ci: harden all workflows against CI best practices checklist#57

Merged
github-actions[bot] merged 1 commit into main from ci/pipeline-hardening, Jun 4, 2026

Conversation

@SebTardif

Contributor

Summary

Systematically closes all gaps identified by comparing the CI pipeline against our CI skills checklist (ci-workflow-hygiene, ci-workflow-structure, ci-github-actions-gotchas).

Changes

Security hardening

  • Add step-security/harden-runner@v2.12.0 as first step in all 17 jobs across 11 workflows (egress-policy: audit)
  • Fix github.actor (unreliable) to github.event.pull_request.user.login in auto-approve, dependabot-auto-merge, and pr-title workflows
  • Move stale.yml write permissions from workflow level to job level (principle of least privilege)
  • Add CodeQL analysis to ruleset required status checks

Merge queue readiness

  • Add merge_group trigger to ci.yml and security.yml

Operational reliability

  • Add workflow_dispatch to auto-approve, dependabot-auto-merge, post-merge, and pr-title workflows
  • Add concurrency groups to auto-approve and post-merge workflows
  • Add links.yml to its own path filters (workflow changes now trigger link checks)

DRY improvements

  • Create .github/actions/setup-node composite action (Node.js setup + npm ci)
  • Deduplicate 5 identical setup sequences across ci.yml and security.yml

Checklist compliance

| Item | Before | After |
|---|---|---|
| Concurrency groups | 8/11 | 10/11 |
| workflow_dispatch | 7/11 | 11/11 |
| harden-runner | 0/17 | 17/17 |
| merge_group on CI/security | 0/2 | 2/2 |
| CodeQL in required checks | No | Yes |
| Composite actions | None | setup-node |
| Workflow in own path filters | Missing | Fixed |
| Permissions at job level | Partial | Complete |
| Reliable PR author check | 0/3 | 3/3 |

Signed-off-by: Sebastien Tardif seb@tardif.ca

- Add step-security/harden-runner to all 17 jobs (egress-policy: audit)
- Add merge_group trigger to ci.yml and security.yml for merge queue
- Add workflow_dispatch to auto-approve, dependabot-auto-merge,
  post-merge, and pr-title workflows
- Add concurrency groups to auto-approve and post-merge workflows
- Create composite action for Node.js setup (deduplicates 5 jobs)
- Fix github.actor to github.event.pull_request.user.login in
  auto-approve, dependabot-auto-merge, and pr-title workflows
- Move stale.yml write permissions from workflow to job level
- Add links.yml to its own path filters
- Add CodeQL analysis to ruleset required status checks

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
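The patterns the change list above names (harden-runner as the first step, job-level permissions, merge_group and workflow_dispatch triggers, concurrency groups, a composite setup-node action, and the PR-author check) are shown together below as an added example. These are not the PR's files: the file paths, the `node-version` and `pr_number` inputs, the `npm test` command and the `dependabot[bot]` gate are assumptions chosen to make the example complete.

```yaml
# --- .github/actions/setup-node/action.yml (assumed path; composite action) ---
name: setup-node
description: Install Node.js and run `npm ci` once, shared by every job that needs it
inputs:
  node-version:
    description: Node.js version to install
    default: '20'            # assumed default
runs:
  using: composite
  steps:
    - uses: actions/setup-node@v4
      with:
        node-version: ${{ inputs.node-version }}
        cache: npm
    - run: npm ci
      shell: bash            # `shell` is mandatory on run steps inside a composite action
---
# --- .github/workflows/ci.yml (assumed content) ---
name: ci
on:
  push:
    branches: [main]
  pull_request:
  merge_group:               # merge-queue runs: required checks must also pass here
  workflow_dispatch:

permissions:
  contents: read             # workflow-level floor; jobs add only the scopes they need

concurrency:
  # one run per PR (or per ref); cancel a superseded PR run, never a merge-queue run
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # First step of every job, before checkout, so the egress log covers the whole job.
      - uses: step-security/harden-runner@v2.12.0   # tag pin as in the PR; a full commit SHA pin is stronger
        with:
          egress-policy: audit                        # log outbound hosts; move to `block` plus an allow-list once the baseline is known
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-node            # local composite action: only resolvable after checkout
      - run: npm test                                 # assumed test command
---
# --- .github/workflows/dependabot-auto-merge.yml (assumed content) ---
name: dependabot-auto-merge
on:
  pull_request:
    types: [opened, synchronize, reopened]
  workflow_dispatch:
    inputs:
      pr_number:
        description: PR number to enable auto-merge on (manual runs)
        required: true
        type: number

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || inputs.pr_number }}
  cancel-in-progress: false

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    # Gate on the PR *author*. `github.actor` is whoever triggered this run (a collaborator
    # pushing to the branch or re-running it), not necessarily the author. A manual dispatch
    # already requires write access, so the dispatcher is trusted on that path.
    if: >-
      github.event_name == 'workflow_dispatch' ||
      github.event.pull_request.user.login == 'dependabot[bot]'
    permissions:
      contents: write          # gh pr merge --auto
      pull-requests: write
    steps:
      - uses: step-security/harden-runner@v2.12.0
        with:
          egress-policy: audit
      - env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
          # pass event data via env, never by splicing ${{ }} into the script body
          PR_NUMBER: ${{ inputs.pr_number || github.event.pull_request.number }}
        run: gh pr merge --auto --squash "$PR_NUMBER"
```

Three caveats a reviewer would check against this layout. `egress-policy: audit` only records outbound connections; nothing is enforced until the policy is switched to `block` with an `allowed-endpoints` list built from that audit log. The harden-runner step cannot be folded into the composite action, because a local action is only reachable after `actions/checkout`, and the point of the step is to observe the checkout too. Finally, `merge_group` events carry no `pull_request` payload, so `github.event.pull_request.user.login` is empty there; author gates belong only in workflows triggered by `pull_request`, and a required check that is path-filtered can leave PRs that touch no listed path without a status at all.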
github-actions[bot] enabled auto-merge (squash), June 4, 2026 22:40
github-actions[bot] merged commit 9748529 into main, Jun 4, 2026
23 checks passed
@SebTardif deleted the ci/pipeline-hardening branch, June 24, 2026 22:26