ci: secure GitHub Actions workflows#301
Merged
Merged
Conversation
henryiii
force-pushed
the
henryiii/ci/secure-gha
branch
2 times, most recently
from
May 22, 2026 18:20
5723b1a to
d746296
Compare
henryiii
force-pushed
the
henryiii/ci/secure-gha
branch
from
June 29, 2026 21:04
d746296 to
2e90033
Compare
- Pin all GHA actions to SHA hashes with version comments
- Add zizmor pre-commit hook and .github/zizmor.yaml config
- Add permissions: {} to all workflows, job-level permissions where needed
- Add persist-credentials: false to all checkout steps
- Add concurrency groups to checks.yml and release.yml
- Add job names for anonymous job definitions
- Add explanatory comments for release-pypi permissions
- Update dependabot.yml: monthly schedule, cooldown, pre-commit ecosystem
- Freeze all pre-commit hook revs to SHA pins
- Add tool.uv.exclude-newer = "7 days" cooldown
Assisted-by: OpenCode:glm-5
Signed-off-by: Henry Schreiner <henryfs@princeton.edu>
Signed-off-by: Henry Schreiner <henryfs@princeton.edu>
Signed-off-by: Henry Schreiner <henryfs@princeton.edu>
henryiii
force-pushed
the
henryiii/ci/secure-gha
branch
from
June 29, 2026 21:19
2e90033 to
845d0e1
Compare
These two jobs are required status checks in branch protection, which matches by check name. Renaming them (via `name:`) would break the required-check matching, and editing the required-jobs config needs permissions we don't have. Drop the added `name:` and suppress zizmor's pedantic anonymous-definition audit inline for just these two jobs. Assisted-by: ClaudeCode:claude-opus-4.8
henryiii
commented
Jun 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Used my secure-ci skill, and tweaked a bit.
🤖 Human guided, AI assisted PR (using this skill). AI text below. 🤖
Summary
Secure the repository's GitHub Actions workflows following zizmor pedantic audit and best practices.
Changes
.github/zizmor.yamlconfig for ongoing auditingchecks.yml: addedpermissions: {}, concurrency group,persist-credentials: false, job namerelease.yml: addedpermissions: {}, concurrency group,persist-credentials: false, job-level permissions with explanatory comments,contents: readfor build jobtests.yml: addedpermissions: {},persist-credentials: false, job names for pytest and required-checks-pass.github/dependabot.yml: switched to monthly schedule, added 7-day cooldown,added pre-commit ecosystem, updated group name fromactionstogithub-actionsprek auto-update --freeze --cooldown-days 7tool.uv.exclude-newer = "7 days"cooldown topyproject.tomlAssisted-by: OpenCode:glm-5