Skip to content

ci: secure GitHub Actions workflows#301

Merged
henryiii merged 6 commits into
mainfrom
henryiii/ci/secure-gha
Jun 29, 2026
Merged

ci: secure GitHub Actions workflows#301
henryiii merged 6 commits into
mainfrom
henryiii/ci/secure-gha

Conversation

@henryiii

@henryiii henryiii commented May 22, 2026

Copy link
Copy Markdown
Collaborator

Used my secure-ci skill, and tweaked a bit.

🤖 Human guided, AI assisted PR (using this skill). AI text below. 🤖

Summary

Secure the repository's GitHub Actions workflows following zizmor pedantic audit and best practices.

Changes

  • Pin all GHA actions to SHA hashes with version comments (14 actions across 3 workflows + codecov)
  • Add zizmor pre-commit hook and .github/zizmor.yaml config for ongoing auditing
  • Fix checks.yml: added permissions: {}, concurrency group, persist-credentials: false, job name
  • Fix release.yml: added permissions: {}, concurrency group, persist-credentials: false, job-level permissions with explanatory comments, contents: read for build job
  • Fix tests.yml: added permissions: {}, persist-credentials: false, job names for pytest and required-checks-pass
  • Update .github/dependabot.yml: switched to monthly schedule, added 7-day cooldown, added pre-commit ecosystem, updated group name from actions to github-actions
  • Freeze all pre-commit hook revs to SHA pins via prek auto-update --freeze --cooldown-days 7
  • Add tool.uv.exclude-newer = "7 days" cooldown to pyproject.toml

Assisted-by: OpenCode:glm-5

@henryiii
henryiii force-pushed the henryiii/ci/secure-gha branch 2 times, most recently from 5723b1a to d746296 Compare May 22, 2026 18:20
@henryiii
henryiii force-pushed the henryiii/ci/secure-gha branch from d746296 to 2e90033 Compare June 29, 2026 21:04
henryiii added 4 commits June 29, 2026 17:18
- Pin all GHA actions to SHA hashes with version comments
- Add zizmor pre-commit hook and .github/zizmor.yaml config
- Add permissions: {} to all workflows, job-level permissions where needed
- Add persist-credentials: false to all checkout steps
- Add concurrency groups to checks.yml and release.yml
- Add job names for anonymous job definitions
- Add explanatory comments for release-pypi permissions
- Update dependabot.yml: monthly schedule, cooldown, pre-commit ecosystem
- Freeze all pre-commit hook revs to SHA pins
- Add tool.uv.exclude-newer = "7 days" cooldown

Assisted-by: OpenCode:glm-5
Signed-off-by: Henry Schreiner <henryfs@princeton.edu>
Signed-off-by: Henry Schreiner <henryfs@princeton.edu>
Signed-off-by: Henry Schreiner <henryfs@princeton.edu>
@henryiii
henryiii force-pushed the henryiii/ci/secure-gha branch from 2e90033 to 845d0e1 Compare June 29, 2026 21:19
These two jobs are required status checks in branch protection,
which matches by check name. Renaming them (via `name:`) would
break the required-check matching, and editing the required-jobs
config needs permissions we don't have.

Drop the added `name:` and suppress zizmor's pedantic
anonymous-definition audit inline for just these two jobs.

Assisted-by: ClaudeCode:claude-opus-4.8
Comment thread .github/workflows/checks.yml Outdated
@henryiii
henryiii merged commit 8c6d591 into main Jun 29, 2026
24 checks passed
@henryiii
henryiii deleted the henryiii/ci/secure-gha branch June 29, 2026 22:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant