You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Every uses: is a floating tag (actions/checkout@v4, oven-sh/setup-bun@v2, raven-actions/actionlint@v2, actions/github-script@v8, ...). setup-bun runs inside publish jobs that hold id-token: write and NPM_TOKEN, so a compromised tag there could exfiltrate the token or mint bad provenance. Pinning the publish chain to SHAs is the highest-value slice.
.github/renovate.json extends helpers:pinGitHubActionDigests with automerge rules, but the Renovate app isn't installed; zero Renovate PRs exist. Either install it (the config is ready) or delete the config.
No job anywhere sets timeout-minutes, so a hang burns the 6-hour default. codeql.yml and gitleaks.yml have no concurrency groups, so rapid pushes double-run them.
Branch protection on main requires the three CI checks but zero approving reviews, doesn't require CodeQL or the secret scan, and doesn't require branches to be up to date before merge.
A few related gaps in the workflows:
uses:is a floating tag (actions/checkout@v4,oven-sh/setup-bun@v2,raven-actions/actionlint@v2,actions/github-script@v8, ...). setup-bun runs inside publish jobs that holdid-token: writeand NPM_TOKEN, so a compromised tag there could exfiltrate the token or mint bad provenance. Pinning the publish chain to SHAs is the highest-value slice..github/renovate.jsonextendshelpers:pinGitHubActionDigestswith automerge rules, but the Renovate app isn't installed; zero Renovate PRs exist. Either install it (the config is ready) or delete the config.timeout-minutes, so a hang burns the 6-hour default. codeql.yml and gitleaks.yml have no concurrency groups, so rapid pushes double-run them.