Skip to content

feat: Apply security best practices#265

Merged
patrick-stephens merged 8 commits into
telemetryforge:mainfrom
step-security-bot:chore/GHA-301121-stepsecurity-remediation
Apr 30, 2026
Merged

feat: Apply security best practices#265
patrick-stephens merged 8 commits into
telemetryforge:mainfrom
step-security-bot:chore/GHA-301121-stepsecurity-remediation

Conversation

@step-security-bot

@step-security-bot step-security-bot commented Apr 30, 2026

Copy link
Copy Markdown
Contributor

Summary

This pull request is created by StepSecurity at the request of @patrick-stephens. Please merge the Pull Request to incorporate the requested changes. Please tag @patrick-stephens on your message if you have any questions related to the PR.

Security Fixes

Least Privileged GitHub Actions Token Permissions

The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.

Add Dependency Review Workflow

The Dependency Review Workflow enforces dependency reviews on your pull requests. The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository.

Add OpenSSF Scorecard Workflow

OpenSSF Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project.

Scorecard workflow also allows maintainers to display a Scorecard badge on their repository to show off their hard work.

Maintain Code Quality with Pre-Commit

Pre-commit is a framework for managing and maintaining multi-language pre-commit hooks. Hooks can be any scripts, code, or binaries that run at any stage of the git workflow. Pre-commit hooks are useful for enforcing code quality, code formatting, and detecting security vulnerabilities.

Signed-off-by: StepSecurity Bot bot@stepsecurity.io


Summary by cubic

Hardened CI by enforcing least-privilege tokens, adding PR dependency review and OpenSSF Scorecard, and introducing .pre-commit hooks. Also formatted workflow YAML (no behavior change) and removed CodeQL and Dependabot updates for now.

  • New Features
    • Set permissions: contents: read across build, test, release, and maintenance workflows.
    • Added actions/dependency-review-action on PRs (fails on high severity; comments a summary).
    • Added ossf/scorecard-action on a weekly schedule and on pushes to main; uploads SARIF to code scanning.
    • Introduced .pre-commit hooks for secrets and linting.

Written for commit 2a7cf61. Summary will update on new commits. Review in cubic

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
@step-security-bot step-security-bot requested a review from a team as a code owner April 30, 2026 11:21
Comment thread .github/dependabot.yml
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Comment thread .github/workflows/codeql.yml Outdated
Signed-off-by: Patrick Stephens <pat@telemetryforge.io>
Signed-off-by: Patrick Stephens <pat@telemetryforge.io>
Signed-off-by: Patrick Stephens <pat@telemetryforge.io>
Signed-off-by: Patrick Stephens <pat@telemetryforge.io>
Signed-off-by: Patrick Stephens <pat@telemetryforge.io>
Signed-off-by: Patrick Stephens <pat@telemetryforge.io>
@patrick-stephens patrick-stephens merged commit 9e422a5 into telemetryforge:main Apr 30, 2026
19 of 23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants