
chore(dev): secure CI workflows #101

Merged
2bndy5 merged 1 commit into main from review-ci on Nov 11, 2025

Conversation

2bndy5 (Member) commented Nov 11, 2025

This hardens security for CI workflows.

  • do not persist git credentials when git push is not used
  • third-party actions are pinned to SHA (instead of a rolling major version tag)
  • caching prevented in situations where poisoned caches might affect deployments
  • explicitly remove any inherited (global) permissions for github.token
  • explicitly grant github.token permissions where needed (per job). Includes explanatory comments.
  • prevent caching installed executable binaries (via cargo [b]install)
  • other Quality of Life improvements that don't change behavior
  • add job (in pre-commit CI) to lint CI workflows using zizmor. Most of the above concerns were made to address zizmor warnings/errors.

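As an added illustration of the hardening items listed above (example configuration written here, not this repository's own workflow file): a three-job workflow that drops the inherited `github.token` permissions at the top level, grants per job, checks out without persisting credentials, pins every action to a commit, and restores no cache in the job that produces shipped artifacts. The commit SHA in the `uses:` lines is an all-zeros placeholder; the job names, the zizmor invocation via `pipx`, and the cargo commands are assumptions and are not taken from this project.

```yaml
# Added example (not the project's workflow). The action SHA is a PLACEHOLDER:
# pin the commit your chosen tag actually resolves to, e.g.
#   git ls-remote https://github.com/actions/checkout v4.2.2
name: ci

on:
  push:
    branches: [main]
  pull_request:

# Remove every inherited (global) permission for github.token at the workflow
# level; each job then requests only what it needs (zizmor: excessive-permissions).
permissions: {}

jobs:
  lint-workflows:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # only needed to check out the workflows being linted
    steps:
      # Pin actions to a full commit SHA instead of a floating major tag
      # (zizmor: unpinned-uses). Keep the tag in a comment so Dependabot or
      # Renovate can still bump the pin.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.2.2 (placeholder SHA)
        with:
          # This job never runs `git push`, so do not leave the token in
          # .git/config where a later step could read it (zizmor: artipacked).
          persist-credentials: false
      - name: Lint workflows with zizmor
        run: pipx run zizmor .github/workflows

  build-and-test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.2.2 (placeholder SHA)
        with:
          persist-credentials: false
      # Caching the cargo registry/target directory is acceptable here: a
      # poisoned cache can only break the test run, not anything that ships.
      - run: cargo test --locked

  release:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: build-and-test
    runs-on: ubuntu-latest
    permissions:
      contents: write  # the only job that publishes, so the only job with write
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.2.2 (placeholder SHA)
        with:
          persist-credentials: false
      # No cache restore in the job that produces shipped artifacts: a cache
      # entry written by an earlier run in this branch's scope would otherwise
      # be restored here and could end up in the release (zizmor: cache-poisoning).
      # For the same reason, do not cache binaries installed with
      # `cargo install`/`cargo binstall`; rebuild or reinstall them in this job.
      - run: cargo build --release --locked
      # publish step omitted
```

Running `pipx run zizmor .github/workflows` locally before pushing reports the same findings the `lint-workflows` job would, so a reviewer can confirm that a workflow change neither widens `github.token` permissions nor reintroduces a floating action tag.
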
2bndy5 added the github_actions label (Pull requests that update GitHub Actions code) on Nov 11, 2025
codecov bot commented Nov 11, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.63%. Comparing base (3b0771a) to head (179cbd7).
⚠️ Report is 16 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #101   +/-   ##
=======================================
  Coverage   99.63%   99.63%           
=======================================
  Files          22       22           
  Lines        2734     2734           
=======================================
  Hits         2724     2724           
  Misses         10       10           

@2bndy5 2bndy5 merged commit 9297842 into main Nov 11, 2025
41 checks passed
@2bndy5 2bndy5 deleted the review-ci branch November 11, 2025 11:10