ci: harden GitHub Actions workflows#18
Merged
flavorjones merged 9 commits intomainfrom Mar 20, 2026
Merged
Conversation
Add a lint-actions job near the existing lint job to audit GitHub Actions workflows on every push and PR to main. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Increase cooldown from 2 to 7 days for github-actions ecosystem to allow more soak time before updates are proposed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Run actionlint and zizmor locally via `make lint-actions`, included in the full `check-all` suite. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Run pinact to ensure all action references include full version comments alongside their SHA pins. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Apply dual bot-conditions check on dependabot-auto-merge workflows - Suppress dangerous-triggers on pull_request_target workflows that only run trusted actions (no PR code checkout) - Move excessive-permissions to job-level in release workflows - Suppress cache-poisoning on branch-isolated caches in release workflows Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Fix ref-version-mismatch in seed workflows (update version comments) - Suppress secrets-outside-env on private module tokens in seed CI workflows where environment protection would block PR-triggered runs - Move excessive-permissions to job-level in seed/security.yml Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add persist-credentials: false to all checkout steps (artipacked) - Fix dependabot cooldown: add default-days: 7 to gomod ecosystem - Fix seed dependabot cooldown: add default-days: 7 to both ecosystems Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Set permissions: {} at workflow level for all single-job and multi-job
workflows, with scoped permissions on each job. This ensures every job
starts with zero permissions and fails safe.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move top-level permissions to permissions: {} for test.yml, security.yml,
scorecard.yml and all corresponding seed workflows. Add per-job
permissions: contents: read to every job.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sensitive Change Detection (shadow mode)This PR modifies control-plane files:
|
There was a problem hiding this comment.
Pull request overview
This PR hardens the repository’s GitHub Actions configuration by reducing default token permissions, pinning third-party actions, and adding workflow linting/auditing to CI and local tooling.
Changes:
- Set workflow-level
permissions: {}and move required permissions down to individual jobs. - Pin/update GitHub Actions dependencies (and add
persist-credentials: falseto checkouts) to improve supply-chain posture. - Add a GitHub Actions audit job (actionlint + zizmor) to CI and a
make lint-actionstarget; update Dependabot cooldowns.
Tip
If you aren't ready for review, convert to a draft PR.
Click "Convert to draft" or run gh pr ready --undo.
Click "Ready for review" or run gh pr ready to reengage.
Reviewed changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| Makefile | Adds lint-actions target and includes it in check-all. |
| .github/dependabot.yml | Updates cooldown defaults and normalizes directory: "/" for GitHub Actions updates. |
| .github/workflows/test.yml | Pins action versions, job-scopes permissions, and adds a CI job to run actionlint + zizmor. |
| .github/workflows/security.yml | Pins action versions, job-scopes permissions, and hardens checkout credentials handling. |
| .github/workflows/scorecard.yml | Switches to workflow-level permissions: {} and pins SARIF upload action. |
| .github/workflows/release.yml | Switches to workflow-level permissions: {}, job-scopes permissions, and hardens checkout configuration. |
| .github/workflows/labeler.yml | Moves permissions to job-level for pull_request_target labeler workflow. |
| .github/workflows/ai-labeler.yml | Moves permissions to job-level for reusable AI labeling workflows. |
| .github/workflows/sensitive-change-gate.yml | Moves permissions to job-level for reusable sensitive change gating workflow. |
| .github/workflows/direct-push-alert.yml | Moves permissions to job-level for reusable direct-push alert workflow. |
| .github/workflows/dependabot-auto-merge.yml | Moves permissions to job-level, strengthens Dependabot bot checks, pins fetch-metadata action. |
| seed/.github/dependabot.yml | Updates Dependabot cooldown defaults in the seed template. |
| seed/.github/workflows/test.yml | Applies job-level permissions, pins action versions, and hardens checkout in the seed test workflow. |
| seed/.github/workflows/security.yml | Applies job-level permissions, pins action versions, and hardens checkout in the seed security workflow. |
| seed/.github/workflows/scorecard.yml | Applies job-level permissions and pins SARIF upload action in the seed scorecard workflow. |
| seed/.github/workflows/release.yml | Applies job-level permissions, pins action versions, and hardens checkout in the seed release workflow. |
| seed/.github/workflows/labeler.yml | Applies job-level permissions for seed labeler workflow. |
| seed/.github/workflows/ai-labeler.yml | Applies job-level permissions and hardens checkout for seed AI labeling workflow. |
| seed/.github/workflows/dependabot-auto-merge.yml | Applies job-level permissions and strengthens bot conditions for seed Dependabot auto-merge workflow. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
permissions: {}at workflow levelTest plan
🤖 Generated with Claude Code