Conversation
- Add persist-credentials: false to all checkout steps (artipacked)
- Add permissions: {} at workflow level and contents: read per job (excessive-permissions)
- Add cooldown: default-days: 10 to all dependabot ecosystems (dependabot-cooldown)
Pull request overview
This PR hardens the repository’s GitHub Actions and Dependabot configuration by pinning actions, tightening GITHUB_TOKEN permissions to least-privilege, and adding CI checks for workflow security/linting.
Changes:
- Pin GitHub Actions to full commit SHAs and disable persisted checkout credentials.
- Set workflow-level `permissions: {}` and grant per-job permissions.
- Add a “GitHub Actions audit” job running `actionlint` and `zizmor`, and update Dependabot configuration (grouping/cooldown).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/ci.yml | Pins actions by SHA, adds actionlint/zizmor job, and applies least-privilege job permissions. |
| .github/dependabot.yml | Adds grouping for GitHub Actions updates and configures cooldown for update PRs. |
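The three findings this PR addresses (unpinned action refs, checkout steps that keep the token on disk, jobs without their own least-privilege permissions) can be checked mechanically. The following Ruby script is an added example, not code from the PR or from zizmor; the workflow text it scans is constructed and its commit SHA is a placeholder.

```ruby
require "yaml"

SHA_REF = /\A[0-9a-f]{40}\z/

# Returns an array of human-readable findings for one workflow YAML document.
def audit_workflow(yaml_text)
  wf = YAML.safe_load(yaml_text)
  findings = []
  # `permissions: {}` at the top level makes the empty token set the default.
  findings << "workflow: no top-level permissions (add permissions: {})" unless wf.key?("permissions")
  (wf["jobs"] || {}).each do |name, job|
    # A job-level block replaces the workflow default; a job without one inherits it.
    findings << "job #{name}: no permissions block" unless job.key?("permissions")
    (job["steps"] || []).each do |step|
      next unless (uses = step["uses"])
      action, ref = uses.split("@", 2)
      next if action.start_with?("./", "docker://") # local and docker actions carry no git ref
      unless ref && ref.match?(SHA_REF)
        findings << "job #{name}: #{action} not pinned to a full commit SHA (ref #{ref.inspect})"
      end
      next unless action == "actions/checkout"
      # artipacked: checkout leaves the token in .git/config unless this is false.
      persist = (step["with"] || {})["persist-credentials"]
      findings << "job #{name}: checkout persists credentials (set persist-credentials: false)" unless persist == false
    end
  end
  findings
end

# Constructed sample: `lint` follows the PR's hardening, `test` has every problem.
SAMPLE_WORKFLOW = <<~YAML
  on: [push]
  permissions: {}
  jobs:
    lint:
      permissions:
        contents: read
      steps:
        - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
          with:
            persist-credentials: false
    test:
      steps:
        - uses: actions/checkout@v4
        - uses: ruby/setup-ruby@v1
          with:
            bundler-cache: true
YAML
```

Running `audit_workflow(SAMPLE_WORKFLOW)` reports four findings, all against the `test` job, and none against `lint`.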
| lint: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read |
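Review bot: this job-level block replaces rather than extends the workflow-level `permissions: {}`, so `contents: read` is the complete token scope for `lint`, which is the right scope for a job that only reads the tree; any other job in the file that needs GITHUB_TOKEN must carry its own block, since a job without one inherits the empty set.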
actions/cache typically requires actions: write permission on GITHUB_TOKEN to save/update caches. With workflow-level permissions: {} and only contents: read here, the cache step may fail with "Resource not accessible by integration". Consider granting actions: write for this job (keep contents: read).
| contents: read | |
| contents: read | |
| actions: write |
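Review bot: `actions: write` on GITHUB_TOKEN is broader than least privilege requires here; as the reply in this thread states, caching runs on the runner's own credentials rather than GITHUB_TOKEN, so if this grant exists only for the cache or bundler-cache steps it can be reduced to `contents: read`. `actions: write` also lets the token cancel and re-run workflow runs, which none of the steps discussed here needs.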
GitHub Actions cache works with the implicit runner credentials, not GITHUB_TOKEN permissions. The actions/cache permission mapping confirms it needs no token permissions. See the permission-mappings reference.
| permissions: | ||
| contents: read |
This job uses caching (via ruby/setup-ruby with bundler-cache: true, and also uploads artifacts on failure). With workflow-level permissions: {} and only contents: read granted here, cache/artifact steps can fail because they typically require actions: write on GITHUB_TOKEN. Consider adding actions: write to this job’s permissions.
Cache operations use implicit runner credentials, not GITHUB_TOKEN. contents: read is sufficient. The setup-ruby and actions/cache actions don't require additional permissions for caching.
| permissions: | ||
| contents: read |
This job enables bundler-cache: true in ruby/setup-ruby, which uses the GitHub Actions cache API. With only contents: read granted, the cache save step can fail under restricted GITHUB_TOKEN permissions. Consider adding actions: write to this job’s permissions.
Cache operations use implicit runner credentials, not GITHUB_TOKEN. contents: read is sufficient. The setup-ruby and actions/cache actions don't require additional permissions for caching.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| - package-ecosystem: bundler | ||
| directory: "/" | ||
| schedule: | ||
| interval: weekly | ||
| open-pull-requests-limit: 10 | ||
| cooldown: | ||
| default-days: 10 | ||
| - package-ecosystem: github-actions | ||
| directory: "/" | ||
| groups: | ||
| github-actions: | ||
| patterns: | ||
| - "*" |
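Review bot: the `github-actions` entry shows no `cooldown:` block while the `bundler` entry sets `default-days: 10`; the commit message says the cooldown was added to all Dependabot ecosystems, so either add the same `cooldown:` block under `github-actions` or confirm it sits below the lines shown here.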
PR description says dependabot is configured with “weekly batching … on all ecosystems”, but only the github-actions ecosystem is grouped. If batching is intended for bundler too, add a groups: section for the bundler entry (or adjust the PR description if bundler grouping is intentionally out of scope).
Batching is only configured for github-actions because that's the ecosystem that generates the most individual PRs (one per action update). Bundler updates are already naturally fewer.
3509588 to ff4f8bd
Add semver-major-days/semver-minor-days/semver-patch-days so low-risk patches flow faster while major bumps get more soak time.
Install actionlint, shellcheck, and zizmor in bin/setup so developers have the tools available. Run actionlint and zizmor as CI steps so workflow issues are caught locally before pushing.
Pull request overview
Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.
| step "Lint: GitHub Actions (actionlint)", "actionlint" | ||
| step "Lint: GitHub Actions (zizmor)", "zizmor ." |
These bin/ci steps invoke actionlint and zizmor as global executables, which will make bin/ci fail on machines where those tools aren’t installed (and bin/setup currently only installs them via brew/pacman). Consider either vendoring/wrapping them under bin/ (consistent with rubocop/brakeman), or adding a preflight check that prints a clear installation hint before running the steps.
| cooldown: | ||
| semver-major-days: 7 | ||
| semver-minor-days: 3 | ||
| semver-patch-days: 2 | ||
| default-days: 7 |
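Review bot: with all three `semver-*-days` values set, `default-days: 7` only governs updates Dependabot cannot classify by semver, so the effective bundler policy is 7/3/2 days by bump size; since `semver-major-days: 7` equals `default-days`, major bumps get no extra soak over unclassified updates, so raise `semver-major-days` above `default-days` if that is the intent stated in the commit message.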
PR description says “10-day cooldown on all ecosystems”, but the bundler entry sets default-days: 7 (and semver-specific values). Either update the bundler cooldown values to match the described 10-day policy, or adjust the PR description to reflect the actual configuration.
Summary
permissions: {} at workflow level
Test plan
zizmor .