[SECURITY] Harden GitHub Workflows Pt. 2#496
Merged
John McCall (lowlydba) merged 1 commit into dev from (source branch not captured) on Apr 9, 2026
Signed-off-by: John McCall <john@overturemaps.org>
🗺️ Schema reference docs preview is live!
Note ♻️ This preview updates automatically with each push to this PR.
Alex Iannicelli (atiannicelli) approved these changes, Apr 9, 2026, and left a comment:
fine by me
Pull request overview
Hardens GitHub Actions workflows to satisfy the intended higher (“pedantic”) security posture (zizmor), primarily by tightening default token permissions, adding concurrency controls, and reducing direct template expansions in shell contexts.
Changes:
- Add workflow-level `permissions: contents: read` defaults and more explicit job permissions where needed.
- Add `concurrency` groups to reduce duplicate/colliding runs.
- Refactor some shell steps to use environment variables instead of direct `${{ ... }}` expansions (and add zizmor ignore annotations).
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/test-schema.yaml | Adds workflow permissions defaults, concurrency, and job naming. |
| .github/workflows/schema-pr-preview.yml | Adds explanatory permission comments and uses env vars for PR number in deployment commands; adds a suppression for template-injection. |
| .github/workflows/schema-pr-preview-cleanup.yml | Adds concurrency and uses env vars for PR number in cleanup commands; adds suppression annotations. |
| .github/workflows/reusable-check-python-package-versions.yaml | Adds workflow permissions defaults and job naming; adds a zizmor ignore annotation near an env expression. |
| .github/workflows/publish-python-packages.yaml | Adds concurrency and job naming; refactors publish step to use env vars for matrix fields with zizmor suppressions. |
| .github/workflows/enforce-change-type-label.yaml | Adds workflow permissions defaults, concurrency, and job naming. |
| .github/workflows/check-python-package-versions.yaml | Moves id-token: write from workflow to job-level and adds concurrency. |
| .github/workflows/check-python-code.yaml | Adds workflow permissions defaults, concurrency, and job naming. |
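To make the three patterns in the review summary concrete, here is an added example workflow. It is not one of the PR's own files and not the project's code; the workflow name, job name, step names and the echo commands are constructed for illustration. It shows a read-only workflow-level token default, a narrower job-level grant, a concurrency group keyed on workflow and ref, and a shell step that takes PR-event fields through `env:` instead of expanding `${{ ... }}` directly inside `run:`.

```yaml
# Added example (not from the PR's own workflows): minimal workflow showing the
# hardening patterns summarised above. Names and commands are constructed.
name: Example hardened workflow

on:
  pull_request:

# Workflow-level default: every job gets a read-only GITHUB_TOKEN unless it
# explicitly asks for more.
permissions:
  contents: read

# One in-flight run per workflow and ref; a newer push cancels the older run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  preview:
    name: Build preview
    runs-on: ubuntu-latest
    # Job-level grant, scoped to this job only rather than the whole workflow.
    permissions:
      contents: read
      pull-requests: write
    steps:
      # A tag is used here for readability; pin to a full commit SHA in production.
      - uses: actions/checkout@v4

      # WEAK: the expression is substituted into the script text before the
      # shell parses it, so a user-controlled field such as a PR title becomes
      # shell syntax. zizmor reports this as template-injection.
      # - run: echo "Building preview for: ${{ github.event.pull_request.title }}"

      # HARDENED: pass the values through the environment and reference them as
      # quoted shell variables; the shell treats them as data, never as code.
      - name: Announce preview
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Building preview for PR #${PR_NUMBER}: ${PR_TITLE}"
```

The `${{ ... }}` expressions still appear, but only in `env:`, where the runner sets a variable before the shell starts; the `run:` script itself contains no expansion, which is the distinction the review's "use env vars for PR number" entries describe.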
Adam Lastowka (Rachmanin0xFF) approved these changes, Apr 9, 2026
Major change release plan
Non-Major change
B. Related MINOR change steps
Non-minor change
C. Public documentation and messaging plan
N/A
Description
The original PR (#493) was accidentally targeting fixes only for a subset of the desired risk level. This closes the gap, and we can confirm it now by the temporary, secondary `OMF Security Checks` workflow that is using the desired `pedantic` level. Previously, due to repo settings, it wasn't easily testable until after the workflow had been set as Required.
Reference
N/A
Testing
Proof of pedantic passing (logs):