ci: harden GitHub Actions workflows#109
Merged
flavorjones merged 8 commits intomasterfrom Mar 20, 2026
Merged
Conversation
Sensitive Change Detection (shadow mode)This PR modifies control-plane files:
|
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
Pull request overview
Hardens this repository’s GitHub Actions configuration by tightening default token permissions, pinning actions, and adding CI auditing for workflows to reduce supply-chain and misconfiguration risk.
Changes:
- Set workflow-level
permissions: {}and define least-privilege permissions per job across workflows. - Pin GitHub Actions to commit SHAs and disable persisted checkout credentials (
persist-credentials: false). - Add a new “GitHub Actions audit” CI job running
actionlintandzizmor; adjust Dependabot cooldown defaults.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/test.yml | Locks down permissions, pins actions, and adds an actionlint/zizmor audit job. |
| .github/workflows/sensitive-change-gate.yml | Moves permissions to job-level and documents pull_request_target risk acceptance. |
| .github/workflows/security.yml | Pins actions, scopes permissions per job, and disables persisted credentials on checkout. |
| .github/workflows/scorecard.yml | Removes workflow-wide permissions and pins actions while keeping required job permissions. |
| .github/workflows/release.yml | Pins actions, scopes permissions, and disables persisted checkout credentials for release jobs. |
| .github/workflows/direct-push-alert.yml | Moves permissions to job-level and sets workflow-level permissions to none. |
| .github/workflows/dependabot-auto-merge.yml | Tightens bot gating condition and pins Dependabot metadata action. |
| .github/workflows/ai-labeler.yml | Moves permissions to job-level and documents pull_request_target risk acceptance. |
| .github/dependabot.yml | Increases default cooldown window to reduce Dependabot PR frequency. |
[!TIP]
If you aren't ready for review, convert to a draft PR.
Click "Convert to draft" or rungh pr ready --undo.
Click "Ready for review" or rungh pr readyto reengage.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Suppress dangerous-triggers in ai-labeler and sensitive-change-gate (both only call reusable workflows, no PR code checked out) - Fix bot-conditions with dual check in dependabot-auto-merge - Suppress cache-poisoning in release (branch-isolated default cache) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add persist-credentials: false to all checkout steps (artipacked) - Increase gomod dependabot cooldown default-days to 7 (dependabot-cooldown) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace overly broad workflow-level permissions with permissions: {}
in ai-labeler, direct-push-alert, and sensitive-change-gate. Each
job already declares its own scoped permissions.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move workflow-level permissions to permissions: {} in scorecard and
test workflows, adding explicit job-level permissions for each job.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
flavorjones
force-pushed
the
harden-github-actions
branch
from
83b662a to
55b803a
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
permissions: {}at workflow levelTest plan
🤖 Generated with Claude Code