Pull request overview
Updates GitHub Actions workflows to address Zizmor/security recommendations around credential handling during actions/checkout.
Changes:
- Set `persist-credentials: false` on `actions/checkout` across test jobs and the lint workflow.
- Adjust the release workflow's checkout credential persistence behavior.
- Refactor the lint workflow to pass the Python path via an environment variable.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/test.yml | Hardens checkout by disabling persisted credentials across OS test jobs and coverage combine. |
| .github/workflows/release.yml | Makes checkout credential persistence explicit and adjusts setup-uv configuration. |
| .github/workflows/lint.yml | Disables persisted checkout credentials and attempts to centralize the Python path into env. |
| steps: | ||
| - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 |
`env.PYTHON_PATH` is set from `${{ steps.sp.outputs.python-path }}`, but the `steps` context isn't available in job-level `env`, and the setup-python step doesn't have `id: sp` here. This will cause the workflow to fail expression evaluation. Keep using `${{ steps.<id>.outputs.python-path }}` directly in the later `run:` block, or add `id: sp` to setup-python and set `PYTHON_PATH` via `$GITHUB_ENV` in a step after setup-python.
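One way to apply the second option from the comment above, as an added example rather than the PR's own lint workflow: the step id `sp` and the `PYTHON_PATH` name are taken from the comment, while the job name, the setup-python tag and the final linter invocation are assumptions. The expression output is passed through a step-level `env:` entry instead of being interpolated straight into the shell line, which is the pattern Zizmor's template-injection check expects.

```yaml
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: false      # no token left in .git/config for later steps
      - name: Set up Python
        id: sp                            # the id the export step below refers to
        uses: actions/setup-python@v5     # assumed tag; pin to a commit SHA as the other actions are
        with:
          python-version: ">=3.11"
      # steps.* is only usable from inside a step, so export it to $GITHUB_ENV here ...
      - name: Export Python path
        env:
          SP_PYTHON: ${{ steps.sp.outputs.python-path }}   # expression lands in an env var, not in the script
        run: echo "PYTHON_PATH=$SP_PYTHON" >> "$GITHUB_ENV"
      # ... and every later step in the job sees PYTHON_PATH as a plain environment variable
      - name: Run linters
        run: |
          "$PYTHON_PATH" --version
          uv run --python "$PYTHON_PATH" ruff check .     # assumed linter command
```

A job-level `env:` can only reference contexts that exist before any step runs (`github`, `vars`, `secrets`, and so on), so anything derived from a step output has to be written to `$GITHUB_ENV` from a step, as shown.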
| - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 | ||
| with: | ||
| persist-credentials: true | ||
| - name: Set up Python |
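Review bot: `persist-credentials: true` on this checkout leaves the job token in the checkout's `.git/config` as an `http.extraheader`, where every later step in the job, including third-party actions, can read it. If the only consumer is a later tag fetch, setting `fetch-depth: 0` and `fetch-tags: true` on this same step (both are inputs of actions/checkout v4) fetches the tags during checkout and lets the line read `persist-credentials: false`.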
`persist-credentials: true` leaves the repository token in the local git config for subsequent steps. In this workflow the checkout credentials don't appear to be needed for any write operation; if the only reason is the later `git fetch`, consider avoiding persisted credentials by fetching tags during checkout (e.g., full fetch/tags) or otherwise scoping auth to only the fetch command, and set `persist-credentials: false`.
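The "fetch tags during checkout" variant suggested above, as an added example that is not part of the PR's release workflow. The checkout pin is the one used in the PR; the verification step that follows it is an assumption added here so that a regression back to persisted credentials fails the job rather than going unnoticed.

```yaml
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: false   # nothing is written into .git/config
          fetch-depth: 0               # full history, so tag-based version lookup still works
          fetch-tags: true             # tags arrive with the checkout; no separate git fetch needed

      # Assumed guard step: actions/checkout stores the token under this exact
      # config key when credentials are persisted, so the key must be absent.
      - name: Verify no checkout credentials were persisted
        run: |
          if git config --get-all http.https://github.com/.extraheader; then
            echo "::error::checkout credentials were persisted in .git/config"
            exit 1
          fi
```

If a later step really does need an authenticated fetch, the comment's other option applies: pass the token to that single `git` invocation through an env var and a `-c http.extraheader=...` option, so the credential is scoped to one command instead of the whole job.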
| with: | ||
| python-version: ">=3.11" # for tomlib | ||
| - name: Install uv | ||
| uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b |
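Review bot: the inline comment on the `python-version` line says `# for tomlib`, but the standard-library module that needs Python 3.11 is spelled `tomllib`; worth fixing the spelling so the reason for the version floor is searchable.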
setup-uv caching is enabled in other workflows (e.g., `.github/workflows/test.yml` and `lint.yml`) but was removed here. If this wasn't intentional, it will slow down release builds; consider restoring `enable-cache: true` for consistency and performance.
| uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b | |
| uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b | |
| with: | |
| enable-cache: true |
No description provided.