ci: harden workflow with SHA pins, permissions, timeouts, and dependabot#352
Merged
Conversation
- Pin all actions to Node 24-capable full SHAs (checkout v6.0.2, setup-python v6.2.0, upload-artifact v7.0.1)
- Add least-privilege permissions (contents: read) and concurrency cancellation
- Pin python-version to 3.12, pin runner to ubuntu-24.04
- Add pytest --timeout=300, --maxfail=99 (overrides pytest.ini -x), JUnit XML output
- Add explicit SSH setup with sshd start and connectivity preflight
- Hard-fail FUSE preflight (job stops if /dev/fuse or fusermount3 missing)
- Upload test results and meson logs as artifacts
- Add dependabot config for weekly action version updates
Pin all GitHub Actions to Node 24-capable full commit SHAs (checkout v6.0.2, setup-python v6.2.0, upload-artifact v7.0.1). Add least-privilege permissions (`contents: read`), concurrency group with cancel-in-progress, and dependabot config for weekly action updates. Pin runner to `ubuntu-24.04` and Python to 3.12 for reproducibility. Add explicit SSH daemon startup with connectivity preflight. Hard-fail FUSE preflight so the job stops immediately if `/dev/fuse` or `fusermount3` is missing. Add pytest `--timeout=300`, `--maxfail=99` (overrides the `-x` in pytest.ini so CI collects all failures), and JUnit XML output. Upload test results and meson logs as artifacts.

This is the foundation PR — later PRs assume these defaults. Pinning actions to SHAs protects against supply-chain attacks and surprise breakage from upstream tag mutations; Node 24-capable versions avoid the September 2026 Node 20 removal deadline. The strict FUSE preflight prevents CI from going green with silently skipped tests.
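The hardened workflow that the description lists, as an added example assembled from the PR text rather than taken from the repository. The `@<SHA-OF-...>` values are placeholders for the full 40-hex commit SHAs; the `timeout-minutes` value, the loopback SSH key setup, and the `build/meson-logs/` path are assumptions.

```yaml
# .github/workflows/ci.yml (added example mirroring the PR description; not
# the project's own file). Every @<SHA-OF-...> is a PLACEHOLDER: substitute
# the full 40-hex commit SHA of the release named in the trailing comment.
name: ci
on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read            # least privilege for the job's GITHUB_TOKEN

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true  # a newer push to the same ref cancels this run

jobs:
  test:
    runs-on: ubuntu-24.04   # pinned image rather than the moving ubuntu-latest
    timeout-minutes: 30     # assumed job ceiling; per-test ceiling is pytest --timeout
    steps:
      - uses: actions/checkout@<SHA-OF-v6.0.2>       # v6.0.2
      - uses: actions/setup-python@<SHA-OF-v6.2.0>   # v6.2.0
        with:
          python-version: "3.12"
      - name: FUSE preflight (hard-fail so tests cannot be silently skipped)
        run: |
          set -euo pipefail
          test -c /dev/fuse      || { echo "::error::/dev/fuse missing"; exit 1; }
          command -v fusermount3 || { echo "::error::fusermount3 missing"; exit 1; }
      - name: SSH setup and loopback connectivity preflight (assumed key layout)
        run: |
          set -euo pipefail
          mkdir -p ~/.ssh && chmod 700 ~/.ssh
          ssh-keygen -t ed25519 -N '' -f ~/.ssh/id_ed25519
          cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys
          chmod 600 ~/.ssh/authorized_keys
          sudo systemctl start ssh               # Ubuntu's sshd service unit
          ssh-keyscan -H localhost >> ~/.ssh/known_hosts   # record host key instead of disabling checking
          ssh -o BatchMode=yes localhost true    # fails the job if sshd is unreachable
      - name: Run tests
        # --timeout needs the pytest-timeout plugin; --maxfail=99 overrides -x in pytest.ini
        run: pytest --timeout=300 --maxfail=99 --junitxml=test-results.xml
      - uses: actions/upload-artifact@<SHA-OF-v7.0.1> # v7.0.1
        if: always()        # keep results and logs even when the test step fails
        with:
          name: test-results
          path: |
            test-results.xml
            build/meson-logs/
```

The matching `.github/dependabot.yml` declares `package-ecosystem: github-actions` with `directory: /` and `schedule: interval: weekly`, so the SHA pins above are bumped by pull request rather than drifting.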