Skip to content

ci: Harden GitHub Actions permissions#292

Merged
jbeckwith-oai merged 1 commit into
mainfrom
codex/harden-github-actions
Jul 9, 2026
Merged

ci: Harden GitHub Actions permissions#292
jbeckwith-oai merged 1 commit into
mainfrom
codex/harden-github-actions

Conversation

@jbeckwith-oai

Copy link
Copy Markdown
Contributor

Summary

  • Add fail-closed workflow-level permissions to CI and release workflows.
  • Grant explicit read-only repository access only to jobs that need checkout.
  • Prevent checkout from persisting the default GitHub token into local git config.

Validation

  • Parsed both workflow YAML files with Ruby YAML.load_file.
  • Verified every workflow uses: reference is pinned to a 40-character SHA.

Notes

  • Preserves id-token: write where OIDC is actually used: CI artifact upload and RubyGems trusted publishing.

@jbeckwith-oai jbeckwith-oai marked this pull request as ready for review June 25, 2026 16:11
@jbeckwith-oai jbeckwith-oai requested a review from a team as a code owner June 25, 2026 16:11
@jbeckwith-oai jbeckwith-oai changed the title [codex] Harden GitHub Actions permissions ci: Harden GitHub Actions permissions Jun 25, 2026
@jbeckwith-oai jbeckwith-oai merged commit 0a478dc into main Jul 9, 2026
11 checks passed
@stainless-app stainless-app Bot mentioned this pull request Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants