Skip to content

chore: GH Actions hardening — pin actions to SHA, add permissions and timeouts#204

Merged
dielduarte merged 2 commits into
mainfrom
feature/dev-663-resend-python-gh-actions-hardening-1-high-1-med-2-low
May 12, 2026
Merged

chore: GH Actions hardening — pin actions to SHA, add permissions and timeouts#204
dielduarte merged 2 commits into
mainfrom
feature/dev-663-resend-python-gh-actions-hardening-1-high-1-med-2-low

Conversation

@dielduarte
Copy link
Copy Markdown
Contributor

@dielduarte dielduarte commented May 12, 2026
edited by cubic-dev-ai Bot
Loading

Summary by cubic

Hardens GitHub Actions by pinning actions/checkout, actions/setup-python, and codecov/codecov-action to commit SHAs, adding top‑level permissions: { contents: read }, and setting CI job timeouts (Lint/Mypy 10m, Tests 15m). Addresses Linear DEV-663 (HIGH: pin actions; MED: add permissions; LOW: add missing timeouts).

Written for commit 79a6307. Summary will update on new commits.

cubic-dev-ai[bot]
cubic-dev-ai Bot approved these changes May 12, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cubic analysis

No issues found across 1 file

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

Linked issue analysis

Linked issue: DEV-663: [resend-python] GH Actions hardening — 1 HIGH / 1 MED / 2 LOW

Status Acceptance criteria Notes
Pin codecov/codecov-action@v6 to a commit SHA Diff replaces uses: codecov/codecov-action@v6 with a pinned commit SHA and keeps the v6 comment.
Add top-level permissions Diff adds a top-level permissions block granting contents: read.
Add timeout-minutes to jobs that were missing them (two jobs) Diff adds timeout-minutes to the lint-mypy job and to the tests job (values 10 and 15 respectively).

Auto-approved: These changes harden the CI workflow by adding read-only permissions, job timeouts, and pinning an action to a commit SHA—all security and reliability best practices with no impact on application logic or data.

cubic-dev-ai[bot]
cubic-dev-ai Bot approved these changes May 12, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

0 issues found across 1 file (changes from recent commits).

Auto-approved: These GitHub Actions hardening changes (pinning actions to commit SHAs, adding read-only permissions, and setting timeouts) are low-risk, do not alter any business logic, and improve security and reliability without affecting the application code.

@dielduarte dielduarte merged commit 2bbd4d2 into main May 12, 2026
20 checks passed
@dielduarte dielduarte deleted the feature/dev-663-resend-python-gh-actions-hardening-1-high-1-med-2-low branch May 12, 2026 18:11
@drish drish mentioned this pull request May 13, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@felipefreitag felipefreitag felipefreitag approved these changes

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dielduarte @felipefreitag