Harden GitHub actions #424
Runs actionlint and zizmor on workflow files. Placed after the rubocop lint job since it is a linting concern. 🤖 Assisted by Claude
Batches all github-actions updates into a single weekly PR. Adds cooldown windows to both ecosystems so updates soak before landing; github-actions matches the 7-day pinact --min-age. 🤖 Assisted by Claude
Ran `pinact run --min-age 7` to pin all actions to commit SHAs with version comments. Matches the 7-day cooldown in dependabot.yml. 🤖 Assisted by Claude
Resolves zizmor medium findings:
- excessive-permissions: deny-all `permissions: {}` at workflow level, scope `contents: read` per job
- artipacked: `persist-credentials: false` on checkout in test/lint jobs (neither pushes to git)
🤖 Assisted by Claude
actionlint/shellcheck flags the unquoted ${RUBYGEMS_VERSION:-}, but the
unquoted expansion is intentional: when the version is unset the arg
must vanish so `gem update --system` picks the latest. Quoting would
pass an empty version string instead. Suppress with a reason.
🤖 Assisted by Claude
Pull request overview
This PR hardens the repository’s GitHub Actions setup by pinning actions to SHAs, tightening workflow permissions, and adding automated linting/auditing to prevent future regressions.
Changes:
- Tightens workflow triggers/permissions and disables credential persistence on checkouts.
- Pins referenced actions to commit SHAs and documents versions inline.
- Adds a `lint-actions` job (actionlint + zizmor) and introduces a Dependabot configuration for Bundler and GitHub Actions.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/workflows/ruby.yml | Restricts triggers, locks down permissions, pins actions by SHA, and adds a new CI job to lint/audit workflows. |
| .github/dependabot.yml | Adds weekly Dependabot updates for Bundler and GitHub Actions with cooldown settings. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
| contents: read | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 |
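Review bot: the `# v2.7.0` after the SHA on the `actions/checkout` line is a comment only; the runner resolves the 40-character SHA, so a wrong or stale tag comment never fails the job. Keep the `# vX.Y.Z` form exactly so `pinact` can verify the comment against the SHA and Dependabot can bump both together. Since this job only has `contents: read`, please confirm the `persist-credentials: false` that the commit message describes is attached to this checkout step, so the token is not written into `.git/config` for a job that never pushes.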
any reason to keep it on 2.7 rather than updating to v6?
No reason other than trying to keep it consistent with the previous @v2 tag used everywhere else. Dependabot will update it when it runs and then we should be all up-to-date with a separate PR that updates the versions.
Using zizmor, pinact, and actionlint to harden the github actions configuration.
- Pinned all actions to commit SHAs (`pinact` and a minimum age of 7 days)
- Suppressed the shellcheck warning on the `gem update --system` command
- `lint-actions` CI job running `zizmor` and `actionlint` to prevent regressions
- `dependabot` config for bundler and actions (weekly, 7-day cooldown)

cc @jasnow @connorshea @simi
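The settings described in the commit messages and the summary above, assembled into one workflow as an added illustration rather than the repository's actual `.github/workflows/ruby.yml`. The `actions/checkout` SHA is the one quoted in the review; `vars.RUBYGEMS_VERSION` is an assumed source for the version variable.

```yaml
# Illustrative .github/workflows/ruby.yml (added example, not the repository's file)
name: Ruby
on:
  push:
    branches: [main]
  pull_request:
permissions: {}          # deny-all at workflow level; each job opts in below
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read     # the only scope a test job needs
    steps:
      # Full commit SHA as written by `pinact run --min-age 7`; the trailing tag
      # comment lets pinact and Dependabot keep SHA and version in sync.
      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
        with:
          persist-credentials: false   # job never pushes, so no token in .git/config
      - name: Update RubyGems
        env:
          RUBYGEMS_VERSION: ${{ vars.RUBYGEMS_VERSION }}   # assumed source of the version
        run: |
          # Intentionally unquoted: an unset version must expand to no argument so
          # `gem update --system` installs the latest; quoting would pass "" instead.
          # shellcheck disable=SC2086
          gem update --system ${RUBYGEMS_VERSION:-}
      - run: bundle exec rake
  lint-actions:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
        with:
          persist-credentials: false
      - name: actionlint (workflow syntax, plus shellcheck on run: scripts)
        run: |
          bash <(curl -sSfL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
          ./actionlint -color
      - name: zizmor (static security audit of the workflows)
        run: |
          pipx install zizmor
          zizmor --min-severity medium .github/workflows/
```

The matching `.github/dependabot.yml` entry for `package-ecosystem: github-actions` pairs `schedule: { interval: weekly }` with `cooldown: { default-days: 7 }` and a single `groups` entry using `patterns: ["*"]`, so all action bumps soak for the same 7 days as `--min-age 7` and land in one PR.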