chore(deps): Update GitHub Actions#78
CodeRabbit walkthrough: Pinned SHA references updated across 21 GitHub Actions workflow files (Changes: CI Dependency Pin Updates).
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
🚥 Pre-merge checks: ✅ 5 passed
Dependency Review
The following issues were found:
License Issues
- .github/workflows/coverage.yml
- .github/workflows/performance-regression.yml
- .github/workflows/qlty.yml
- .github/workflows/scorecard.yml
- .github/workflows/sonarcloud.yml
OpenSSF Scorecard
Scanned Files
✅ Performance Regression Check
Status: PERFORMANCE OK
Threshold: +/-10% allowed regression
✅ Performance is within acceptable range.
Additional Metrics
About Performance Regression Testing: This automated check compares
To reproduce locally: uv run --frozen python scripts/benchmark.py --iterations 1000
Pull request overview
Updates GitHub Actions and org-level reusable workflow pins across this repository’s CI/security/docs pipelines to pick up patch-level fixes and security updates while preserving existing workflow behavior.
Changes:
- Bump actions/checkout from v6.0.2 to v6.0.3 (SHA-pinned) wherever it’s used directly.
- Bump github/codeql-action from v4.36.0 to v4.36.1 (SHA-pinned) in the CodeQL workflow.
- Update callers of ByronWilliamsCPA/.github reusable workflows to the latest pinned digest.
Reviewed changes
Copilot reviewed 22 out of 22 changed files in this pull request and generated no comments.
Summary per file
| File | Description |
|---|---|
| .github/workflows/sonarcloud.yml | Updates org reusable SonarCloud workflow digest pin. |
| .github/workflows/security-analysis.yml | Updates org reusable security-analysis workflow digest pin. |
| .github/workflows/scorecard.yml | Updates org reusable scorecard workflow digest pin. |
| .github/workflows/sbom.yml | Updates org reusable SBOM workflow digest pin. |
| .github/workflows/reuse.yml | Bumps actions/checkout to v6.0.3 (SHA-pinned) for REUSE checks. |
| .github/workflows/release.yml | Updates org reusable release workflow digest pin. |
| .github/workflows/release-sign.yml | Bumps actions/checkout to v6.0.3 (SHA-pinned) for signing workflow. |
| .github/workflows/qlty.yml | Updates org reusable Qlty coverage workflow digest pin. |
| .github/workflows/python-compatibility.yml | Updates org reusable compatibility workflow digest pin. |
| .github/workflows/publish-pypi.yml | Updates org reusable PyPI publish workflow digest pin. |
| .github/workflows/pr-validation.yml | Updates org reusable CI workflow digest pin; bumps actions/checkout to v6.0.3 (SHA-pinned) in additional jobs. |
| .github/workflows/postman-api-tests.yml | Bumps actions/checkout to v6.0.3 (SHA-pinned). |
| .github/workflows/performance-regression.yml | Bumps actions/checkout to v6.0.3 (SHA-pinned) and updates org reusable perf workflow digest pin. |
| .github/workflows/mutation-testing.yml | Updates org reusable mutation testing workflow digest pin. |
| .github/workflows/fips-compatibility.yml | Bumps actions/checkout to v6.0.3 (SHA-pinned) in FIPS jobs. |
| .github/workflows/docs.yml | Updates org reusable docs workflow digest pin. |
| .github/workflows/dependency-review.yml | Bumps actions/checkout to v6.0.3 (SHA-pinned). |
| .github/workflows/coverage.yml | Updates org reusable Qlty coverage workflow digest pin. |
| .github/workflows/container-security.yml | Updates org reusable container security workflow digest pin. |
| .github/workflows/codeql.yml | Bumps actions/checkout to v6.0.3 and github/codeql-action to v4.36.1 (both SHA-pinned). |
| .github/workflows/codecov.yml | Updates org reusable Codecov workflow digest pin. |
| .github/workflows/ci.yml | Updates org reusable CI workflow digest pin; bumps actions/checkout to v6.0.3 (SHA-pinned). |
Force-push history, each entry followed by its Performance Regression Check result (threshold +/-10% allowed regression; reproduce locally with the command above):
- 2370c17 to b2b7ac8: ✅ PERFORMANCE OK
- b2b7ac8 to cc8a6cc: ✅ PERFORMANCE OK
- cc8a6cc to 566de1e: ✅ PERFORMANCE OK
- 566de1e to 3733bba: Socket: 👍 No dependency changes detected in pull request. ✅ PERFORMANCE OK
- 3733bba to f206cc8: ✅ PERFORMANCE OK
- f206cc8 to a911d9d: 🎉 PERFORMANCE IMPROVED (Great work!: Performance has improved.)
- a911d9d to 19f938e: ✅ PERFORMANCE OK
- 19f938e to 900c818: ✅ PERFORMANCE OK
- 900c818 to 425aa68: ✅ PERFORMANCE OK
- c2b1ec7 to 19c063e: ✅ PERFORMANCE OK
- 19c063e to eea33c4: ✅ PERFORMANCE OK
Actionable comments posted: 8
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Line 63: The actions/checkout step at line 63 in the CI workflow is using the
default behavior which persists git credentials in the runner's config, creating
a security risk by leaving the runner authenticated longer than necessary. Add
the `persist-credentials: false` parameter to the
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 step to disable
credential persistence and match the security hardening requirement.
In @.github/workflows/dependency-review.yml:
- Line 36: The checkout action at the line using
`actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10` is missing the
security hardening configuration. Add the `persist-credentials: false` parameter
to the checkout step configuration to prevent credentials from being persisted
on the runner. This ensures that runner sessions do not have access to
repository credentials, following security best practices for workflow jobs.
In @.github/workflows/fips-compatibility.yml:
- Line 64: Both `actions/checkout` calls in the workflow (at lines 64 and 201)
are missing the `persist-credentials: false` credential hardening setting for
security best practices. Add the `persist-credentials: false` parameter to each
`actions/checkout` action step to ensure Git credentials are not persisted in
the workflow environment.
In @.github/workflows/performance-regression.yml:
- Line 62: The actions/checkout action on line 62 does not disable credential
persistence for security reasons. Add a `with` section to the checkout step that
includes `persist-credentials: false` to prevent unnecessary credential storage,
following the security best practice for modified checkout steps in workflow
PRs.
In @.github/workflows/postman-api-tests.yml:
- Line 66: The checkout action using
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 does not explicitly
disable credential persistence. Add `persist-credentials: false` as a
configuration parameter to the checkout step to disable the default credential
persistence behavior and follow the repository's security learnings for workflow
steps.
In @.github/workflows/pr-validation.yml:
- Line 59: All three instances of the actions/checkout action on lines 59, 102,
and 136 in the workflow file need security hardening. Add the parameter
`persist-credentials: false` to each of these checkout steps to prevent Git
credentials from being persisted in the runner environment. This should be added
as a separate line in the `with:` section of each `uses: actions/checkout`
action to follow security best practices.
In @.github/workflows/release-sign.yml:
- Around line 25-26: The checkout step using
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 has credential
persistence enabled by default, which is a security risk as it retains
token-backed git auth on the runner. Add the `persist-credentials: false`
parameter to the checkout action step to explicitly disable credential
persistence and harden the workflow security posture.
In @.github/workflows/reuse.yml:
- Around line 30-31: The checkout steps in the GitHub Actions workflow use
default credential persistence settings, which leaves unnecessary token-backed
git configuration on the runner. Add the input parameter persist-credentials:
false to both instances of the actions/checkout step (the one currently at line
31 and the other one at line 62) to prevent credential persistence and harden
the workflow security posture.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 22303863-9418-43d8-afb9-1b98cc3455e2
📒 Files selected for processing (22)
.github/workflows/ci.yml, .github/workflows/codecov.yml, .github/workflows/codeql.yml, .github/workflows/container-security.yml, .github/workflows/coverage.yml, .github/workflows/dependency-review.yml, .github/workflows/docs.yml, .github/workflows/fips-compatibility.yml, .github/workflows/mutation-testing.yml, .github/workflows/performance-regression.yml, .github/workflows/postman-api-tests.yml, .github/workflows/pr-validation.yml, .github/workflows/publish-pypi.yml, .github/workflows/python-compatibility.yml, .github/workflows/qlty.yml, .github/workflows/release-sign.yml, .github/workflows/release.yml, .github/workflows/reuse.yml, .github/workflows/sbom.yml, .github/workflows/scorecard.yml, .github/workflows/security-analysis.yml, .github/workflows/sonarcloud.yml
| egress-policy: audit # TODO: switch to block after 2026-06-30 (compliance audit deferral) | ||
| - name: Checkout | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 |
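Review bot: the trailing `# v6.0.3` comment on the new `uses:` line is not checked by anything at run time; the runner executes commit `df4cb1c069e1874edd31b4311f1884172cec0e10` whatever the comment says, so confirm before merge that this SHA is what the `v6.0.3` tag resolves to (for example `git ls-remote https://github.com/actions/checkout refs/tags/v6.0.3`) and keep the comment and SHA moving together on future bumps, otherwise the comment misleads the next reviewer. Separately, the `egress-policy: audit` context line above the step only records outbound connections rather than blocking them, as its TODO acknowledges, so this pin bump on its own does not narrow what the checkout step can reach over the network; fine for this PR, but worth revisiting with the 2026-06-30 deferral.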
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Add persist-credentials: false to checkout.
Line 63 updates actions/checkout, but the step still persists credentials by default; this leaves the runner git config authenticated longer than needed.
Suggested patch
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
Based on learnings: “if the PR does touch a workflow that has an actions/checkout step, add persist-credentials: false there to match intended security hardening.”
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| - name: Checkout | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 62-63: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/ci.yml at line 63, The actions/checkout step at line 63 in
the CI workflow is using the default behavior which persists git credentials in
the runner's config, creating a security risk by leaving the runner
authenticated longer than necessary. Add the `persist-credentials: false`
parameter to the actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 step
to disable credential persistence and match the security hardening requirement.
Sources: Learnings, Linters/SAST tools
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 |
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Harden checkout credentials handling.
Line 36 updates checkout but omits persist-credentials: false; keep credentials non-persistent on runner jobs.
Suggested patch
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
Based on learnings: “if the PR modifies a workflow checkout step, add persist-credentials: false.”
📝 Committable suggestion
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| - name: Checkout repository | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 35-36: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/dependency-review.yml at line 36, The checkout action at
the line using `actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10` is
missing the security hardening configuration. Add the `persist-credentials:
false` parameter to the checkout step configuration to prevent credentials from
being persisted on the runner. This ensures that runner sessions do not have
access to repository credentials, following security best practices for workflow
jobs.
Sources: Learnings, Linters/SAST tools
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 |
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Apply checkout credential hardening in both jobs.
Lines 64 and 201 update actions/checkout but both steps still omit persist-credentials: false.
Suggested patch
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
...
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
Based on learnings: every modified checkout in .github/workflows should explicitly set persist-credentials: false.
Also applies to: 201-201
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 63-64: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/fips-compatibility.yml at line 64, Both `actions/checkout`
calls in the workflow (at lines 64 and 201) are missing the
`persist-credentials: false` credential hardening setting for security best
practices. Add the `persist-credentials: false` parameter to each
`actions/checkout` action step to ensure Git credentials are not persisted in
the workflow environment.
Source: Learnings
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 |
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Set non-persistent credentials on checkout.
Line 62 updates checkout but does not disable credential persistence.
Suggested patch
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
Based on learnings: modified checkout steps in workflow PRs should include persist-credentials: false.
📝 Committable suggestion
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| - name: Checkout repository | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 61-62: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/performance-regression.yml at line 62, The
actions/checkout action on line 62 does not disable credential persistence for
security reasons. Add a `with` section to the checkout step that includes
`persist-credentials: false` to prevent unnecessary credential storage,
following the security best practice for modified checkout steps in workflow
PRs.
Sources: Learnings, Linters/SAST tools
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 |
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Add persist-credentials: false for checkout.
Line 66 updates checkout pin but keeps default credential persistence.
Suggested patch
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
Based on learnings: modified checkout steps should explicitly disable credential persistence in this repo’s workflows.
📝 Committable suggestion
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 65-66: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/postman-api-tests.yml at line 66, The checkout action
using actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 does not
explicitly disable credential persistence. Add `persist-credentials: false` as a
configuration parameter to the checkout step to disable the default credential
persistence behavior and follow the repository's security learnings for workflow
steps.
Source: Learnings
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 |
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Harden all modified checkout steps in this workflow.
Lines 59, 102, and 136 all bump actions/checkout without persist-credentials: false.
Suggested patch
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
...
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
...
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
Based on learnings: checkout hardening must be applied when these workflow files are modified.
Also applies to: 102-102, 136-136
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 58-59: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pr-validation.yml at line 59, All three instances of the
actions/checkout action on lines 59, 102, and 136 in the workflow file need
security hardening. Add the parameter `persist-credentials: false` to each of
these checkout steps to prevent Git credentials from being persisted in the
runner environment. This should be added as a separate line in the `with:`
section of each `uses: actions/checkout` action to follow security best
practices.
Sources: Learnings, Linters/SAST tools
| - name: Checkout | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 |
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Set persist-credentials: false on checkout.
Line 26 updates the checkout pin but still leaves credential persistence enabled, which can retain token-backed git auth on the runner. Add explicit hardening on this step.
Suggested fix
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
Based on learnings: “ensure every actions/checkout step includes persist-credentials: false,” and as per path instructions: “Review GitHub Actions workflows for security best practices.”
📝 Committable suggestion
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| - name: Checkout | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 25-26: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/release-sign.yml around lines 25 - 26, The checkout step
using actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 has credential
persistence enabled by default, which is a security risk as it retains
token-backed git auth on the runner. Add the `persist-credentials: false`
parameter to the checkout action step to explicitly disable credential
persistence and harden the workflow security posture.
Sources: Path instructions, Learnings, Linters/SAST tools
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 |
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Harden both checkout steps with persist-credentials: false.
Both updated checkout steps (Line 31 and Line 62) still use default credential persistence. This leaves unnecessary token-backed git config on the runner.
Suggested fix
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
@@
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
Based on learnings: “every actions/checkout step should set persist-credentials: false,” and as per path instructions: “Review GitHub Actions workflows for security best practices.”
Also applies to: 61-62
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 30-31: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/reuse.yml around lines 30 - 31, The checkout steps in the
GitHub Actions workflow use default credential persistence settings, which
leaves unnecessary token-backed git configuration on the runner. Add the input
parameter persist-credentials: false to both instances of the actions/checkout
step (the one currently at line 31 and the other one at line 62) to prevent
credential persistence and harden the workflow security posture.
Sources: Path instructions, Learnings, Linters/SAST tools
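The eight review comments above all reduce to two mechanical checks on a workflow file: does every `actions/checkout` step set `persist-credentials: false` (zizmor's "artipacked" warning), and is every `uses:` reference pinned to a full 40-hex commit SHA rather than a tag. As an added example, not code from this repository, CodeRabbit, zizmor, or Renovate, here is a small Python linter that performs both checks over the raw workflow text so it can run in a pre-commit hook without a YAML dependency. The sample workflow embedded in it is constructed for the demonstration (the checkout SHA is the v6.0.3 pin from this PR; the `setup-python@v6` tag and the local `./.github/actions/lint` path are invented to exercise the unpinned and skipped cases).

```python
"""Line-based linter for two GitHub Actions hardening checks (added example):

  1. an actions/checkout step that does not set `persist-credentials: false`
     (what zizmor reports as "artipacked"), and
  2. a `uses:` reference that is not pinned to a full 40-hex commit SHA.

It works on the raw text, which is enough for the conventional layout of a
workflow `steps:` list, and needs no third-party YAML parser.
"""
import re
from dataclasses import dataclass

# A `uses:` line, either as the first key of a step ("- uses: ...") or as a
# later key ("  uses: ..."). Group 1 is "owner/repo@ref" up to whitespace or '#'.
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
SHA40_RE = re.compile(r"[0-9a-f]{40}")
PERSIST_FALSE_RE = re.compile(r"persist-credentials:\s*false\b")


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number of the `uses:` line
    kind: str      # "persist-credentials" or "unpinned"
    detail: str


def _col(line: str) -> int:
    """Indent column of a line (YAML indents with spaces only)."""
    return len(line) - len(line.lstrip(" "))


def _step_lines(lines: list[str], uses_idx: int) -> list[str]:
    """Return every line of the step that contains lines[uses_idx].

    A step is one `- ` list item. Its keys sit two columns right of the dash;
    the step ends at the first non-blank, non-comment line indented less than
    those keys (the next `- name:` item, or the end of the `steps:` list).
    """
    uses_line = lines[uses_idx]
    if uses_line.lstrip().startswith("- "):
        start, key_col = uses_idx, _col(uses_line) + 2
    else:
        key_col = _col(uses_line)
        start = uses_idx
        # Walk back to the dash line that opens this step.
        while start > 0 and not (
            _col(lines[start]) == key_col - 2 and lines[start].lstrip().startswith("- ")
        ):
            start -= 1
    end = uses_idx + 1
    while end < len(lines):
        stripped = lines[end].strip()
        if stripped and not stripped.startswith("#") and _col(lines[end]) < key_col:
            break
        end += 1
    return lines[start:end]


def scan_workflow(text: str) -> list[Finding]:
    """Scan one workflow file's text and return the findings in line order."""
    lines = text.splitlines()
    findings: list[Finding] = []
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local action/workflow or container image: not a GitHub ref to pin
        action, _, version = ref.partition("@")
        lineno = idx + 1
        if not SHA40_RE.fullmatch(version):
            findings.append(Finding(lineno, "unpinned",
                                    f"{action} is pinned to {version!r}, not a 40-hex commit SHA"))
        if action == "actions/checkout":
            step = _step_lines(lines, idx)
            # Comment lines are skipped, so a commented-out setting does not count.
            if not any(PERSIST_FALSE_RE.match(s.strip())
                       for s in step if not s.strip().startswith("#")):
                findings.append(Finding(lineno, "persist-credentials",
                                        "actions/checkout step does not set persist-credentials: false"))
    return findings


# Constructed sample, not a file from the repository. The checkout SHA is the
# v6.0.3 pin from this PR; the setup-python tag is deliberately left unpinned.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Checkout (hardened)
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - uses: actions/setup-python@v6
        with:
          python-version: "3.12"
      - name: Local composite action
        uses: ./.github/actions/lint
"""


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: [{f.kind}] {f.detail}")
```

Run against the sample it reports the unhardened checkout on line 8 and the tag-pinned `setup-python` on line 13, and stays silent on the hardened checkout and the local path. Job-level `uses:` lines that call reusable workflows (the `ByronWilliamsCPA/.github` digests this PR bumps) are also covered by the pin check, since that check does not depend on step structure.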
Force-push history, each entry followed by its Performance Regression Check result (threshold +/-10% allowed regression; reproduce locally with the command above):
- eea33c4 to 087092b: ✅ PERFORMANCE OK
- 087092b to 7959092: ❌ REGRESSION DETECTED
- 7959092 to 2d346e2: ✅ PERFORMANCE OK
- 2d346e2 to 5659a25: ✅ PERFORMANCE OK
- 5659a25 to 80a6865: 🎉 PERFORMANCE IMPROVED (Great work!: Performance has improved.)
- 80a6865 to 2fe8eb4: ✅ PERFORMANCE OK
- 2fe8eb4 to acc6334: ✅ PERFORMANCE OK
- acc6334 to 8d805e7: ✅ PERFORMANCE OK
- 8d805e7 to fc572b3: ✅ PERFORMANCE OK
- fc572b3 to 02edd6e: ✅ PERFORMANCE OK
Summary
Why
Scheduled patch update, bug fixes and security patches with no API changes.
Changes
This PR contains the following updates:
- 74c633a → 1502ecd
- v6.0.2 → v6.0.3
- v6.2.0 → v6.3.0
- v8.1.0 → v8.2.0
- v4.36.0 → v4.36.2
- 0916059 → 9d31717
Warning: Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Impact
Acceptance Criteria
Testing
Notes
Release Notes
actions/checkout (actions/checkout)
v6.0.3 (Compare Source)
actions/setup-python (actions/setup-python)
v6.3.0 (Compare Source)
What's Changed
Enhancement
Dependency update
Documentation
New Contributors
Full Changelog: actions/setup-python@v6...v6.3.0
astral-sh/setup-uv (astral-sh/setup-uv)
v8.2.0: 🌈 New inputs `quiet` and `download-from-astral-mirror` (Compare Source)
Changes
This release brings two new inputs and a few bug fixes.
New inputs
Let's talk about the new inputs first.
quiet
Pretty simple. It turns off all `info` logging. Useful if you use this in a composite action and are not interested in all the details.
In the upcoming releases we will add log groups to fully implement support for "less noise".
download-from-astral-mirror
In some cases you may want to directly use the fallback of checking for available versions and downloading releases from GitHub instead of using the astral.sh mirror. Setting `download-from-astral-mirror: false` allows you to do that.
Bugfixes
When using the astral.sh mirror to query available versions and download releases (done by default) we now stop sending the GitHub token in the header. The mirror never looked at it but we shouldn't be handing out that data even if it is just a short lived token.
All other bugfixes try to limit the impact of failed GitHub queries due to retries and other faults.
We couldn't pinpoint all root causes yet but added more logging for error cases to track them down.
🐛 Bug fixes
🚀 Enhancements
`download-from-astral-mirror` input @eifinger (#897)
🧰 Maintenance
⬆️ Dependency updates
github/codeql-action (github/codeql-action)
v4.36.2 (Compare Source)
v4.36.1 (Compare Source)
No user facing changes.
Configuration
📅 Schedule: (in timezone America/New_York)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate.