chore(deps): Update GitHub Actions #78
| Original file line number | Diff line number | Diff line change | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -33,7 +33,7 @@ jobs: | |||||||||||
| egress-policy: audit | ||||||||||||
|
|
||||||||||||
| - name: Checkout repository | ||||||||||||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||||||||||||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||||||||||||
|
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Harden checkout credentials handling. Line 36 updates checkout but omits

Suggested patch:

```diff
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+       with:
+         persist-credentials: false
```

Based on learnings: “if the PR modifies a workflow checkout step, add

🧰 Tools
🪛 zizmor (1.26.1)
[warning] 35-36: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked)

Sources: Learnings, Linters/SAST tools
||||||||||||
|
|
||||||||||||
| - name: Dependency Review | ||||||||||||
| uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 | ||||||||||||
|
|
||||||||||||
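Review bot: the checkout pin in this hunk moves from de0fac2e… to df4cb1c0… with only the trailing `# v6.0.3` comment to tell a reader what the SHA is, and nothing in the workflow checks that the comment and the SHA agree. Before merging, confirm that the SHA is the commit the `v6.0.3` tag resolves to (for example `git ls-remote https://github.com/actions/checkout refs/tags/v6.0.3`, comparing against the peeled `^{}` entry if the tag is annotated), and apply the same check to every other `# vX.Y.Z` comment this PR updates. The `persist-credentials: false` point raised in the comment above still applies to this step.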
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -61,10 +61,10 @@ jobs: | |
| egress-policy: audit | ||
|
|
||
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
|
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Apply checkout credential hardening in both jobs. Lines 64 and 201 update

Suggested patch:

```diff
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+       with:
+         persist-credentials: false
...
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+       with:
+         persist-credentials: false
```

Based on learnings: every modified checkout in

Also applies to: 201-201

🧰 Tools
🪛 zizmor (1.26.1)
[warning] 63-64: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked)

Source: Learnings
||
|
|
||
| - name: Install uv | ||
| uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 | ||
| uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 | ||
| with: | ||
| enable-cache: true | ||
|
|
||
|
|
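Review bot: the `Install uv` step bumped in this hunk sets `enable-cache: true` without a `cache-dependency-glob`, whereas the `Install UV` steps updated elsewhere in this PR pass `cache-dependency-glob: "uv.lock"`. Since the PR already touches this step, align it with the others so the cache key is tied to the lockfile explicitly instead of to whatever the action's default glob matches; a cache keyed on the wrong files silently serves stale resolved dependencies across lockfile changes.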
@@ -198,10 +198,10 @@ jobs: | |
| egress-policy: audit | ||
|
|
||
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
|
|
||
| - name: Install uv | ||
| uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 | ||
| uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 | ||
| with: | ||
| enable-cache: true | ||
|
|
||
|
|
||
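Review bot: this hunk bumps the second `actions/checkout` in this file (the one the comment above lists under "Also applies to: 201-201") but still carries no `with:` block, so the step keeps the default `persist-credentials: true`. Add `persist-credentials: false` here in the same change rather than relying on the earlier suggestion being applied to both jobs.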
| Original file line number | Diff line number | Diff line change | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -59,7 +59,7 @@ jobs: | |||||||||||
| egress-policy: audit | ||||||||||||
|
|
||||||||||||
| - name: Checkout repository | ||||||||||||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||||||||||||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||||||||||||
|
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Set non-persistent credentials on checkout. Line 62 updates checkout but does not disable credential persistence.

Suggested patch:

```diff
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+       with:
+         persist-credentials: false
```

Based on learnings: modified checkout steps in workflow PRs should include

🧰 Tools
🪛 zizmor (1.26.1)
[warning] 61-62: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked)

Sources: Learnings, Linters/SAST tools
||||||||||||
|
|
||||||||||||
| - name: Check for benchmark script | ||||||||||||
| id: check | ||||||||||||
|
|
@@ -82,7 +82,7 @@ jobs: | |||||||||||
| name: Performance Regression | ||||||||||||
| needs: check-benchmarks | ||||||||||||
| if: needs.check-benchmarks.outputs.has-benchmarks == 'true' | ||||||||||||
| uses: ByronWilliamsCPA/.github/.github/workflows/python-performance-regression.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main | ||||||||||||
| uses: ByronWilliamsCPA/.github/.github/workflows/python-performance-regression.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main | ||||||||||||
| with: | ||||||||||||
| benchmark-script: 'scripts/benchmark.py' | ||||||||||||
| python-version: '3.12' | ||||||||||||
|
|
||||||||||||
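Review bot: the reusable-workflow reference on the `uses:` line moves to a new SHA of `ByronWilliamsCPA/.github`, but the trailing comment stays `# main`, a branch name rather than a release, so the diff gives a reviewer no way to tell which upstream change is being pulled in. Replace `# main` with the upstream tag if one exists, or at least record the upstream commit range in the PR description, so the pin is reviewable; the `python-ci.yml` pin updated in this PR has the same issue.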
| Original file line number | Diff line number | Diff line change | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -38,7 +38,7 @@ jobs: | |||||||||
| timeout-minutes: 15 | ||||||||||
| services: | ||||||||||
| redis: | ||||||||||
| image: redis:8-alpine@sha256:09160599abd229764c0fb44cb6be640294e1d360a54b19985ab4843dcf2d90f1 | ||||||||||
| image: redis:8-alpine@sha256:9d317178eceac8454a2284a9e6df2466b93c745529947f0cd42a0fa9609d7005 | ||||||||||
| ports: | ||||||||||
| - 6379:6379 | ||||||||||
| options: >- | ||||||||||
|
|
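Review bot: the `redis:8-alpine` digest changes on the `image:` line with no comment recording which Redis release the new digest corresponds to, unlike the action pins in this PR, which carry `# vX.Y.Z` comments. Suggest confirming that the tag currently resolves to this digest (`docker manifest inspect redis:8-alpine` shows the digest for the tag) and that it was resolved from the official `redis` image rather than a mirror, then adding the resolved server version next to the digest (e.g. a `# redis <version>` comment, with the version taken from `redis-server --version` on the pinned image) so future bumps are reviewable.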
@@ -63,15 +63,15 @@ jobs: | |||||||||
| egress-policy: audit | ||||||||||
|
|
||||||||||
| - name: Checkout repository | ||||||||||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||||||||||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||||||||||
|
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Add Line 66 updates checkout pin but keeps default credential persistence.

Suggested patch:

```diff
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+       with:
+         persist-credentials: false
```

Based on learnings: modified checkout steps should explicitly disable credential persistence in this repo’s workflows.

🧰 Tools
🪛 zizmor (1.26.1)
[warning] 65-66: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked)

Source: Learnings
||||||||||
|
|
||||||||||
| - name: Set up Python | ||||||||||
| uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 | ||||||||||
| uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 | ||||||||||
| with: | ||||||||||
| python-version: "3.12" | ||||||||||
|
|
||||||||||
| - name: Install uv | ||||||||||
| uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 | ||||||||||
| uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 | ||||||||||
| with: | ||||||||||
| enable-cache: true | ||||||||||
|
|
||||||||||
|
|
||||||||||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -33,7 +33,7 @@ jobs: | |
| contents: read | ||
| pull-requests: write | ||
| checks: write | ||
| uses: ByronWilliamsCPA/.github/.github/workflows/python-ci.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main | ||
| uses: ByronWilliamsCPA/.github/.github/workflows/python-ci.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main | ||
| with: | ||
| python-version: '3.12' | ||
| coverage-threshold: 80 | ||
|
|
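Review bot: the job-level permissions on the context lines (`contents: read`, `pull-requests: write`, `checks: write`) are what the reusable workflow inherits, and the pin on the `uses:` line moves to a new `main` commit. Before merging, check that the new revision of `python-ci.yml` still needs only these scopes and does not now require more (which would surface only as a runtime failure), and that it has not started writing with the `pull-requests: write` and `checks: write` scopes in ways this repo did not intend; bumping a `# main` pin is effectively a review of someone else's workflow changes.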
@@ -56,15 +56,15 @@ jobs: | |
| egress-policy: audit # TODO: switch to block after 2026-06-30 (compliance audit deferral) | ||
|
|
||
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
|
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Harden all modified checkout steps in this workflow. Lines 59, 102, and 136 all bump

Suggested patch:

```diff
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+       with:
+         persist-credentials: false
...
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+       with:
+         persist-credentials: false
...
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+       with:
+         persist-credentials: false
```

Based on learnings: checkout hardening must be applied when these workflow files are modified.

Also applies to: 102-102, 136-136

🧰 Tools
🪛 zizmor (1.26.1)
[warning] 58-59: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked)

Sources: Learnings, Linters/SAST tools
||
|
|
||
| - name: Set up Python | ||
| uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 | ||
| uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 | ||
| with: | ||
| python-version: "3.12" | ||
|
|
||
| - name: Install UV | ||
| uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 | ||
| uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 | ||
| with: | ||
| enable-cache: true | ||
| cache-dependency-glob: "uv.lock" | ||
|
|
@@ -99,7 +99,7 @@ jobs: | |
| egress-policy: audit # TODO: switch to block after 2026-06-30 (compliance audit deferral) | ||
|
|
||
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
|
|
||
| - name: Check documentation links | ||
| uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0 | ||
|
|
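Review bot: this checkout bump sits in a job whose `egress-policy` is still `audit` (the TODO on the context line defers `block` to after 2026-06-30), so outbound traffic from this job is logged but not prevented. That makes `persist-credentials: false` on the checkout step, missing in this hunk as in the earlier comment's "Also applies to: 102-102", the control that actually limits what a compromised later step could do with the checkout token; add the `with:` block here as well rather than leaving this job to the deferred egress change.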
@@ -133,15 +133,15 @@ jobs: | |
| egress-policy: audit # TODO: switch to block after 2026-06-30 (compliance audit deferral) | ||
|
|
||
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
|
|
||
| - name: Set up Python | ||
| uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 | ||
| uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 | ||
| with: | ||
| python-version: "3.12" | ||
|
|
||
| - name: Install UV | ||
| uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 | ||
| uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 | ||
| with: | ||
| enable-cache: true | ||
| cache-dependency-glob: "uv.lock" | ||
|
|
||
| Original file line number | Diff line number | Diff line change | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -23,7 +23,7 @@ jobs: | |||||||||||||||
| egress-policy: audit | ||||||||||||||||
|
|
||||||||||||||||
| - name: Checkout | ||||||||||||||||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||||||||||||||||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||||||||||||||||
|
Comment on lines 25 to +26

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Set Line 26 updates the checkout pin but still leaves credential persistence enabled, which can retain token-backed git auth on the runner. Add explicit hardening on this step.

Suggested fix:

```diff
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+       with:
+         persist-credentials: false
```

Based on learnings: “ensure every

🧰 Tools
🪛 zizmor (1.26.1)
[warning] 25-26: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked)

Sources: Path instructions, Learnings, Linters/SAST tools
||||||||||||||||
|
|
||||||||||||||||
| - name: Install cosign | ||||||||||||||||
| uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 | ||||||||||||||||
|
|
||||||||||||||||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -28,7 +28,7 @@ jobs: | |
| egress-policy: audit | ||
|
|
||
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
|
Comment on lines 30 to +31

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Harden both checkout steps with Both updated checkout steps (Line 31 and Line 62) still use default credential persistence. This leaves unnecessary token-backed git config on the runner.

Suggested fix:

```diff
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+       with:
+         persist-credentials: false
@@
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+       with:
+         persist-credentials: false
```

Based on learnings: “every

Also applies to: 61-62

🧰 Tools
🪛 zizmor (1.26.1)
[warning] 30-31: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked)

Sources: Path instructions, Learnings, Linters/SAST tools
||
|
|
||
| - name: REUSE Compliance Check | ||
| uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0 | ||
|
|
@@ -59,7 +59,7 @@ jobs: | |
| egress-policy: audit | ||
|
|
||
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
|
|
||
| - name: Check primary license exists | ||
| run: | | ||
|
|
||
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Add `persist-credentials: false` to checkout. Line 63 updates `actions/checkout`, but the step still persists credentials by default; this leaves the runner git config authenticated longer than needed.

Suggested patch:

```diff
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+       with:
+         persist-credentials: false
```

Based on learnings: “if the PR does touch a workflow that has an `actions/checkout` step, add `persist-credentials: false` there to match intended security hardening.”

🧰 Tools
🪛 zizmor (1.26.1)
[warning] 62-63: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked)

Sources: Learnings, Linters/SAST tools