Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ permissions:
jobs:
ci:
name: CI Pipeline
uses: ByronWilliamsCPA/.github/.github/workflows/python-ci.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-ci.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
with:
python-version: '3.12'
coverage-threshold: 80
Expand Down Expand Up @@ -60,7 +60,7 @@ jobs:
# egress-policy: block -- enabled 2026-05-23 (compliance audit). If a CI run fails on a network call, switch this single occurrence back to audit and capture the missing endpoint in the issue tracker.
egress-policy: audit # TODO: switch to block after 2026-06-30 (compliance audit deferral)
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Add persist-credentials: false to checkout.

Line 63 updates actions/checkout, but the step still persists credentials by default; this leaves the runner git config authenticated longer than needed.

Suggested patch
       - name: Checkout
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

Based on learnings: “if the PR does touch a workflow that has an actions/checkout step, add persist-credentials: false there to match intended security hardening.”

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 62-63: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 63, The actions/checkout step at line 63 in
the CI workflow is using the default behavior which persists git credentials in
the runner's config, creating a security risk by leaving the runner
authenticated longer than necessary. Add the `persist-credentials: false`
parameter to the actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 step
to disable credential persistence and match the security hardening requirement.

Sources: Learnings, Linters/SAST tools

- name: Setup Node
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/codecov.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ jobs:
name: Upload Coverage
# Only run on successful CI completion
if: ${{ github.event.workflow_run.conclusion == 'success' }}
uses: ByronWilliamsCPA/.github/.github/workflows/python-codecov.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-codecov.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
with:
artifact-name: 'coverage-reports'
coverage-files: '*.xml'
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,31 +39,31 @@ jobs:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false

- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
python-version: "3.12"

- name: Install uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true

- name: Install dependencies
run: uv sync --no-dev

- name: Initialize CodeQL
uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
languages: python
build-mode: none
queries: security-extended,security-and-quality

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
category: "/language:python"
2 changes: 1 addition & 1 deletion .github/workflows/container-security.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ permissions:
jobs:
container-security:
name: Container Security Scan
uses: ByronWilliamsCPA/.github/.github/workflows/python-container-security.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-container-security.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
with:
dockerfile-path: 'Dockerfile'
build-context: '.'
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/coverage.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ jobs:
upload-coverage:
name: Upload Coverage to Qlty
if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
with:
coverage-artifact-name: coverage-reports
coverage-file-path: coverage.xml
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ jobs:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Harden checkout credentials handling.

Line 36 updates checkout but omits persist-credentials: false; keep credentials non-persistent on runner jobs.

Suggested patch
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

Based on learnings: “if the PR modifies a workflow checkout step, add persist-credentials: false.”

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 35-36: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependency-review.yml at line 36, The checkout action at
the line using `actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10` is
missing the security hardening configuration. Add the `persist-credentials:
false` parameter to the checkout step configuration to prevent credentials from
being persisted on the runner. This ensures that runner sessions do not have
access to repository credentials, following security best practices for workflow
jobs.

Sources: Learnings, Linters/SAST tools


- name: Dependency Review
uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/docs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ permissions:
jobs:
docs:
name: Build & Deploy Docs
uses: ByronWilliamsCPA/.github/.github/workflows/python-docs.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-docs.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
with:
python-version: '3.12'
# rag-processor uses hatchling as build backend, so editable installs
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/fips-compatibility.yml
Original file line number Diff line number Diff line change
Expand Up @@ -61,10 +61,10 @@ jobs:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Apply checkout credential hardening in both jobs.

Lines 64 and 201 update actions/checkout but both steps still omit persist-credentials: false.

Suggested patch
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
...
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

Based on learnings: every modified checkout in .github/workflows should explicitly set persist-credentials: false.

Also applies to: 201-201

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 63-64: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/fips-compatibility.yml at line 64, Both `actions/checkout`
calls in the workflow (at lines 64 and 201) are missing the
`persist-credentials: false` credential hardening setting for security best
practices. Add the `persist-credentials: false` parameter to each
`actions/checkout` action step to ensure Git credentials are not persisted in
the workflow environment.

Source: Learnings


- name: Install uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true

Expand Down Expand Up @@ -198,10 +198,10 @@ jobs:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

- name: Install uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/mutation-testing.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ permissions:
jobs:
mutation:
name: Mutation Testing
uses: ByronWilliamsCPA/.github/.github/workflows/python-mutation.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-mutation.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
with:
python-version: '3.12'
source-directory: 'src'
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/performance-regression.yml
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ jobs:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Set non-persistent credentials on checkout.

Line 62 updates checkout but does not disable credential persistence.

Suggested patch
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

Based on learnings: modified checkout steps in workflow PRs should include persist-credentials: false.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 61-62: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/performance-regression.yml at line 62, The
actions/checkout action on line 62 does not disable credential persistence for
security reasons. Add a `with` section to the checkout step that includes
`persist-credentials: false` to prevent unnecessary credential storage,
following the security best practice for modified checkout steps in workflow
PRs.

Sources: Learnings, Linters/SAST tools


- name: Check for benchmark script
id: check
Expand All @@ -82,7 +82,7 @@ jobs:
name: Performance Regression
needs: check-benchmarks
if: needs.check-benchmarks.outputs.has-benchmarks == 'true'
uses: ByronWilliamsCPA/.github/.github/workflows/python-performance-regression.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-performance-regression.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
with:
benchmark-script: 'scripts/benchmark.py'
python-version: '3.12'
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/postman-api-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ jobs:
timeout-minutes: 15
services:
redis:
image: redis:8-alpine@sha256:09160599abd229764c0fb44cb6be640294e1d360a54b19985ab4843dcf2d90f1
image: redis:8-alpine@sha256:9d317178eceac8454a2284a9e6df2466b93c745529947f0cd42a0fa9609d7005
ports:
- 6379:6379
options: >-
Expand All @@ -63,15 +63,15 @@ jobs:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Add persist-credentials: false for checkout.

Line 66 updates checkout pin but keeps default credential persistence.

Suggested patch
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

Based on learnings: modified checkout steps should explicitly disable credential persistence in this repo’s workflows.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 65-66: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/postman-api-tests.yml at line 66, The checkout action
using actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 does not
explicitly disable credential persistence. Add `persist-credentials: false` as a
configuration parameter to the checkout step to disable the default credential
persistence behavior and follow the repository's security learnings for workflow
steps.

Source: Learnings


- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
python-version: "3.12"

- name: Install uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true

Expand Down
16 changes: 8 additions & 8 deletions .github/workflows/pr-validation.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ jobs:
contents: read
pull-requests: write
checks: write
uses: ByronWilliamsCPA/.github/.github/workflows/python-ci.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-ci.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
with:
python-version: '3.12'
coverage-threshold: 80
Expand All @@ -56,15 +56,15 @@ jobs:
egress-policy: audit # TODO: switch to block after 2026-06-30 (compliance audit deferral)

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Harden all modified checkout steps in this workflow.

Lines 59, 102, and 136 all bump actions/checkout without persist-credentials: false.

Suggested patch
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
...
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
...
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

Based on learnings: checkout hardening must be applied when these workflow files are modified.

Also applies to: 102-102, 136-136

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 58-59: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr-validation.yml at line 59, All three instances of the
actions/checkout action on lines 59, 102, and 136 in the workflow file need
security hardening. Add the parameter `persist-credentials: false` to each of
these checkout steps to prevent Git credentials from being persisted in the
runner environment. This should be added as a separate line in the `with:`
section of each `uses: actions/checkout` action to follow security best
practices.

Sources: Learnings, Linters/SAST tools


- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
python-version: "3.12"

- name: Install UV
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true
cache-dependency-glob: "uv.lock"
Expand Down Expand Up @@ -99,7 +99,7 @@ jobs:
egress-policy: audit # TODO: switch to block after 2026-06-30 (compliance audit deferral)

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

- name: Check documentation links
uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0
Expand Down Expand Up @@ -133,15 +133,15 @@ jobs:
egress-policy: audit # TODO: switch to block after 2026-06-30 (compliance audit deferral)

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
python-version: "3.12"

- name: Install UV
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true
cache-dependency-glob: "uv.lock"
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/publish-pypi.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ on:
jobs:
publish:
name: Publish Package
uses: ByronWilliamsCPA/.github/.github/workflows/python-publish-pypi.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-publish-pypi.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
with:
python-version: '3.12'
package-name: 'rag-processor'
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/python-compatibility.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ permissions:
jobs:
compatibility:
name: Python Compatibility Matrix
uses: ByronWilliamsCPA/.github/.github/workflows/python-compatibility.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-compatibility.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
with:
# Match pyproject.toml `requires-python = ">=3.11,<3.15"`. Testing 3.10
# would fail on Python-3.11+ features the project actively uses (e.g.
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/qlty.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ jobs:
# Coverage upload: runs after CI workflow completes successfully.
qlty:
if: github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success'
uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
permissions:
contents: read
actions: read
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/release-sign.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ jobs:
egress-policy: audit

- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
Comment on lines 25 to +26

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Set persist-credentials: false on checkout.

Line 26 updates the checkout pin but still leaves credential persistence enabled, which can retain token-backed git auth on the runner. Add explicit hardening on this step.

Suggested fix
       - name: Checkout
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+        with:
+          persist-credentials: false

Based on learnings: “ensure every actions/checkout step includes persist-credentials: false,” and as per path instructions: “Review GitHub Actions workflows for security best practices.”

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 25-26: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-sign.yml around lines 25 - 26, The checkout step
using actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 has credential
persistence enabled by default, which is a security risk as it retains
token-backed git auth on the runner. Add the `persist-credentials: false`
parameter to the checkout action step to explicitly disable credential
persistence and harden the workflow security posture.

Sources: Path instructions, Learnings, Linters/SAST tools


- name: Install cosign
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ jobs:
if: >-
github.event_name == 'workflow_dispatch' ||
github.event.workflow_run.conclusion == 'success'
uses: ByronWilliamsCPA/.github/.github/workflows/python-release.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-release.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
with:
python-version: '3.12'
coverage-threshold: 80
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/reuse.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ jobs:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
Comment on lines 30 to +31

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Harden both checkout steps with persist-credentials: false.

Both updated checkout steps (Line 31 and Line 62) still use default credential persistence. This leaves unnecessary token-backed git config on the runner.

Suggested fix
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
@@
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

Based on learnings: “every actions/checkout step should set persist-credentials: false,” and as per path instructions: “Review GitHub Actions workflows for security best practices.”

Also applies to: 61-62

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 30-31: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/reuse.yml around lines 30 - 31, The checkout steps in the
GitHub Actions workflow use default credential persistence settings, which
leaves unnecessary token-backed git configuration on the runner. Add the input
parameter persist-credentials: false to both instances of the actions/checkout
step (the one currently at line 31 and the other one at line 62) to prevent
credential persistence and harden the workflow security posture.

Sources: Path instructions, Learnings, Linters/SAST tools


- name: REUSE Compliance Check
uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0
Expand Down Expand Up @@ -59,7 +59,7 @@ jobs:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

- name: Check primary license exists
run: |
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/sbom.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ env:
jobs:
sbom:
name: SBOM & Security
uses: ByronWilliamsCPA/.github/.github/workflows/python-sbom.yml@e070932adbacf11d72cf6fab5962c9398621104c # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-sbom.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
with:
python-version: '3.12'
fail-on-vulnerabilities: true
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ permissions:
jobs:
scorecard:
name: Scorecard Analysis
uses: ByronWilliamsCPA/.github/.github/workflows/python-scorecard.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-scorecard.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
with:
publish-results: true
upload-sarif: true
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/security-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ permissions:
jobs:
security:
name: Security Analysis
uses: ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
with:
source-directory: 'src'
python-version: '3.12'
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/sonarcloud.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ permissions:
jobs:
sonarcloud:
name: SonarCloud Analysis
uses: ByronWilliamsCPA/.github/.github/workflows/python-sonarcloud.yml@74c633acfdd5f707ab154fd59bd212c6df663dd6 # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-sonarcloud.yml@1502ecdde74ba30e2db1c91778f98b550bcf100e # main
with:
python-version: '3.12'
source-directory: 'src/rag_processor'
Expand Down
Loading