
Address zizmor findings and lock all dependencies #245

Merged
lopopolo merged 1 commit into trunk from dev/lopopolo-zizmor on Feb 9, 2025

Conversation

lopopolo (Member) commented Feb 9, 2025

  • Lock all GitHub Actions by SHA, even GitHub and Artichoke owned ones.
  • Lock yamllint with uv.
  • Install python with uv in CI.
  • Switch to using locked hadolint action rather than latest docker container.
  • Drop elevated GitHub Actions permissions for all workflows.
  • Do not persist git credentials on checkout.
  • Disable caching in nightly release build and publish workflow to defend against cache poisoning attacks.
  • Add yamllint step to Rakefile.

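As an added illustration of the hardening items listed above (this is not the Artichoke project's own workflow and not code from the PR), the following shows a minimal GitHub Actions workflow with the weak settings a zizmor audit flags, followed by the corrected form. The action commit SHAs are placeholders to be replaced with the audited commit of each release, and the action names, Python version and step commands are assumptions about a similar Rust-plus-yamllint CI setup:

```yaml
# Added example, not the project's workflow. Two YAML documents in one file:
# the first is the weak "before", the second the hardened "after".
# <pinned-commit-sha> is a placeholder for a real 40-hex commit id.

# ---------- BEFORE: what a zizmor audit flags ----------
name: ci-before
on:
  push:
# No top-level `permissions:` block, so every job inherits the repository
# default token scope, which may be read-write.
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      # Mutable tag: whoever can move `v4` controls what runs here.
      - uses: actions/checkout@v4
      # Default persist-credentials: true leaves the job token in .git/config
      # for every later step, including third-party actions.
      - uses: actions/cache@v4           # cache restored in a release job can
        with:                            # be poisoned from a lower-trust run
          path: ~/.cargo/registry
          key: cargo-${{ runner.os }}
      - run: pip install yamllint        # unpinned, resolved at run time
      - run: yamllint .
      # Floating container tag: the linter binary changes without review.
      - run: docker run --rm -i hadolint/hadolint:latest < Dockerfile

---
# ---------- AFTER: the corrected form ----------
name: ci-after
on:
  push:
permissions: {}                          # no default grants; jobs opt in
jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read                     # least privilege for a lint job
    steps:
      # Pinned by full commit SHA; the tag is kept in a comment so humans
      # (and update tooling) can still see which release it corresponds to.
      - uses: actions/checkout@<pinned-commit-sha> # v4.x.y
        with:
          persist-credentials: false     # token is not written to .git/config
      # No actions/cache step: release/publish jobs rebuild from scratch so a
      # poisoned cache entry cannot be injected into the published artifact.
      - uses: astral-sh/setup-uv@<pinned-commit-sha> # vX.Y.Z
      - run: uv python install 3.12      # interpreter installed by uv, not setup-python
      # yamllint comes from pyproject.toml + uv.lock; --locked fails the job
      # if the lockfile is out of date instead of silently re-resolving.
      - run: uv sync --locked
      - run: uv run yamllint .
      # Pinned action in place of the floating docker container.
      - uses: hadolint/hadolint-action@<pinned-commit-sha> # vX.Y.Z
        with:
          dockerfile: Dockerfile
```

The two settings that matter most for token exposure are `permissions: {}` at the top level (every job then has to ask for exactly the scopes it uses) and `persist-credentials: false` on checkout; without the latter, any later step that reads `.git/config` can recover the job token even when the step itself was never given secrets.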
lopopolo added the labels A-build (Area: CI build infrastructure), A-deps (Area: Source and library dependencies) and A-security (Area: Security vulnerabilities and unsoundness issues) on Feb 9, 2025
@lopopolo lopopolo merged commit 050eff8 into trunk Feb 9, 2025
15 checks passed
@lopopolo lopopolo deleted the dev/lopopolo-zizmor branch February 9, 2025 02:03