Skip to content

Pin CI actions and minimize token permissions#4

Merged
ashishki merged 1 commit into
masterfrom
agent/pin-ci-actions
Jul 13, 2026
Merged

Pin CI actions and minimize token permissions#4
ashishki merged 1 commit into
masterfrom
agent/pin-ci-actions

Conversation

@ashishki

Copy link
Copy Markdown
Owner

Scope

  • pin every GitHub Action in the active CI workflow to a verified 40-character commit
  • grant only read access to repository contents
  • prevent checkout from persisting credentials in both jobs
  • add a regression test for these workflow invariants

No application, database, RLS, eval, threshold, dataset, or evidence behavior changes.

Local verification

  • exact head: 55836e72e367b718c6f45bc12f490f6fa7fcc731
  • CI supply-chain contract: 1 passed
  • Ruff lint/format: passed
  • workflow YAML parse: passed
  • diff check: passed

Draft until exact-head remote CI and independent review pass.

@ashishki ashishki marked this pull request as ready for review July 13, 2026 18:35
@ashishki ashishki merged commit e0ab0b1 into master Jul 13, 2026
3 checks passed
@ashishki ashishki deleted the agent/pin-ci-actions branch July 13, 2026 18:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant