ci: secure GitHub Actions workflows #1302
Merged
- Pin all GHA actions to SHA with version comments (38 actions)
- Pin codecov/codecov-action to SHA (was unpinned @v6)
- Pin musllinux container image to SHA digest (was :latest)
- Add zizmor pre-commit hook with pedantic persona
- Add .github/zizmor.yaml config (ignore copilot-setup-steps concurrency)
- Add concurrency group to cd.yml
- Add name: labels to dist, deploy, and pass jobs
- Add explanatory comments to cd.yml deploy permissions
- Add permissions: {} to nightlies.yml workflow and job levels
- Add persist-credentials: false to nightlies.yml checkout
- Freeze all pre-commit hooks to SHA via prek auto-update
- Update dependabot.yml: monthly schedule, github-actions group name, add pre-commit ecosystem, add 7-day cooldowns
- Add uv exclude-newer = "7 days" cooldown to pyproject.toml
- Update mypy python_version from 3.9 to 3.10 (required by mypy 2.1.0)
- Fix mypy PackageMetadata.get error in test file

Assisted-by: OpenCode:glm-5
henryiii
commented
May 20, 2026
Signed-off-by: Henry Schreiner <henryfs@princeton.edu>
LecrisUT
approved these changes
May 21, 2026
LecrisUT
left a comment
Looks good other than the CI failures
henryiii
commented
May 22, 2026
Signed-off-by: Henry Schreiner <henryfs@princeton.edu>
Used my secure-ci skill, and tweaked a bit.
🤖 Human guided, AI assisted PR (using this skill). AI text below. 🤖
Summary
Secures GitHub Actions workflows following zizmor pedantic audit and best practices.
Changes
- Pin all GHA actions to SHA with version comments (38 actions)
- Pin codecov/codecov-action to SHA e79a6962e0d4c0c17b229090214935d2e33f8354 (was unpinned @v6)
- Pin musllinux container image to SHA digest (was :latest)
- Add zizmor pre-commit hook with --persona=pedantic
- Add .github/zizmor.yaml config to ignore copilot-setup-steps concurrency (special file per zizmor docs)
- Add concurrency group to cd.yml
- Add name: labels to dist, deploy (cd.yml) and pass (ci.yml) jobs
- Add explanatory comments to cd.yml deploy job permissions (id-token: write, attestations: write)
- Add permissions: {} to nightlies.yml at workflow level and contents: read at job level
- Add persist-credentials: false to checkout in nightlies.yml
- Freeze all pre-commit hooks via prek auto-update --freeze --cooldown-days 7
- Update dependabot.yml: monthly schedule, renamed group to github-actions, added pre-commit ecosystem, added 7-day cooldowns
- Add exclude-newer = "7 days" to [tool.uv] in pyproject.toml
- Update mypy python_version from 3.9 to 3.10 (required by mypy 2.1.0)
- Fix mypy PackageMetadata.get error in test file

Assisted-by: OpenCode:glm-5
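For the nightlies.yml items in the list above, here is an added example (not a file from this PR) of a minimal scheduled workflow with that hardening applied. The schedule, job name and the all-zero checkout SHA are constructed placeholders; the codecov pin is the one given above.

```yaml
# Added example, not a file from this PR: a minimal scheduled workflow with the
# hardening the change list describes. The schedule, job, and checkout SHA
# placeholder are constructed; the codecov SHA and "# v6" comment come from the PR.
name: nightlies

on:
  schedule:
    - cron: "0 6 * * *"      # constructed schedule
  workflow_dispatch:

# Weak form: no top-level `permissions:` key, so every job inherits the
# repository default token scopes. Hardened: deny all at the workflow level
# and grant per job only what that job needs.
permissions: {}

# One in-flight run per workflow and ref; a newer run cancels the older one.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  nightly:
    name: Nightly wheels          # explicit name, as added to dist/deploy/pass
    runs-on: ubuntu-latest
    permissions:
      contents: read              # job-level grant: read the repository only
    steps:
      # Weak form: `uses: actions/checkout@v4`. A tag is mutable, so the code
      # that runs can change without any change to this file. Hardened: pin
      # the full commit SHA and keep the version as a trailing comment so
      # humans and dependabot's github-actions updates can read it.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
        with:
          # Weak form (default true): the GITHUB_TOKEN is written into
          # .git/config and stays available to every later step and script.
          persist-credentials: false

      - name: Run tests with coverage
        run: echo "tests run here (constructed)"

      # The codecov action pinned as in this PR; it was an unpinned @v6 before.
      - uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6
```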