fix(ci): GitHub Actions security hardening#21
Open
stevebeattie wants to merge 4 commits into
…flow Refs: PSEC-923 Generated-By: claude-guard chain 9facdbc54c749b676c74e197377209d3 Skills-Applied: excessive-permissions Skills-Sha: d1a637a7f238e262da2698fbdbfd84d56a645e4cf4c63cdfcb3347544f7f2967 Image-Sha: sha256:3b5a6a2d7ac0edcd1da9473f63aef0922371ae7094a2583f4faa5bdef838bc1f
Refs: PSEC-923 Generated-By: claude-guard chain 9facdbc54c749b676c74e197377209d3 Skills-Applied: artipacked Skills-Sha: d1a637a7f238e262da2698fbdbfd84d56a645e4cf4c63cdfcb3347544f7f2967 Image-Sha: sha256:3b5a6a2d7ac0edcd1da9473f63aef0922371ae7094a2583f4faa5bdef838bc1f
Refs: PSEC-923 Generated-By: claude-guard chain 9facdbc54c749b676c74e197377209d3 Skills-Applied: zizmor-config Skills-Sha: d1a637a7f238e262da2698fbdbfd84d56a645e4cf4c63cdfcb3347544f7f2967 Image-Sha: sha256:3b5a6a2d7ac0edcd1da9473f63aef0922371ae7094a2583f4faa5bdef838bc1f
The Action Lint workflow pins its actions to commit SHAs but the repo had no dependabot.yml, so those pins had no automated freshness mechanism. Add weekly github-actions update coverage with a 3-day cooldown, and declare the matching dependabot-cooldown threshold in .github/zizmor.yml. Generated-By: claude-guard
egibs approved these changes (Jul 2, 2026)
This PR applies GitHub Actions hardening fixes to the Action Lint workflow,
surfaced by static analysis (zizmor).

What this changes

- permissions: deny-all default with only the permissions the job actually needs.
- persist-credentials: false on checkout — the job doesn't push back, so the persisted GITHUB_TOKEN is unnecessary.
- dependabot-cooldown threshold in .github/zizmor.yml.
- .github/dependabot.yml: the workflow pins its actions to commit SHAs but the repo had no dependabot config; adds weekly github-actions update coverage with a 3-day cooldown.

Test plan

- zizmor .github/ — clean after these changes.
- actionlint — workflow still parses with no errors.

Refs: PSEC-923
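The following is an added illustration of the two hardening settings and the Dependabot coverage the PR describes, written for this page and not taken from the PR's own files. The workflow name, job name, trigger set, and the way actionlint is invoked are assumptions; the commit SHA is a placeholder and must be replaced by the real 40-character pin. The .github/zizmor.yml side is not shown because the page does not show that file's contents.

```yaml
# .github/workflows/action-lint.yml (illustrative; job layout is assumed)
name: Action Lint

on:
  pull_request:
  push:
    branches: [main]

# Weak form: omitting `permissions:` at the top level makes every job inherit
# the repository's default GITHUB_TOKEN scope, which on older repositories is
# read/write across most scopes. A single compromised step or action could
# then push, open PRs, or tamper with releases using that token.
#
# Hardened form: deny everything at the workflow level, then grant back only
# what each job actually needs.
permissions: {}

jobs:
  actionlint:
    runs-on: ubuntu-latest
    # This job only reads the repository to lint workflow files.
    permissions:
      contents: read
    steps:
      - name: Check out repository
        # Placeholder SHA: pin to the actual 40-character commit and keep the
        # version tag in a trailing comment so Dependabot can track it.
        uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z
        with:
          # Weak form (the default) is `persist-credentials: true`, which
          # writes the GITHUB_TOKEN into .git/config for the rest of the job.
          # The job never pushes, so the token should not be left on disk
          # where a later step, a downloaded tool, or a cached artifact could
          # pick it up.
          persist-credentials: false

      - name: Run actionlint
        # Assumption: actionlint is available on the runner; install it in
        # a preceding step if it is not.
        run: actionlint

---
# .github/dependabot.yml (illustrative; matches the "weekly, 3-day cooldown"
# coverage described above)
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    # Wait three days after a new action release before proposing the bump.
    # SHA pins only stay useful if something refreshes them; the cooldown
    # leaves time for a bad or compromised release to be noticed upstream
    # before it is pulled in automatically.
    cooldown:
      default-days: 3
```

Checking the result locally mirrors the PR's test plan: `zizmor .github/` should report no findings for excessive permissions or persisted credentials once the two settings are in place, and `actionlint` confirms the workflow still parses.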