From 824e50080189c05f6c3e0c1aedc1af52fba71985 Mon Sep 17 00:00:00 2001
From: Steve Beattie
Date: Wed, 1 Jul 2026 22:11:34 -0700
Subject: [PATCH 1/4] fix(ci): add explicit least-privilege permissions to Action Lint workflow

Refs: PSEC-923
Generated-By: claude-guard chain 9facdbc54c749b676c74e197377209d3
Skills-Applied: excessive-permissions
Skills-Sha: d1a637a7f238e262da2698fbdbfd84d56a645e4cf4c63cdfcb3347544f7f2967
Image-Sha: sha256:3b5a6a2d7ac0edcd1da9473f63aef0922371ae7094a2583f4faa5bdef838bc1f
---
.github/workflows/actionlint.yaml | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
index a676ce0..d3d5054 100644
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -7,11 +7,15 @@ on:
pull_request:
branches: [ 'main', 'release-*' ]
+permissions: {}
+
jobs:
action-lint:
name: Action lint
runs-on: ubuntu-latest
+ permissions:
+ contents: read # actions/checkout + action-actionlint read the tree
steps:
- name: Harden Runner
From d718eb4c9e1a2fdf6b09cf8576f266b238303ed8 Mon Sep 17 00:00:00 2001
From: Steve Beattie
Date: Wed, 1 Jul 2026 22:11:38 -0700
Subject: [PATCH 2/4] fix(ci): set persist-credentials false on checkout in Action Lint

Refs: PSEC-923
Generated-By: claude-guard chain 9facdbc54c749b676c74e197377209d3
Skills-Applied: artipacked
Skills-Sha: d1a637a7f238e262da2698fbdbfd84d56a645e4cf4c63cdfcb3347544f7f2967
Image-Sha: sha256:3b5a6a2d7ac0edcd1da9473f63aef0922371ae7094a2583f4faa5bdef838bc1f
---
.github/workflows/actionlint.yaml | 2 ++
1 file changed, 2 insertions(+)

diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
index d3d5054..3c8507f 100644
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -25,6 +25,8 @@ jobs:
- name: Check out code
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ with:
+ persist-credentials: false
- name: Find yamls
id: get_yamls
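Review bot: The job-level `contents: read` is the right floor for a checkout plus a linter that only reads the tree, but the actionlint step itself lies outside the hunk, and the new comment names `action-actionlint`; if that step reports through reviewdog's `github-pr-review` or `github-pr-check` reporters it also needs `pull-requests: write` or `checks: write` and will start failing under `permissions: {}`, so confirm it only writes to the job log before merging. Two style points on the added comment: yamllint's `comments` rule wants at least two spaces before an inline `#`, and the literal `+` inside a diff-carried comment reads like a marker, so I would write `contents: read  # actions/checkout and actionlint only read the tree`. The `on:` block and the rest of the job's steps begin and end outside the hunk.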
From a96bb6d0f3faa033a827e2c1e8995e7229d6fae5 Mon Sep 17 00:00:00 2001
From: Steve Beattie
Date: Wed, 1 Jul 2026 22:11:42 -0700
Subject: [PATCH 3/4] fix(ci): add zizmor config disabling cosmetic pedantic rules

Refs: PSEC-923
Generated-By: claude-guard chain 9facdbc54c749b676c74e197377209d3
Skills-Applied: zizmor-config
Skills-Sha: d1a637a7f238e262da2698fbdbfd84d56a645e4cf4c63cdfcb3347544f7f2967
Image-Sha: sha256:3b5a6a2d7ac0edcd1da9473f63aef0922371ae7094a2583f4faa5bdef838bc1f
---
.github/zizmor.yml | 9 +++++++++
1 file changed, 9 insertions(+)
create mode 100644 .github/zizmor.yml

diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..34af0dc
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,9 @@
+rules:
+ # Cosmetic pedantic-only findings — suppressed per the campaign
+ # zizmor-config recipe. concurrency-limits fired against this repo's
+ # Action Lint workflow (docs.zizmor.sh/audits/#concurrency-limits);
+ # anonymous-definition is disabled as a standing campaign convention.
+ anonymous-definition:
+ disable: true
+ concurrency-limits:
+ disable: true
From 5d6affca0e64df8161b3d77c9910ebe1a2b6487d Mon Sep 17 00:00:00 2001
From: Steve Beattie
Date: Wed, 1 Jul 2026 22:11:46 -0700
Subject: [PATCH 4/4] fix(ci): add dependabot coverage for github-actions

The Action Lint workflow pins its actions to commit SHAs but the repo had no dependabot.yml, so those pins had no automated freshness mechanism. Add weekly github-actions update coverage with a 3-day cooldown, and declare the matching dependabot-cooldown threshold in .github/zizmor.yml.
Generated-By: claude-guard
---
.github/dependabot.yml | 10 ++++++++++
.github/zizmor.yml | 3 +++
2 files changed, 13 insertions(+)
create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..5e2d436
--- /dev/null
+++ b/.github/dependabot.yml
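Review bot: Disabling `concurrency-limits` at the config level suppresses a finding that has a direct fix in the one workflow it fired on, and it will also silence the audit for every workflow added to the repo later. As far as I understand that audit, it flags the absence of a `concurrency:` block, which is about runner time spent on superseded pull-request runs rather than a purely cosmetic matter, so I would add `concurrency:` / `  group: ${{ github.workflow }}-${{ github.ref }}` / `  cancel-in-progress: true` to actionlint.yaml and drop the `concurrency-limits` entry here, leaving only `anonymous-definition` disabled. If the suppression is kept on purpose, the comment should record why the block was not added instead of calling the finding cosmetic, since the next reader will take that label at face value.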
@@ -0,0 +1,10 @@
+# See GitHub's documentation for more information on this file:
+# https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 3
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 34af0dc..bfab275 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -1,4 +1,7 @@
rules:
+ dependabot-cooldown:
+ config:
+ days: 3
# Cosmetic pedantic-only findings — suppressed per the campaign
# zizmor-config recipe. concurrency-limits fired against this repo's
# Action Lint workflow (docs.zizmor.sh/audits/#concurrency-limits);
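Review bot: `default-days: 3` is duplicated by hand as `dependabot-cooldown.config.days` in `.github/zizmor.yml`, and nothing in this file says so, so the two values will drift the first time someone tunes one of them; add `# Keep in sync with rules.dependabot-cooldown.config.days in .github/zizmor.yml` above `cooldown:`. Three days is also at the short end for what a cooldown is for: it exists so that a compromised or yanked action release has time to be reported and pulled before Dependabot proposes the SHA bump, and a week is a more common choice, so consider `default-days: 7` and raising the zizmor threshold to match. Note for reviewers of the resulting PRs that Dependabot updates the commit SHA and the trailing `# vX.Y.Z` comment together, so the repo's pinning style is preserved; that is worth a sentence in the commit message.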