Skip to content

ci: harden GitHub Actions workflows #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
flavorjones merged 5 commits into from
Mar 20, 2026
Merged

ci: harden GitHub Actions workflows #3

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
77d726a
Pin actions to SHA hashes with pinact
flavorjones Mar 20, 2026
f5b2911
Fix artipacked: add persist-credentials: false to checkout steps
flavorjones Mar 20, 2026
daed2f6
Fix actionlint: suppress SC2016 false positive for markdown backticks
flavorjones Mar 20, 2026
651ad4c
Add CI workflow with GitHub Actions audit (actionlint + zizmor)
flavorjones Mar 20, 2026
bf2bbba
Configure dependabot for github-actions with weekly batched updates
flavorjones Mar 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
version: 2
updates:
- package-ecosystem: github-actions
directory: "/"
groups:
github-actions:
patterns:
- "*"
schedule:
interval: weekly
cooldown:
default-days: 7
4 changes: 3 additions & 1 deletion .github/workflows/ai-breaking-change.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,9 @@ jobs:
breaking: ${{ steps.parse.outputs.breaking }}
items: ${{ steps.parse.outputs.items }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Filter diff
id: filter
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/ai-classify-pr.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,9 @@ jobs:
outputs:
label: ${{ steps.validate.outputs.label }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Build prompt
env:
Expand Down
26 changes: 26 additions & 0 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
name: CI

on:
push:
branches: [main]
pull_request:

jobs:
lint-actions:
name: GitHub Actions audit
runs-on: ubuntu-latest
permissions:
contents: read

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Run actionlint
uses: rhysd/actionlint@393031adb9afb225ee52ae2ccd7a5af5525e03e8 # v1.7.11

- name: Run zizmor
uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
with:
advanced-security: false
1 change: 1 addition & 0 deletions .github/workflows/sensitive-change-gate.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,7 @@ jobs:
FOOTER='> **Shadow mode** — this check is informational only. When activated, changes to these paths will require approval from a maintainer.'
else
HEADER="Sensitive Change Detection"
# shellcheck disable=SC2016
FOOTER='> Changes to control-plane files require approval from a maintainer. Add the `sensitive-change-approved` label to proceed.'
fi

Expand Down
Loading