Skip to content

GitHub Actions Update #333

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
coliff wants to merge 2 commits into
base: main
Choose a base branch
from
Open

GitHub Actions Update #333

coliff wants to merge 2 commits into from

Conversation

@coliff
Copy link
Member

@coliff coliff commented Nov 14, 2025

This pull request makes several improvements to the project's GitHub Actions workflows, focusing on enhanced security, up-to-date dependencies, and improved supply chain analysis. The main changes include updating action versions to specific commit SHAs for better security, adding a new workflow for OSSF Scorecard analysis, and making minor configuration improvements across workflows.

Security and Dependency Updates:

  • Updated all occurrences of actions/checkout, actions/setup-node, and other major GitHub Actions to reference specific commit SHAs instead of floating version tags, improving supply chain security and build reproducibility. (.github/workflows/build.yml, .github/workflows/codeql-analysis.yml, .github/workflows/dependency-review.yml, .github/workflows/npm-publish.yml, .github/workflows/super-linter.yml, .github/workflows/test.yml) [1] [2] [3] [4] [5] [6] [7]

  • Set persist-credentials: false for all actions/checkout steps to reduce the risk of leaking repository credentials in workflow runs. [1] [2] [3] [4] [5] [6] [7]

Supply Chain Security:

  • Added a new .github/workflows/ossf-scorecard.yml workflow to automatically run OSSF Scorecard supply chain security analysis on the repository, with results uploaded as SARIF files and published to GitHub code scanning.

Linter and Quality Tooling:

  • Upgraded super-linter to a specific commit SHA, and disabled Biome and other unneeded validators for more focused linting.

Workflow File Improvements:

  • Renamed .github/workflows/npmpublish.yml to .github/workflows/npm-publish.yml for consistency and clarity. [1] [2]

@coliff coliff added the github_actions Pull requests that update Github_actions code label Nov 14, 2025
@coliff coliff requested a review from Copilot November 14, 2025 14:33
Copilot AI reviewed Nov 14, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This pull request enhances GitHub Actions workflows with improved security practices and supply chain analysis capabilities. The main focus is on pinning action versions to specific commit SHAs and adding credential protection across all workflows.

  • Updated all GitHub Actions references to use commit SHAs instead of version tags for better supply chain security
  • Added persist-credentials: false to all checkout steps to prevent credential leakage
  • Introduced OSSF Scorecard workflow for automated supply chain security analysis

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
.github/workflows/test.yml Updated checkout and setup-node actions to pinned SHA versions
.github/workflows/super-linter.yml Pinned actions to SHAs, added persist-credentials, disabled Biome validators
.github/workflows/ossf-scorecard.yml New workflow for OSSF Scorecard supply-chain security analysis
.github/workflows/npm-publish.yml Pinned actions to SHAs and added persist-credentials for both build and publish jobs
.github/workflows/dependency-review.yml Updated actions to SHA pins and added persist-credentials
.github/workflows/codeql-analysis.yml Upgraded CodeQL actions to v4 with SHA pinning and added persist-credentials
.github/workflows/build.yml Pinned actions to SHAs and added persist-credentials

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@coliff
GitHub Actions Update
a389000 
- Use Pinned SHA1 for improved security
- Update super-linter.yml
- Add OSSF Scorecard

Update GitHub Actions workflow formatting and linter config

Standardized YAML formatting in ossf-scorecard workflow and adjusted the order and inclusion of linter validation variables in super-linter.yml, including the addition of VALIDATE_GITHUB_ACTIONS_ZIZMOR.

Co-Authored-By: Copilot <175728472+Copilot@users.noreply.github.com>
@coliff coliff force-pushed the dev/cliff/github-actions-update branch from 47b76a0 to a389000 Compare November 14, 2025 14:43
@coliff coliff requested a review from roblarsen November 14, 2025 14:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@roblarsen roblarsen Awaiting requested review from roblarsen

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

github_actions Pull requests that update Github_actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@coliff