Skip to content

ci: finalize GitHub Actions hardening#155

Merged
seapagan merged 1 commit into
mainfrom
ci/finalize-actions-hardening
Jul 12, 2026
Merged

ci: finalize GitHub Actions hardening#155
seapagan merged 1 commit into
mainfrom
ci/finalize-actions-hardening

Conversation

@seapagan

@seapagan seapagan commented Jul 12, 2026

Copy link
Copy Markdown
Owner

Locks the release matrix to the explicit contents: write permission required to create releases and upload assets.

Removes the completed permission-monitor instrumentation from all workflows, eliminating its GraphQL, Node runtime, and optional-variable warnings. Local and CI zizmor now use the pedantic persona, and the completed security TODOs are removed.

Pedantic zizmor reports no findings, and the Rust formatting, Clippy, and test gates pass.

Summary by CodeRabbit

  • Security

    • Tightened permissions for automated release workflows, granting only the access required to publish releases.
    • Removed redundant token-permission monitoring steps from automated workflows.
  • Quality Assurance

    • Updated workflow security analysis to use a stricter inspection mode.
    • Applied the same stricter checks to local workflow-audit tasks, improving detection of potential configuration issues.
  • Maintenance

    • Removed completed workflow-hardening tasks from the project checklist.

Signed-off-by: Grant Ramsay <seapagan@gmail.com>
@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 63c48eeb-aea5-4267-8c43-58add49d6db0

📥 Commits

Reviewing files that changed from the base of the PR and between 9f67753 and 0b24b85.

📒 Files selected for processing (6)
  • .github/workflows/gh-pages.yml
  • .github/workflows/release.yml
  • .github/workflows/rust.yml
  • .github/workflows/zizmor.yml
  • Makefile.toml
  • TODO.md
💤 Files with no reviewable changes (3)
  • .github/workflows/gh-pages.yml
  • TODO.md
  • .github/workflows/rust.yml

📝 Walkthrough

Walkthrough

GitHub Actions workflows now use scoped release permissions, omit token-permission monitoring steps, and run Zizmor with the pedantic persona. Related TODO entries were removed.

Changes

Workflow security hardening

Layer / File(s) Summary
Scope release workflow permissions
.github/workflows/release.yml
Default permissions are disabled, while the release build retains contents: write; its monitoring step is removed.
Remove permission monitoring steps
.github/workflows/gh-pages.yml, .github/workflows/rust.yml, .github/workflows/zizmor.yml
Permission-monitoring steps are removed from deployment, CI, audit, policy, and Zizmor jobs.
Enable pedantic Zizmor auditing
.github/workflows/zizmor.yml, Makefile.toml, TODO.md
Zizmor uses the pedantic persona in CI and local tasks, and completed TODO entries are deleted.

Estimated code review effort: 2 (Simple) | ~10 minutes

Poem

I’m a rabbit who audits the flow,
With pedantic hops in a row.
Tokens are kept tight,
Workflows run light,
And old TODOs quietly go.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly captures the main change: finalising GitHub Actions hardening across workflows.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/finalize-actions-hardening

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@seapagan seapagan self-assigned this Jul 12, 2026
@seapagan seapagan added the CI GitHub Actions label Jul 12, 2026
@seapagan seapagan marked this pull request as ready for review July 12, 2026 08:23
@seapagan seapagan merged commit 62deb47 into main Jul 12, 2026
8 checks passed
@seapagan seapagan deleted the ci/finalize-actions-hardening branch July 12, 2026 08:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

CI GitHub Actions

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant