ci: finalize GitHub Actions hardening#155
Conversation
Signed-off-by: Grant Ramsay <seapagan@gmail.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (6)
💤 Files with no reviewable changes (3)
📝 WalkthroughWalkthroughGitHub Actions workflows now use scoped release permissions, omit token-permission monitoring steps, and run Zizmor with the ChangesWorkflow security hardening
Estimated code review effort: 2 (Simple) | ~10 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Up to standards ✅🟢 Issues
|
Locks the release matrix to the explicit contents: write permission required to create releases and upload assets.
Removes the completed permission-monitor instrumentation from all workflows, eliminating its GraphQL, Node runtime, and optional-variable warnings. Local and CI zizmor now use the pedantic persona, and the completed security TODOs are removed.
Pedantic zizmor reports no findings, and the Rust formatting, Clippy, and test gates pass.
Summary by CodeRabbit
Security
Quality Assurance
Maintenance