
ci: harden workflows with least-privilege permissions, CodeQL, and actionlint#13

Merged
muralx merged 1 commit into main from ci/workflow-hardening on Jun 17, 2026

Conversation

@muralx (Collaborator) commented Jun 16, 2026

Tighten the CI/CD supply chain to close OpenSSF Scorecard gaps.

Changes

  • Least-privilege permissions — set a top-level permissions: contents: read on the backport-fixes, ci, cut-release, dependency-review, publish-pypi, and release workflows; jobs re-grant only the write scopes they need.
  • CodeQL SAST — new codeql.yml running the security-extended query suite over the Python sources on pushes, pull requests, and a weekly schedule. The analyze job is gated on public-repo visibility, since SARIF upload to code scanning requires a public repo (and this keeps private forks from failing).
  • Workflow linting — new workflows-lint.yml running actionlint on changes under .github/workflows/**. The actionlint installer is fetched by commit SHA and sha256-verified before it runs (closes Scorecard's "downloadThenRun not pinned by hash" gap), and shellcheck is wired in explicitly.
  • publish-pypi artifact check — replace the fragile grep-based artifact version check with a compgen -G glob match, so version verification no longer depends on regex-escaping the version string.

Validation

  • actionlint passes on all workflows.
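The "fetch, verify the sha256, then run" pattern described for the actionlint installer above, as an added example that is not the project's workflow code. A constructed local script stands in for the downloaded installer, the pinned digest is computed from the known-good copy (the way a release hash would be recorded in the workflow), and a copy altered after pinning is shown being refused before it executes. The fetch by commit SHA itself is left out so the example runs offline; the names install.sh, ran.marker and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow: the "download, verify, then run"
# pattern the PR applies to the actionlint installer, reproduced offline.
# A constructed local script stands in for the fetched installer, and the
# pinned digest is computed from the known-good copy, as a release hash
# would be recorded in the workflow. File and function names are assumed.
set -euo pipefail

# SHA-256 of a file: GNU coreutils sha256sum, or shasum where it is absent.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Execute a fetched script only if its digest equals the pinned one.
# Returns 0 after running it on a match; returns 1 without running it otherwise.
verify_then_run() {
  local script="$1" expected="$2" actual
  actual="$(sha256_of "$script")"
  if [ "$actual" != "$expected" ]; then
    echo "sha256 mismatch for $script: expected $expected, got $actual" >&2
    return 1
  fi
  bash "$script"
}

# Constructed stand-in for the downloaded installer. It drops a marker file
# next to itself so callers can tell whether it actually executed.
make_installer() {
  local dir="$1"
  cat >"$dir/install.sh" <<'EOF'
#!/usr/bin/env bash
echo installed >"$(dirname "$0")/ran.marker"
EOF
  printf '%s\n' "$dir/install.sh"
}

# Genuine installer: digest matches the pin, so it runs and leaves its marker.
genuine_runs() {
  local dir script pinned
  dir="$(mktemp -d)"
  script="$(make_installer "$dir")"
  pinned="$(sha256_of "$script")"
  verify_then_run "$script" "$pinned" && [ -f "$dir/ran.marker" ]
}

# Installer altered after the hash was pinned (a replaced download or a moved
# tag): verification fails and the script body is never executed.
tampered_is_blocked() {
  local dir script pinned
  dir="$(mktemp -d)"
  script="$(make_installer "$dir")"
  pinned="$(sha256_of "$script")"
  echo 'echo pwned >"$(dirname "$0")/ran.marker"' >>"$script"
  ! verify_then_run "$script" "$pinned" 2>/dev/null && [ ! -f "$dir/ran.marker" ]
}

genuine_runs && echo "genuine installer: digest matched, ran"
tampered_is_blocked && echo "tampered installer: digest mismatch, not executed"
```

The point of the ordering is that the digest comparison happens on the bytes that are about to be executed, not on a URL or a tag name; pinning the download URL to a commit SHA (as the PR does) fixes what is requested, and the hash check confirms what was actually received.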

…tionlint

Tighten the CI/CD supply chain to close OpenSSF Scorecard gaps:

- Set a least-privilege top-level `permissions: contents: read` on the
  backport-fixes, ci, cut-release, dependency-review, publish-pypi, and
  release workflows; jobs re-grant only the write scopes they need.
- Add a CodeQL workflow running the security-extended query suite on the
  Python sources (SAST) for pushes, pull requests, and a weekly schedule.
  The analyze job is gated on public-repo visibility, since SARIF upload
  to code scanning requires public repos.
- Add an actionlint workflow that lints `.github/workflows/**` at PR time.
  The actionlint installer is fetched by commit SHA and sha256-verified
  before it runs, and shellcheck is wired in explicitly.
- Replace the fragile `grep`-based artifact version check in publish-pypi
  with a `compgen -G` glob match so version verification no longer depends
  on regex-escaping the version string.
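The publish-pypi artifact check described in the PR description and commit message above, as an added example that is not the project's workflow code. It builds a constructed dist/ directory containing the genuine wheel and sdist for one version plus a look-alike file name, then runs a grep-style check and a compgen -G glob check over the same files to show where the regex version over-matches. The package name examplepkg, the version strings and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the project's publish-pypi workflow: why a grep-based
# artifact version check is fragile and how the compgen -G glob match that
# replaced it behaves on the same files. The package name "examplepkg", the
# version strings and the dist/ layout are constructed for illustration.
set -euo pipefail

# Build a constructed dist/ directory: the genuine 1.0.1 wheel and sdist plus
# a look-alike whose name a dot-as-wildcard regex also accepts.
make_dist() {
  local dir
  dir="$(mktemp -d)"
  mkdir -p "$dir/dist"
  touch "$dir/dist/examplepkg-1.0.1-py3-none-any.whl" \
        "$dir/dist/examplepkg-1.0.1.tar.gz" \
        "$dir/dist/examplepkg-1x0x1-py3-none-any.whl"
  printf '%s\n' "$dir/dist"
}

# Fragile check: the version is interpolated into a regex, so every "." in
# 1.0.1 matches any character and the look-alike counts as a hit too.
grep_count() {
  local dist="$1" version="$2"
  ls "$dist" | grep -c -- "^examplepkg-${version}-" || true
}

# Glob match: "." is literal in a glob, so only the genuine wheel matches.
glob_count() {
  local dist="$1" version="$2" n=0 f
  for f in $(compgen -G "${dist}/examplepkg-${version}-*.whl" || true); do
    n=$((n + 1))
  done
  echo "$n"
}

# The hardened check as a function: succeed only when a wheel for exactly
# this version exists (glob) and its sdist is present; no regex escaping needed.
verify_release() {
  local dist="$1" version="$2"
  compgen -G "${dist}/examplepkg-${version}-*.whl" >/dev/null \
    && [ -f "${dist}/examplepkg-${version}.tar.gz" ]
}

dist="$(make_dist)"
echo "grep matches for 1.0.1: $(grep_count "$dist" 1.0.1)"   # 2: genuine + look-alike
echo "glob matches for 1.0.1: $(glob_count "$dist" 1.0.1)"   # 1: genuine only
```

Removing the genuine wheel and re-running shows the failure mode that matters in a release job: the regex check still reports a match (the look-alike), while the glob check reports none and verify_release fails, which is the behaviour the workflow needs before an upload.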
@muralx muralx requested a review from a team as a code owner June 16, 2026 23:21
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@muralx muralx merged commit 3bf50ed into main Jun 17, 2026
14 checks passed
@muralx muralx deleted the ci/workflow-hardening branch June 17, 2026 15:21

3 participants