Skip to content

ci: improve GitHub Actions security#1424

Merged
tongpu merged 1 commit intoadfinis:mainfrom
tongpu:ci/incorporate_zizmore_feedback
Mar 24, 2026
Merged

ci: improve GitHub Actions security#1424
tongpu merged 1 commit intoadfinis:mainfrom
tongpu:ci/incorporate_zizmore_feedback

Conversation

@tongpu
Copy link
Copy Markdown
Member

@tongpu tongpu commented Jul 15, 2025

Description

Incorporate feedback from zizmor to improve the security of the used GitHub Actions.

Issues

Related to #1422, which introduces the zizmor action.

Checklist

  • This PR contains a description of the changes I'm making
  • I updated the version in Chart.yaml
  • I updated the changelog with an artifacthub.io/changes annotation in Chart.yaml, check the example in the documentation.
  • I updated applicable README.md files using pre-commit run
  • I documented any high-level concepts I'm introducing in docs/
  • CI is currently green and this is ready for review
  • I am ready to test changes after they are applied and released

@github-actions github-actions bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jul 15, 2025
@tongpu tongpu mentioned this pull request Jul 15, 2025
Draft
7 tasks
@hairmare hairmare mentioned this pull request Mar 24, 2026
Merged
7 tasks
hairmare
hairmare reviewed Mar 24, 2026
View reviewed changes
hairmare
hairmare requested changes Mar 24, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@hairmare hairmare left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

afaik job-level permission would be the way to go...

See https://radiorabe.github.io/actions/getting-started/#security for details.

.github/workflows/release.yaml Outdated
Comment on lines +8 to +9
permissions:
pages: write
Copy link
Copy Markdown
Contributor

@hairmare hairmare Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
permissions:
pages: write
permissions: {}

@tongpu tongpu force-pushed the ci/incorporate_zizmore_feedback branch from 43e65ed to efe02d1 Compare March 24, 2026 10:58
@tongpu tongpu marked this pull request as ready for review March 24, 2026 10:58
@tongpu tongpu requested a review from a team as a code owner March 24, 2026 10:58
@tongpu tongpu requested review from ifrido and isantospardo March 24, 2026 10:58
@tongpu tongpu mentioned this pull request Mar 24, 2026
Merged
7 tasks
hairmare
hairmare previously approved these changes Mar 24, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@hairmare hairmare left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGMT (with an additional rebase, that is)

@tongpu
ci: improve GitHub Actions security
4ad1dd3 
Incorporate feedback from zizmor to improve the security of the used
GitHub Actions
@tongpu tongpu force-pushed the ci/incorporate_zizmore_feedback branch from efe02d1 to 4ad1dd3 Compare March 24, 2026 14:11
@tongpu tongpu enabled auto-merge (squash) March 24, 2026 14:11
@tongpu tongpu requested a review from hairmare March 24, 2026 14:14
@tongpu tongpu merged commit fd062e8 into adfinis:main Mar 24, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hairmare hairmare hairmare approved these changes

@ifrido ifrido Awaiting requested review from ifrido ifrido is a code owner automatically assigned from adfinis/helm-charts

@isantospardo isantospardo Awaiting requested review from isantospardo isantospardo is a code owner automatically assigned from adfinis/helm-charts

Assignees

No one assigned

Labels

size/S Denotes a PR that changes 10-29 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tongpu @hairmare