@woodruffw woodruffw commented Jul 31, 2025

90% of this is from `--fix=unsafe`, with the rest
being my manual fixups.

In addition to the fixes themselves, I've done the following:

  • I added a new top-level workflow that will flag any additional findings in the future (both inline in PRs and also in GitHub's "advanced security" integration). That latter one might need to be disabled if the org doesn't have it enabled, though.
  • I added GitHub Actions to the Dependabot config, and also enabled cooldown everywhere to make it a bit harder for us to introduce newly broken or compromised deps. It's not perfect, but it's better than realtime consumption given that we're already on a monthly deps schedule 🙂

Signed-off-by: William Woodruff [email protected]
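
A sketch of the kind of Dependabot entry the description above refers to, added here as an illustration and not taken from this pull request's diff. The `directory` value and the 7-day cooldown are assumptions; the monthly interval follows the schedule mentioned in the description.

```yaml
# .github/dependabot.yml (illustrative, not this repository's file)
version: 2
updates:
  # Keep the actions referenced by workflows up to date.
  - package-ecosystem: "github-actions"
    directory: "/"            # assumption: workflows live in the default location
    schedule:
      interval: "monthly"     # matches the monthly deps cadence mentioned above
    cooldown:
      # Only propose a release once it has been public for this many days,
      # so a broken or compromised release has time to be noticed and
      # yanked before it is pulled in. The value is an assumption.
      default-days: 7
```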

90% of this is from `--fix=unsafe`, with the rest
being my manual fixups.

Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
@woodruffw woodruffw requested a review from geofft July 31, 2025 18:28
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

Signed-off-by: William Woodruff <[email protected]>
@woodruffw woodruffw marked this pull request as ready for review July 31, 2025 20:25
@woodruffw woodruffw merged commit 98ed871 into main Aug 1, 2025
439 checks passed
@woodruffw woodruffw deleted the ww/ci-fixes branch August 1, 2025 14:25
@zanieb zanieb mentioned this pull request Aug 7, 2025
zanieb added a commit that referenced this pull request Aug 7, 2025