
feat(security): improve GHA security #270

Merged
jfagoagas merged 7 commits into main from improve-actions-security on Mar 24, 2026

Conversation

@jfagoagas
Member

Description

Improve GHA security also adding zizmor pre-commit and workflow.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Copilot AI review requested due to automatic review settings March 23, 2026 15:56
@jfagoagas jfagoagas requested a review from a team as a code owner March 23, 2026 15:56
@github-advanced-security
Contributor

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.


Copilot AI left a comment


Pull request overview

This PR improves GitHub Actions security posture by adding zizmor-based workflow scanning and tightening authentication/permissions in existing CI and release workflows.

Changes:

  • Add zizmor as a pre-commit hook to locally scan GitHub Actions workflows.
  • Introduce a dedicated zizmor GitHub Actions workflow for workflow security analysis.
  • Harden existing workflows by disabling persisted checkout credentials and switching PyPI publishing to OIDC via pypa/gh-action-pypi-publish.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File | Description
.pre-commit-config.yaml | Adds a zizmor pre-commit hook for local GitHub Actions workflow security scanning.
.github/workflows/zizmor.yml | New workflow to run zizmor against workflow files with restricted permissions.
.github/workflows/pypi-release.yml | Hardens release job permissions and switches PyPI publish to the OIDC-based action.
.github/workflows/pull-request.yml | Disables persisted checkout credentials to reduce token exposure risk.

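As an added example (not the project's own workflow from this PR), a PyPI release workflow that applies the hardening the review summary describes: a read-only default token, checkout without persisted credentials, and OIDC trusted publishing confined to a separate publish job. The action pins are placeholders, and the workflow name, the poetry build step and the artifact hand-off between jobs are assumptions rather than details taken from the repository.

```yaml
name: release

on:
  release:
    types: [published]

# Default every job to a read-only GITHUB_TOKEN; elevate per job only.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<PINNED_SHA>  # placeholder: pin to a full commit SHA, tag in the comment
        with:
          # Do not leave GITHUB_TOKEN in .git/config for later steps to read.
          persist-credentials: false
      - uses: actions/setup-python@<PINNED_SHA>
        with:
          python-version: "3.12"
      - run: |
          pip install poetry
          poetry build
      - uses: actions/upload-artifact@<PINNED_SHA>
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # required for OIDC trusted publishing; nothing else
    steps:
      - uses: actions/download-artifact@<PINNED_SHA>
        with:
          name: dist
          path: dist/
      # Before: a long-lived API token kept as a repository secret.
      #   - run: |
      #       poetry config pypi-token.pypi ${{ secrets.PYPI_API_TOKEN }}
      #       poetry publish
      # After: the action exchanges a short-lived OIDC token with PyPI;
      # no secret is stored, and the build job never holds the publish right.
      - uses: pypa/gh-action-pypi-publish@<PINNED_SHA>  # placeholder: pin to a release newer than v1.12.4
```

The zizmor pre-commit hook this PR adds runs over files like this one, which is where a missing persist-credentials: false or an overly broad permissions block would be reported before the workflow ever reaches CI.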

run: |
poetry config pypi-token.pypi ${{ secrets.PYPI_API_TOKEN }}
poetry publish
uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
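Review bot: the new pin `uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4` is what the zizmor check below reports as an action with a known vulnerability, and the follow-up commit message says the SHA did not match its tag comment; before merging, confirm that the hash actually resolves to the tag named in the comment and move to a release not affected by GHSA-vxmw-7h4f-hqxh, the advisory that commit cites. Because the removed `poetry config pypi-token.pypi ${{ secrets.PYPI_API_TOKEN }}` step is replaced by OIDC trusted publishing, the job also needs `id-token: write` in its permissions block (the overview says permissions were hardened, but that grant is not visible in this hunk), and the PYPI_API_TOKEN repository secret can be revoked once the new path has published successfully.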

Check notice

Code scanning / zizmor

action has a known vulnerability
Avoid requesting security-events: write on pull_request trigger,
which fails for fork PRs. PR runs use annotations instead of SARIF.
@codecov-commenter

codecov-commenter commented Mar 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.02%. Comparing base (90dfbe6) to head (f49bd59).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #270   +/-   ##
=======================================
  Coverage   97.02%   97.02%           
=======================================
  Files          64       64           
  Lines        1043     1043           
=======================================
  Hits         1012     1012           
  Misses         31       31           


Fixes mismatched SHA pin and addresses critical vulnerability
GHSA-vxmw-7h4f-hqxh in v1.12.4.
@jfagoagas jfagoagas merged commit 3853467 into main Mar 24, 2026
11 checks passed
@jfagoagas jfagoagas deleted the improve-actions-security branch March 24, 2026 08:30