trailofbits · dguido · Jan 9, 2026 · Dec 1, 2025
@@ -5,3 +5,9 @@ updates:
     directory: /
     schedule:
       interval: daily
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+    cooldown:
+      default-days: 7
@@ -13,19 +13,24 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   claude:
+    name: Run Claude Code
     if: |
       (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
       (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
       (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
       (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-      id-token: write
+      contents: read  # Required to checkout the repository
+      pull-requests: read  # Required to read PR comments and details
+      issues: read  # Required to read issue comments and details
+      id-token: write  # Required for OIDC token exchange with Anthropic
     steps:
       - name: Checkout repository
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
@@ -35,7 +40,7 @@ jobs:
 
       - name: Run Claude Code
         id: claude
-        uses: anthropics/claude-code-action@beta
+        uses: anthropics/claude-code-action@a7e4c51380c42dd89b127f5e5f9be7b54020bc6b # v1.0.21
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
 

@@ -9,8 +9,13 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   lint-python:
+    name: Lint Python with Ruff and mypy
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -42,6 +47,7 @@ jobs:
         continue-on-error: true  # TODO: Remove once type annotations are fixed
 
   all-lints-pass:
+    name: All lints pass
     if: always()
     permissions:
       contents: read

@@ -11,8 +11,13 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   pip-audit:
+    name: Scan dependencies with pip-audit
     runs-on: ubuntu-latest
     permissions:
       contents: read

@@ -7,8 +7,13 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
 jobs:
   build-release:
+    name: Build release artifacts
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -36,6 +41,7 @@ jobs:
           path: dist/
 
   publish:
+    name: Publish to PyPI
     runs-on: ubuntu-latest
     environment: release
     permissions:

@@ -12,8 +12,13 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   test:
+    name: Test Python ${{ matrix.python-version }}
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -33,7 +38,9 @@ jobs:
           cache-dependency-glob: "uv.lock"
 
       - name: Set up Python ${{ matrix.python-version }}
-        run: uv python install ${{ matrix.python-version }}
+        env:
+          PYTHON_VERSION: ${{ matrix.python-version }}
+        run: uv python install -- "$PYTHON_VERSION"
 
       - name: Install dependencies
         run: uv sync --extra test
@@ -45,6 +52,7 @@ jobs:
         run: uv run coverage report
 
   all-tests-pass:
+    name: All tests pass
     if: always()
     permissions:
       contents: read