You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Automated GitHub Actions security hardening (zizmor + actionlint +
shellcheck,
plus manual review). Workflow-config only — no application code is
touched.
## Changes
- **Scope down checkout credentials** — `persist-credentials: false` on
the
build checkout. The job (setup-go, golangci-lint, make) does no
downstream
git writes, so leaving the checkout token in `.git/config` is
unnecessary
exposure.
- **Replace workflow-level `read-all` with least privilege** — the
blanket
`read-all` permission becomes `permissions: {}` at the workflow level,
with
the specific scopes granted on the job that needs them (the SARIF upload
path
is preserved).
- **Add a zizmor config + dependabot cooldown** — a `.github/zizmor.yml`
disabling a few cosmetic pedantic rules, plus a 3-day cooldown on each
dependabot ecosystem so brand-new (and potentially compromised)
dependency
releases aren't pulled the instant they ship.
Refs: PSEC-923
0 commit comments