fix(ci): GitHub Actions security hardening#26
Merged
stevebeattie merged 5 commits intoJun 30, 2026
Conversation
Refs: PSEC-923 Generated-By: claude-guard chain 837cd507803cda3a0de103f703e789c2 Skills-Applied: artipacked Skills-Sha: 36911d4e2f59ccbfee841f0e8d648c67358f2092fba22c4a8befb075a27dc6c8 Image-Sha: sha256:b877e51f286d9585633e2b54c4bb6859af5a4f769426bf7ea891becb96f51641
Refs: PSEC-923 Generated-By: claude-guard chain 837cd507803cda3a0de103f703e789c2 Skills-Applied: excessive-permissions Skills-Sha: 36911d4e2f59ccbfee841f0e8d648c67358f2092fba22c4a8befb075a27dc6c8 Image-Sha: sha256:b877e51f286d9585633e2b54c4bb6859af5a4f769426bf7ea891becb96f51641
Refs: PSEC-923 Generated-By: claude-guard chain 837cd507803cda3a0de103f703e789c2 Skills-Applied: ref-version-mismatch Skills-Sha: 36911d4e2f59ccbfee841f0e8d648c67358f2092fba22c4a8befb075a27dc6c8 Image-Sha: sha256:b877e51f286d9585633e2b54c4bb6859af5a4f769426bf7ea891becb96f51641
Refs: PSEC-923 Generated-By: claude-guard chain 837cd507803cda3a0de103f703e789c2 Skills-Applied: zizmor-config Skills-Sha: 36911d4e2f59ccbfee841f0e8d648c67358f2092fba22c4a8befb075a27dc6c8 Image-Sha: sha256:b877e51f286d9585633e2b54c4bb6859af5a4f769426bf7ea891becb96f51641
The workflows pin all external actions to commit SHAs but the repo had no dependabot.yml, so those pins had no automated freshness mechanism and were being bumped by hand. Add dependabot coverage for both the github-actions and terraform ecosystems on a weekly schedule with a 3-day cooldown. The matching dependabot-cooldown threshold (days: 3) is declared in .github/zizmor.yml so zizmor treats the configured cooldown as sufficient. Generated-By: claude-guard
egibs
approved these changes
Jun 30, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR applies a set of GitHub Actions hardening fixes to the workflows in
.github/workflows/, surfaced by static analysis (zizmor / actionlint).What this changes
persist-credentials: falseon checkout steps (documentation.yml,main.yml). Neither job pushes back to the repo, so the auto-persistedGITHUB_TOKENis unnecessary; leaving it in the local git config widens theblast radius of any later step. Explicitly opting out drops the credential
from
.git/config.documentation.yml).Adds a top-level
permissions: {}(deny-all default) and grants thedocsjob only
contents: read, which is all it needs to clone and render docs.hashicorp/setup-terraform(main.yml).The pinned SHA's trailing comment read
# 3.0.0; aligned it to the tag form# v3.0.0so the pin and its human-readable annotation agree..github/zizmor.yml). Adds a small config thatdisables three pedantic, cosmetic-only rules (
anonymous-definition,undocumented-permissions,concurrency-limits) so future scans stay focusedon substantive findings. The existing
zizmor.yamlworkflow'spaths:triggeris extended to include this new file so config changes re-run the scan.
.github/dependabot.yml). The workflows pin everyexternal action to a commit SHA, but the repo had no dependabot config, so the
pins had no automated freshness mechanism and were being bumped by hand. Adds
weekly
github-actionsandterraformupdate coverage with a 3-day cooldown.The matching
dependabot-cooldownthreshold is declared in.github/zizmor.yml.Test plan
zizmor .github/— clean after these changes (the cosmetic rules above aresuppressed via the committed config).
actionlint— workflows still parse with no errors.terraform fmt -check/ validate behavior is unchanged (only checkout andpermissions metadata were touched, not the lint steps).
An independent review of the change set found no blocking issues.
Refs: PSEC-923