docs: Improve the security of the example actions config in the README.#414
Merged
Conversation
17476c0 to
37c473c
Compare
- Recommend using SHA hashes for action versions - Update the example workflow to use latest versions of the actions. - Disable the bundler-cache in the example release workflow to avoid any chance of cache poisoning attacks. - Bump Ruby to latest 4.x - Ensure that the `on: push` trigger only triggers on tags, to avoid accidentally pushing a gem on every push to any branch in the repository. This resolves various zizmor warnings that otherwise occur when using this example config, and so will hopefully make new gem release workflows more secure by default.
Still don't cache them as that opens us up to cache poisoning, but do install them.
hsbt
added a commit
to connorshea/configure-rubygems-credentials
that referenced
this pull request
Jun 15, 2026
check-dist.yml ignores '**.md', so a docs-only PR never triggers it and the required `check-dist` status stays pending forever (e.g. rubygems#414). This companion runs on the complementary '**.md' path filter with a job named `check-dist`, reporting that required context as success. When a PR touches both .md and non-.md files, the real check-dist and this companion both produce a `check-dist` run. That is fine: GitHub fails the required context if any run fails, so the real check-dist stays authoritative. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR updates the configuration example in the README with various security improvements:
on: pushtrigger only triggers on tags, to avoid accidentally pushing a gem on every push to any branch in the repository.This resolves various zizmor warnings that would otherwise occur when using this example config, and will hopefully make new gem release workflows more secure by default.