ci: pin actions workflow step hashes and use minimum permissions #2246

Merged: zimeg merged 2 commits into main from ci-audit on May 21, 2025


@zimeg zimeg commented May 20, 2025

Summary

This PR uses the wonderful zizmor tool to audit our own workflows and pinact for pinned versioning 👾

Reviewers

A similar audit can be performed with the zizmor tool:

$ zizmor .
...
No findings to report. Good job! (3 suppressed)

The suppressed findings are expected permission blocks at the top-level of a workflow, but we set this for each job.

Requirements

@zimeg zimeg self-assigned this May 20, 2025
@zimeg zimeg added the security, dependencies, and github_actions labels May 20, 2025
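
What this kind of audit enforces, as an added example that is not part of this PR or the project's workflows: a small Python check that flags `uses:` references not pinned to a full commit SHA and jobs without their own `permissions:` block. The sample workflow, its made-up SHA, and the `audit_workflow` helper are constructed for illustration; the line-based parsing assumes two-space block-style YAML and does not reproduce zizmor's or pinact's own checks.

```python
import re

SHA_PIN = re.compile(r"@[0-9a-f]{40}$")         # full commit SHA, not a tag or branch
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
JOB = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")   # job id, two-space indent under jobs:
JOB_PERMS = re.compile(r"^    permissions:")     # job-level key, four-space indent

# Constructed workflow; the 40-hex ref is a made-up SHA, not a real commit.
SAMPLE = """\
name: ci
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # constructed
      - uses: actions/setup-node@v4
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: ./.github/actions/local
      - run: npm publish
"""

def audit_workflow(text):
    """Return sorted (line, job, message) findings. Assumes block-style YAML
    with two-space indentation; this is a sketch, not a YAML parser."""
    findings, perms, in_jobs, job = [], {}, False, None
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                             # blank or comment line
        if not line[0].isspace():                # top-level key starts or ends jobs:
            in_jobs, job = line.startswith("jobs:"), None
        elif in_jobs and JOB.match(line):
            job = JOB.match(line).group(1)
            perms[job] = [no, False]
        elif job and JOB_PERMS.match(line):
            perms[job][1] = True
        elif job and USES.match(line):
            ref = USES.match(line).group(1).strip("'\"")
            if ref.startswith("./"):             # local action, versioned with the repo
                continue
            pinned = "@sha256:" in ref if ref.startswith("docker://") else SHA_PIN.search(ref)
            if not pinned:
                findings.append((no, job, f"unpinned: {ref}"))
    findings += [(no, j, "no job-level permissions") for j, (no, ok) in perms.items() if not ok]
    return sorted(findings)
```

On the constructed sample, `audit_workflow(SAMPLE)` reports the tag-pinned `actions/setup-node@v4` step and the `publish` job that has no `permissions:` block of its own.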

codecov Bot commented May 20, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.67%. Comparing base (96d53df) to head (7afbfd0).

✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2246   +/-   ##
=======================================
  Coverage   92.67%   92.67%           
=======================================
  Files          38       38           
  Lines       10554    10554           
  Branches      682      682           
=======================================
  Hits         9781     9781           
  Misses        761      761           
  Partials       12       12           
Flag Coverage Δ
cli-hooks 95.23% <ø> (ø)
cli-test 94.76% <ø> (ø)
oauth 77.39% <ø> (ø)
socket-mode 61.82% <ø> (ø)
web-api 97.95% <ø> (ø)
webhook 96.65% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.


zimeg commented May 21, 2025

@WilliamBergamin Thanks for reviewing these changes once more 👾 ✨

I am going to merge this PR and check out a few unrelated dependencies that might also need updating elsewhere 🙏

@zimeg zimeg merged commit d0e1009 into main May 21, 2025
55 checks passed
@zimeg zimeg deleted the ci-audit branch May 21, 2025 00:29