CI hardening: drop persisted checkout credential in lint workflow#35
Merged
stevebeattie merged 3 commits into Jun 26, 2026
Refs: PSEC-923
Generated-By: claude-guard chain b76b1bae11938b020aa6efb7c6301236
Skills-Applied: ref-version-mismatch
Skills-Sha: e807467ba50afb365a042ab4ad88b49c0ad4a4644ff06e0396a2116307be8ac3
Image-Sha: sha256:7263f9b592131d79316129974effb2efc6a19a2cfea7c2c4dd445664550901bb

Refs: PSEC-923
Generated-By: claude-guard chain b76b1bae11938b020aa6efb7c6301236
Skills-Applied: artipacked
Skills-Sha: e807467ba50afb365a042ab4ad88b49c0ad4a4644ff06e0396a2116307be8ac3
Image-Sha: sha256:7263f9b592131d79316129974effb2efc6a19a2cfea7c2c4dd445664550901bb

Refs: PSEC-923
Generated-By: claude-guard chain b76b1bae11938b020aa6efb7c6301236
Skills-Applied: zizmor-config
Skills-Sha: e807467ba50afb365a042ab4ad88b49c0ad4a4644ff06e0396a2116307be8ac3
Image-Sha: sha256:7263f9b592131d79316129974effb2efc6a19a2cfea7c2c4dd445664550901bb
Summary

Small GitHub Actions security-hardening changes to `lint.yaml`, surfaced by a `zizmor` audit of `.github/`. No behavioral change to the lint job.

Changes

- `.github/workflows/lint.yaml` — set `persist-credentials: false` on the `actions/checkout` step. The job only runs `setup-python` and `pre-commit`, with no git writes, so the checkout has no reason to leave the `GITHUB_TOKEN` in the local git config where later steps could read it. This closes the `artipacked` credential-persistence finding.
- `.github/workflows/lint.yaml` — normalize the checkout pin's version comment from `# ratchet:actions/checkout@v4.2.2` to `# v4.2.2`, matching the plain `# vX.Y.Z` convention used by every other pin in the repo. The SHA is unchanged (it is exactly v4.2.2); this only tidies the lone non-standard annotation.
- `.github/zizmor.yml` (new) — disable the cosmetic pedantic-persona rule `concurrency-limits`, with the zizmor workflow's `paths:` triggers extended to include the new config so edits to it re-run the check.

Testing

- `zizmor` (whole repo): no findings after the change.
- `actionlint`: clean.
- main; all workflows still parse.

Refs: PSEC-923
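To show what the `artipacked` finding looks for, here is an added example (not code from this PR or from zizmor): a dependency-free scanner that flags `actions/checkout` steps which keep the default `persist-credentials: true`, run over a constructed before/after copy of the lint job. The sample YAML, its step layout and the `v4.2.2` pin shown are assumptions; it only understands the usual `- uses:` line followed by an indented `with:` block.

```python
import re

# Constructed sample workflows (not the repository's real lint.yaml):
# the checkout step before and after the hardening change.
BEFORE = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4.2.2
      - uses: actions/setup-python@v5
      - run: pre-commit run --all-files
"""

AFTER = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - uses: actions/setup-python@v5
      - run: pre-commit run --all-files
"""

CHECKOUT = re.compile(r"^(\s*)-\s*uses:\s*actions/checkout@")
PERSIST_OFF = re.compile(r"""^\s*persist-credentials:\s*['"]?false['"]?\s*(#.*)?$""")


def checkout_findings(workflow_text: str) -> list[int]:
    """Return 1-based line numbers of actions/checkout steps that do not set
    persist-credentials: false, i.e. leave GITHUB_TOKEN in the checked-out
    repo's .git/config where every later step in the job can read it."""
    lines = workflow_text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        m = CHECKOUT.match(line)
        if not m:
            continue
        step_indent = len(m.group(1))
        hardened = False
        # Every non-blank line indented deeper than the "- " belongs to this step.
        for follow in lines[idx + 1:]:
            if follow.strip() and len(follow) - len(follow.lstrip()) <= step_indent:
                break
            if PERSIST_OFF.match(follow):
                hardened = True
                break
        if not hardened:
            findings.append(idx + 1)
    return findings


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, "->", checkout_findings(text) or "no findings")
```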