From 168229c7714e01e7e75036aea71ac1b22d1ad096 Mon Sep 17 00:00:00 2001
From: Steve Beattie
Date: Thu, 25 Jun 2026 17:23:55 -0700
Subject: [PATCH 1/3] fix(ci): add version comment to checkout pin in lint workflow

Refs: PSEC-923
Generated-By: claude-guard chain b76b1bae11938b020aa6efb7c6301236
Skills-Applied: ref-version-mismatch
Skills-Sha: e807467ba50afb365a042ab4ad88b49c0ad4a4644ff06e0396a2116307be8ac3
Image-Sha: sha256:7263f9b592131d79316129974effb2efc6a19a2cfea7c2c4dd445664550901bb
---
.github/workflows/lint.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index d55bcb6..2de96c2 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -21,7 +21,7 @@ jobs:
with:
egress-policy: audit
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4.2.2
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
# Unroll pre-commit/actions as currently it references actions/cache without a by-digest pin
# https://github.com/pre-commit/pre-commit/issues/3672

From 2ed7e1be41ea9b938620c1ccd1a57c8713b11409 Mon Sep 17 00:00:00 2001
From: Steve Beattie
Date: Thu, 25 Jun 2026 17:24:01 -0700
Subject: [PATCH 2/3] fix(ci): set persist-credentials false on checkout in lint workflow

Refs: PSEC-923
Generated-By: claude-guard chain b76b1bae11938b020aa6efb7c6301236
Skills-Applied: artipacked
Skills-Sha: e807467ba50afb365a042ab4ad88b49c0ad4a4644ff06e0396a2116307be8ac3
Image-Sha: sha256:7263f9b592131d79316129974effb2efc6a19a2cfea7c2c4dd445664550901bb
---
.github/workflows/lint.yaml | 2 ++
1 file changed, 2 insertions(+)

diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 2de96c2..a0bc7cd 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
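Review bot: Dropping the `ratchet:` prefix from the checkout pin comment on the `+` line removes the marker that sethvargo/ratchet uses to locate and re-resolve this pin, so if ratchet is still run anywhere in this repository the line will silently stop receiving upgrades; confirm ratchet is no longer in use before normalizing the comment style. The comment is annotation only and nothing visible in CI verifies it, so the assurance still rests on the SHA `11bd71901bbe5b1630ceea73d27597364c9af683`; it would help to state in the commit message how the `# v4.2.2` tag was confirmed to resolve to that SHA, since a stale or wrong annotation is exactly what a ref-version-mismatch audit exists to catch. The `setup-python` pin directly below already uses the bare `# vX.Y.Z` form, which is presumably the form the audit named in the trailer expects.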
@@ -22,6 +22,8 @@ jobs:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
# Unroll pre-commit/actions as currently it references actions/cache without a by-digest pin
# https://github.com/pre-commit/pre-commit/issues/3672

From ba606714f1e4c86197867c9466ec551ca613a6ce Mon Sep 17 00:00:00 2001
From: Steve Beattie
Date: Thu, 25 Jun 2026 17:24:07 -0700
Subject: [PATCH 3/3] fix(ci): suppress cosmetic concurrency-limits rule via zizmor config

Refs: PSEC-923
Generated-By: claude-guard chain b76b1bae11938b020aa6efb7c6301236
Skills-Applied: zizmor-config
Skills-Sha: e807467ba50afb365a042ab4ad88b49c0ad4a4644ff06e0396a2116307be8ac3
Image-Sha: sha256:7263f9b592131d79316129974effb2efc6a19a2cfea7c2c4dd445664550901bb
---
.github/workflows/zizmor.yaml | 2 ++
.github/zizmor.yml | 5 +++++
2 files changed, 7 insertions(+)
create mode 100644 .github/zizmor.yml

diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
index ea7a039..4d0ad6a 100644
--- a/.github/workflows/zizmor.yaml
+++ b/.github/workflows/zizmor.yaml
@@ -9,11 +9,13 @@ on:
paths:
- '.github/workflows/**'
- '.github/actions/**'
+ - '.github/zizmor.yml'
push:
branches: ['main']
paths:
- '.github/workflows/**'
- '.github/actions/**'
+ - '.github/zizmor.yml'
permissions: {}

diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..8d11825
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+ # Cosmetic pedantic-only finding (zizmor concurrency-limits) — low
+ # security value; suppressed at the repo level per campaign convention.
+ concurrency-limits:
+ disable: true
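Review bot: The added `persist-credentials: false` block carries no comment saying why credentials are being dropped, which is the first thing the next maintainer will want when adding a step that pushes; suggest `# keep GITHUB_TOKEN out of .git/config; no later step in this job needs git credentials` above the `with:` line, assuming that holds for the unrolled pre-commit steps that follow (they start outside the hunk). The context line above the change shows harden-runner running with `egress-policy: audit`, which only records outbound connections rather than constraining them; for a lint job whose destinations are few and known, `egress-policy: block` with an explicit allowlist is the stronger setting and the natural complement to closing the on-disk persistence path that the artipacked finding in the trailer refers to. The job's `permissions:` block is outside the hunk, so whether it is already reduced to `contents: read` cannot be confirmed here.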
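Review bot: Adding `.github/zizmor.yml` to both `paths:` filters is correct, but it also means a pull request that weakens the suppression file now runs zizmor under the weakened configuration and reports clean; the remaining control is human review of that file, so consider a CODEOWNERS entry for `.github/zizmor.yml` if the repository uses required reviewers. Whether the zizmor step actually loads the file cannot be seen from this hunk — if the invocation (outside the hunk) is given a path other than the repository root, check that the config is still discovered or pass it explicitly with `--config`. The enclosing `on:` block starts outside the hunk.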
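Review bot: `disable: true` switches `concurrency-limits` off for every workflow in the repository, present and future, and nothing in the file records which workflow produced the finding or which zizmor version was run, so the suppression cannot be revisited without re-running the audit from scratch. If the finding is pedantic-only as the comment states, a narrower suppression scoped to the triggering workflow(s) via the rule's `ignore:` list keeps the rule live for new workflows; at minimum extend the comment with the triggering workflow name, the zizmor version, and the ticket (`PSEC-923` from the trailer) so the entry has an owner and an expiry. Style: the file has no `---` document start, and it uses a `.yml` extension while the workflows in this series use `.yaml`; if the extension is dictated by zizmor's discovery path, as seems likely, say so in the comment.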