Merged
Conversation
- Fix bot-conditions in dependabot-auto-merge.yml: use verified github.event.pull_request.user.login instead of spoofable github.actor - Suppress dangerous-triggers in ai-labeler.yml, labeler.yml, and sensitive-change-gate.yml: pull_request_target is required for write access to PRs from forks; none of these workflows check out or execute PR code - Suppress cache-poisoning in release.yml: GitHub Actions caches are branch-isolated so fork PRs cannot write to the cache used by tag-push workflows
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…e-env
- security.yml: set permissions: {} at workflow level and scope per job
- test.yml: suppress secrets-outside-env for skill-eval job (fork PRs
don't receive secrets so untrusted code can't access the key;
environment protection would block PR-triggered runs)
Increase default-days to 10 for all ecosystem entries to give a 10-day waiting period after version publication before dependabot proposes it.
Add lint-actions job near the existing lint job in test.yml, running actionlint and zizmor to keep GitHub Actions workflows audited in CI.
Sensitive Change Detection (shadow mode)This PR modifies control-plane files:
|
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
Pull request overview
Tip
If you aren't ready for review, convert to a draft PR.
Click "Convert to draft" or run gh pr ready --undo.
Click "Ready for review" or run gh pr ready to reengage.
This PR hardens the repository’s GitHub Actions CI/CD surface by pinning action references, tightening checkout credentials, adding workflow auditing, and reducing default token permissions (partially) to address zizmor findings.
Changes:
- Pin more GitHub Actions uses to SHAs (with version comments) and set
persist-credentials: falseon checkouts. - Add CI auditing in
test.ymlviaactionlint+zizmor. - Shift
security.ymlto workflow-levelpermissions: {}with explicit per-job permissions; update Dependabot cooldown and auto-merge gating.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/test.yml |
Pins actions, disables persisted checkout credentials across jobs, adds lint-actions job to run actionlint and zizmor. |
.github/workflows/sensitive-change-gate.yml |
Documents/acknowledges pull_request_target risk with a zizmor ignore rationale. |
.github/workflows/security.yml |
Sets workflow permissions to {} and grants least-privilege per job; pins actions and disables persisted checkout credentials. |
.github/workflows/scorecard.yml |
Pins checkout and SARIF upload action; keeps Scorecard job permissions configuration. |
.github/workflows/release.yml |
Pins actions, disables persisted checkout credentials, and adds zizmor ignore annotations for cache-poisoning findings. |
.github/workflows/labeler.yml |
Adds zizmor ignore rationale for pull_request_target usage. |
.github/workflows/dependabot-auto-merge.yml |
Tightens gating condition to ensure the PR author is Dependabot; pins metadata action. |
.github/workflows/ai-labeler.yml |
Adds zizmor ignore rationale for pull_request_target usage. |
.github/dependabot.yml |
Increases default Dependabot cooldown to 10 days for configured ecosystems. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Replace overly broad workflow-level permissions blocks with `permissions: {}`
and move permissions to per-job scope, following least-privilege principle.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 10 out of 10 changed files in this pull request and generated no new comments.
Comments suppressed due to low confidence (1)
.github/workflows/release.yml:311
- The
actions/create-github-app-tokenstep insync-skillsis pinned to the same SHA as the earliersdk-tokenstep (commented asv3.0.0), but here the version comment still says# v2. This is misleading for audits/updates; please align the version comment with the actual release for that SHA (or update the SHA/comment pair consistently).
persist-credentials: false
- name: Generate token for skills repo
id: skills-token
uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…d local workflow lint - Dependabot auto-merge: require both github.actor and user.login checks to prevent human-triggered events from re-entering the approve/merge path - test.yml: deny-all at workflow level, explicit contents:read per job (consistent with the pattern established in all other workflow files) - Makefile: add lint-actions target (actionlint + zizmor) wired into check, fail hard when tools are missing with cross-platform install hints - make tools: install actionlint via go install, zizmor via brew/pacman - bin/setup: full tool provisioning including workflow linters
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 11 out of 12 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
jeremy
reviewed
Mar 20, 2026
| auto-merge: | ||
| runs-on: ubuntu-latest | ||
| if: github.actor == 'dependabot[bot]' | ||
| if: github.event.pull_request.user.login == 'dependabot[bot]' |
Member
There was a problem hiding this comment.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
permissions: {}at workflow levelTest plan
zizmor .Summary by cubic
Hardened GitHub Actions by pinning actions to SHAs, enforcing deny-all with per-job least-privilege, and adding workflow linting. Also fixed shell quoting to eliminate SC2086 issues and corrected version comments on pinned actions.
Refactors
permissions: {}at workflow level and granted per-job minimal permissions (e.g.,labeler,dependabot-auto-merge,security).persist-credentials: falseto allactions/checkoutsteps.pull_request_targetand cache exceptions withzizmorsuppressions; no PR code is checked out or executed in those jobs.actionlintandzizmoron workflows.github.event.pull_request.user.login == 'dependabot[bot]'.Dependencies
actions/checkoutv6.0.2,github/codeql-actionv4.32.6,golangci/golangci-lint-actionv9.2.0,dependabot/fetch-metadatav2.5.0,actions/create-github-app-tokenv3.0.0).Written for commit 69207e2. Summary will update on new commits.