Skip to content

Harden GitHub actions #424

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
flavorjones merged 7 commits into from
May 27, 2026
Merged

Harden GitHub actions #424

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
cccfef0
Add GitHub Actions audit job to CI
flavorjones May 27, 2026
c35243b
Configure Dependabot for bundler and github-actions
flavorjones May 27, 2026
ae5250f
Pin GitHub Actions to SHA hashes
flavorjones May 27, 2026
485fa8a
Harden workflow permissions and checkout credentials
flavorjones May 27, 2026
46f2b22
Suppress SC2086 on RubyGems update step
flavorjones May 27, 2026
2779341
Prevent duplicate action runs on pull requests
flavorjones May 27, 2026
5f276ba
Pin actions/checkout consistently
flavorjones May 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 22 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
version: 2
updates:
- package-ecosystem: bundler
directory: "/"
schedule:
interval: weekly
cooldown:
semver-major-days: 7
semver-minor-days: 3
semver-patch-days: 2
default-days: 7

- package-ecosystem: github-actions
directory: "/"
groups:
github-actions:
patterns:
- "*"
schedule:
interval: weekly
cooldown:
default-days: 7
44 changes: 39 additions & 5 deletions .github/workflows/ruby.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,18 @@
name: CI

on: [ push, pull_request ]
on:
push:
branches: [ master ]
pull_request:
types: [ opened, synchronize ]
Comment thread
flavorjones marked this conversation as resolved.

permissions: {}

jobs:
tests:
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
fail-fast: false
matrix:
Expand All @@ -25,15 +33,18 @@ jobs:
rubygems_version: '3.6.9'
name: Ruby ${{ matrix.ruby }}
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
with:
persist-credentials: false
Comment thread
flavorjones marked this conversation as resolved.
- name: Set up Ruby
uses: ruby/setup-ruby@v1
uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
with:
ruby-version: ${{ matrix.ruby }}
- name: Update RubyGems
env:
RUBYGEMS_VERSION: ${{ matrix.rubygems_version }}
run: |
# shellcheck disable=SC2086 # empty version is intentional: no arg means update to latest
gem update --system ${RUBYGEMS_VERSION:-}
gem -v
- name: Install dependencies
Expand All @@ -44,13 +55,36 @@ jobs:
# rubocop linting
rubocop:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
with:
persist-credentials: false
Comment thread
flavorjones marked this conversation as resolved.
- name: Set up Ruby
uses: ruby/setup-ruby@v1
uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
with:
ruby-version: 2.7
- name: Install dependencies
run: bundle install --jobs 4 --retry 3
- name: Run rubocop
run: bundle exec rubocop --parallel

lint-actions:
name: GitHub Actions audit
runs-on: ubuntu-latest
permissions:
contents: read

steps:
- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
Copy link
Copy Markdown

@connorshea connorshea May 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

any reason to keep it on 2.7 rather than updating to v6?

Copy link
Copy Markdown
Member Author

@flavorjones flavorjones May 27, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No reason other than trying to keep it consistent with the previous @v2 tag used everywhere else. Dependabot will update it when it runs and then we should be all up-to-date with a separate PR that updates the versions.

with:
persist-credentials: false

- name: Run actionlint
uses: rhysd/actionlint@393031adb9afb225ee52ae2ccd7a5af5525e03e8 # v1.7.11

- name: Run zizmor
uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
with:
advanced-security: false
Loading