[ci] remove codecov, enforce zizmor checks#266

Merged: jameslamb merged 6 commits into main from misc-security-fixes on Apr 14, 2026

Conversation

@jameslamb

Collaborator

Proposes a batch of security fixes:

  • removes codecov (I'll click the buttons to revoke the app's access once this is merged)
  • enforces zizmor checks

Notes for Reviewers

I also made some manual changes at https://github.com/uptake/uptasticsearch/settings/actions

  • only allow third-party actions matching an allowlist in the repo's settings
  • default all workflow permissions to read-only
  • require approval for CI to run for first-time contributors

@jameslamb jameslamb added the maintenance miscellaneous maintenance label Apr 7, 2026
@jameslamb

Collaborator Author

Ok, other than the known issue from #265, this is working.

@jameslamb jameslamb marked this pull request as ready for review April 7, 2026 03:49
@jameslamb jameslamb requested a review from austin3dickey as a code owner April 7, 2026 03:49

@austin3dickey austin3dickey left a comment

Collaborator

Looks awesome, thank you! TIL zizmor

Comment thread .github/workflows/ci.yml
- uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
- name: set up R
uses: r-lib/actions/setup-r@v2
uses: &setup_r r-lib/actions/setup-r@6f6e5bc62fba3a704f74e7ad7ef7676c5c6a2590 # v2.11.4
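Review bot: the `&setup_r` anchor on the pinned `r-lib/actions/setup-r@6f6e5bc62fba3a704f74e7ad7ef7676c5c6a2590 # v2.11.4` line only pays off if the other `uses:` steps in this workflow dereference it with `*setup_r`; otherwise they stay on the floating `@v2` tag that this line replaces and the pin covers a single step. Keep the trailing `# v2.11.4` comment alongside the SHA as done here (and on the `pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1` line): it is what makes a full-SHA pin reviewable by humans, and it is the form zizmor's unpinned-uses audit is satisfied by.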

Collaborator

oooh this is a great idea! I'll probably steal this for other workflows!

@jameslamb

Collaborator Author

> TIL zizmor

Thanks for looking, yeah it's great!

It's taught me new things about how GitHub Actions works and it's really well-done. I want to use it in every repo I use GitHub Actions in.

@jameslamb jameslamb merged commit 12ca139 into main Apr 14, 2026
13 of 15 checks passed
@jameslamb jameslamb deleted the misc-security-fixes branch April 14, 2026 02:15
@jameslamb

Collaborator Author

Looks like I don't have permissions to deactivate the project at https://app.codecov.io/gh/uptake/uptasticsearch

But that's ok... it isn't installed as a GitHub App on the repo. So I think this is done.

Goodbye codecov, it was real while it lasted.
