From 9127d7660743f9e684aa00e12b8b9a96c3e45c0d Mon Sep 17 00:00:00 2001
From: Claude
Date: Wed, 3 Jun 2026 22:21:07 +0000
Subject: [PATCH 1/2] Harden GitHub Actions workflows per zizmor findings

- Pin all actions to commit SHAs (unpinned-uses)
- Add top-level 'permissions: contents: read' to ci.yml (excessive-permissions)
- Set 'persist-credentials: false' on remaining checkouts in ci.yml (artipacked)
- Fix stale version comments on checkout pins in wheel-builder.yml (SHA df4cb1c0 is v6.0.3, not v4.2.2)

https://claude.ai/code/session_0148cM5JsZTs8shcQDfnwxc6
---
 .github/workflows/ci.yml | 30 ++++++++++++++++++-----------
 .github/workflows/lock.yml | 2 +-
 .github/workflows/wheel-builder.yml | 6 +++---
 3 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7a783a72..042bf615 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,4 +1,6 @@
 name: CI
+permissions:
+  contents: read
 on:
   pull_request: {}
   push:
@@ -22,13 +24,15 @@ jobs:
           - macos-latest
     name: "Python ${{ matrix.PYTHON.VERSION }} on ${{ matrix.MACOS }}"
     steps:
-      - uses: actions/checkout@v6.0.3
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
       - name: Setup python
         id: setup-python
-        uses: actions/setup-python@v6.2.0
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ matrix.PYTHON.VERSION }}
-      - uses: actions/cache@v5.0.5
+      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         timeout-minutes: 5
         with:
           path: |
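Review bot: The `# v6.0.3`, `# v6.2.0` and `# v5.0.5` comments beside the new SHA pins are the only human-readable record of what each pin is, and nothing in the diff shows the SHAs were resolved against the upstream tags — the same series fixes a checkout comment that had drifted to `v4.2.2`, which is exactly how a mislabeled pin slips through. Before merging, resolve each tag and compare, e.g. `git ls-remote https://github.com/actions/checkout refs/tags/v6.0.3` should print `df4cb1c069e1874edd31b4311f1884172cec0e10`, and likewise for setup-python and cache. Keeping the version comment accurate also matters operationally, since Dependabot keys off that trailing comment when it bumps a SHA pin and rewrites the label together with it. The enclosing job definition starts before this hunk.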
@@ -55,14 +59,16 @@ jobs:
           - {VERSION: "3.14t", NOXSESSION: "tests"}
     name: "Python ${{ matrix.PYTHON.VERSION }} on ${{ matrix.WINDOWS.WINDOWS }}"
     steps:
-      - uses: actions/checkout@v6.0.3
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
       - name: Setup python
         id: setup-python
-        uses: actions/setup-python@v6.2.0
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ matrix.PYTHON.VERSION }}
           architecture: ${{ matrix.WINDOWS.ARCH }}
-      - uses: actions/cache@v5.0.5
+      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         timeout-minutes: 5
         with:
           path: |
@@ -98,13 +104,15 @@ jobs:
           - {VERSION: "3.13", NOXSESSION: "tests", RUST_VERSION: "nightly"}
     name: "${{ matrix.PYTHON.VERSION }} on linux, Rust ${{ matrix.PYTHON.RUST_VERSION || 'stable' }}"
     steps:
-      - uses: actions/checkout@v6.0.3
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
       - name: Setup python
         id: setup-python
-        uses: actions/setup-python@v6.2.0
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ matrix.PYTHON.VERSION }}
-      - uses: actions/cache@v5.0.5
+      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         timeout-minutes: 5
         with:
           path: |
@@ -147,7 +155,7 @@ jobs:
           # is installed in the container (which it is)
           sed -i "s:ID=alpine:ID=NotpineForGHA:" /etc/os-release
         if: matrix.IMAGE.IMAGE == 'alpine:aarch64'
-      - uses: actions/checkout@v6.0.3
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
       - run: /venv/bin/pip install nox
@@ -168,7 +176,7 @@ jobs:
           - {IMAGE: "ubuntu-rolling:armv7l", NOXSESSION: "tests", RUNNER: "ubuntu-24.04-arm"}
     name: "${{ matrix.IMAGE.NOXSESSION }} on ${{ matrix.IMAGE.IMAGE }}"
     steps:
-      - uses: actions/checkout@v6.0.3
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
       - run: /venv/bin/pip install nox
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index 2f6734a8..58688d63 100644
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -10,7 +10,7 @@ jobs:
   lock:
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@v6
+      - uses: dessant/lock-threads@89ae32b08ed1a541efecbab17912962a5e38981c # v6.0.2
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           issue-inactive-days: 90
diff --git a/.github/workflows/wheel-builder.yml b/.github/workflows/wheel-builder.yml
index a2dd37bd..20ab2fa7 100644
--- a/.github/workflows/wheel-builder.yml
+++ b/.github/workflows/wheel-builder.yml
@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     name: sdists
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4.2.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           # The tag to build or the tag received by the tag event
           ref: ${{ github.event.inputs.version || github.ref }}
@@ -140,7 +140,7 @@ jobs:
             BIN_PATH: '/Library/Frameworks/PythonT.framework/Versions/3.14/bin/python3.14t'
     name: "Python ${{ matrix.PYTHON.VERSION }} ${{ matrix.PYTHON.ABI_VERSION }} on macOS"
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4.2.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           # The tag to build or the tag received by the tag event
           ref: ${{ github.event.inputs.version || github.ref }}
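Review bot: The `lock` job still runs with whatever the repository's default `GITHUB_TOKEN` permissions are; the commit message says the top-level `permissions: contents: read` went only into ci.yml, and nothing in this hunk scopes the token handed to `dessant/lock-threads` via `github-token`. Since the action only needs to lock issues and pull requests, declare exactly that on the job — `permissions:` / `  issues: write` / `  pull-requests: write` under `lock:` — so a compromised or mis-pinned action version cannot use the token for anything else. Pinning to `89ae32b0… # v6.0.2` instead of the floating `@v6` is a real improvement and worth keeping. The top of the workflow is outside this hunk, so I cannot confirm whether a permissions block already exists above `jobs:`.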
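Review bot: Relabeling the checkout pin from `# v4.2.2` to `# v6.0.3` removes a contradiction, but the diff offers no evidence of which label was right; the same SHA is now labeled v6.0.3 in ci.yml as well, so if the label is wrong it is now wrong consistently. Confirm with `git ls-remote https://github.com/actions/checkout refs/tags/v6.0.3` before merging, because the comment is the only thing a reader uses to judge what behaviour the pin carries. Separately, the `with:` block shown here sets only `ref:`; unless `persist-credentials: false` appears further down, this release checkout still leaves the token in `.git/config` while the ci.yml checkouts in this same commit no longer do — worth adding for consistency. The `with:` block continues past the end of the hunk, so that may already be handled.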
@@ -209,7 +209,7 @@ jobs:
         with:
           name: bcrypt-sdist
       - name: Setup python
-        uses: actions/setup-python@v6.2.0
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ matrix.PYTHON.VERSION }}
           architecture: ${{ matrix.WINDOWS.ARCH }}

From 2f1476c3de73369d34877a3d623727644f769049 Mon Sep 17 00:00:00 2001
From: Claude
Date: Wed, 3 Jun 2026 22:22:24 +0000
Subject: [PATCH 2/2] Add 7-day dependabot cooldown for GitHub Actions updates

https://claude.ai/code/session_0148cM5JsZTs8shcQDfnwxc6
---
 .github/dependabot.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 33faa14c..c0e9c007 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,6 +4,8 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
     open-pull-requests-limit: 1024
   - package-ecosystem: cargo
     directory: "/src/_bcrypt/"
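Review bot: The `cooldown` block is added only to the first `updates:` entry, so the 7-day delay covers GitHub Actions alone; the `cargo` entry visible at the bottom of the hunk (and any other ecosystems in the file) keep picking up new releases immediately. If the goal is to avoid consuming a freshly published, possibly compromised release before upstream has had a chance to yank it, crates carry the same exposure, so repeat `cooldown:` / `  default-days: 7` on each entry rather than this one. A one-line comment above the block would also help, since a deliberate delay is not self-explanatory: `# Wait a week before adopting a new release so a yanked or compromised version is caught upstream first`. As I understand the Dependabot docs, cooldown governs version updates only and security updates are not delayed by it, but confirm that against the current documentation before relying on it.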