[SECURITY] Harden GitHub workflows #294
Merged: John McCall (lowlydba) merged 3 commits into main, Apr 9, 2026
Signed-off-by: John McCall <[email protected]>
Pin GitHub Action usages to specific SHAs for reproducible builds and upgrade several actions across deploy-gh-pages.yml and deploy-staging.yml. Move sensitive permissions (pages/id-token/pull-requests) from repo-level to the specific jobs that need them and add per-job contents: read to limit scopes. Add concurrency for staging, and standardize PR URL handling by introducing PR_NUMBER env var used in S3 paths and CloudFront invalidations. These changes improve security, reliability, and clarity of the CI/CD workflows. Signed-off-by: John McCall <[email protected]>
Update .github/workflows/deploy-gh-pages.yml and deploy-staging.yml to expand top-level comments with trigger and job overviews (production: push to main; staging: PRs targeting main) and add run-name entries (Publish prod site / Publish staging site). These edits improve clarity and documentation only—no functional workflow steps were changed. Signed-off-by: John McCall <[email protected]>
Pull request overview
Hardens the repo’s GitHub Actions workflows in response to zizmor findings by tightening permissions and pinning third-party actions, aiming to establish a secure-by-default baseline for CI/CD.
Changes:
- Pinned GitHub Actions to full-length commit SHAs and disabled `persist-credentials` on checkout.
- Scoped `permissions` down to job-level where possible and added PR-level concurrency control for staging deploys.
- Added Dependabot cooldown settings for GitHub Actions updates.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/deploy-staging.yml | Pins actions, scopes permissions per job, adds concurrency, and reduces credential persistence for staging deploys. |
| .github/workflows/deploy-gh-pages.yml | Pins actions and moves Pages/OIDC permissions to the deploy job for production Pages deployments. |
| .github/dependabot.yml | Adds a Dependabot cooldown window for GitHub Actions dependency updates. |
Alex Iannicelli (atiannicelli) approved these changes, Apr 9, 2026
Harden GitHub workflows against findings from zizmor static analysis.
Once fixed, the new OMF Security Checks workflow will be required for PRs here, keeping a stable baseline of GH Actions secure-by-default.
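As an added illustration, not the project's own workflow file, here is a staging deploy workflow shaped like the one the commit messages describe: empty workflow-level permissions with per-job scopes, PR-level concurrency, a single PR_NUMBER env var feeding the S3 path and CloudFront invalidation, and SHA-pinned actions with persist-credentials disabled. The action SHAs, IAM role, bucket and distribution ID are placeholders.

```yaml
# Added example, not the project's file. Action SHAs, the IAM role, the
# bucket and the distribution ID are PLACEHOLDERS; substitute real values.
name: Publish staging site
run-name: Publish staging site
on:
  pull_request:
    branches: [main]
# Grant nothing at workflow level; each job requests only what it needs.
permissions: {}
# One in-flight deploy per PR; a newer push cancels the stale run.
concurrency:
  group: staging-${{ github.event.pull_request.number }}
  cancel-in-progress: true
env:
  # Single source of truth for the PR number used in S3 paths and invalidations.
  PR_NUMBER: ${{ github.event.pull_request.number }}
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Pin to a full 40-hex commit SHA and keep the tag as a comment so
      # Dependabot can still propose upgrades. PLACEHOLDER SHA below.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z
        with:
          persist-credentials: false  # don't leave GITHUB_TOKEN in .git/config
      - run: npm ci && npm run build
      - uses: actions/upload-artifact@0000000000000000000000000000000000000000 # vX.Y.Z
        with: { name: site, path: dist }
  deploy:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write       # only this job mints the OIDC token for AWS
      pull-requests: write  # only this job posts the preview-URL comment
    steps:
      - uses: actions/download-artifact@0000000000000000000000000000000000000000 # vX.Y.Z
        with: { name: site, path: dist }
      - uses: aws-actions/configure-aws-credentials@0000000000000000000000000000000000000000 # vX.Y.Z
        with:
          role-to-assume: arn:aws:iam::000000000000:role/EXAMPLE-staging-deploy
          aws-region: us-east-1
      - run: |
          aws s3 sync dist "s3://EXAMPLE-BUCKET/pr-${PR_NUMBER}/" --delete
          aws cloudfront create-invalidation --distribution-id EXAMPLE_DIST_ID --paths "/pr-${PR_NUMBER}/*"
```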