
CI: Harden GHA configuration#308


Merged: dstansby merged 5 commits into matplotlib:main from tacaswell:harden_gha on Jul 20, 2025

Conversation

@tacaswell (Member)

Apply recommended hardening steps including:

  • pinning to a SHA any actions used
  • not persisting the read token on checkout
  • setting the default permissions
  • adding a dependabot file for GHA

This eliminates the possibility of a tag being changed under us.

May include:
  • Avoids risky string interpolation.
  • Prevents checkout permissions from leaking.
Reduces risk of arbitrary code being run by an attacker.
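The four hardening steps listed above, shown as an added example that is not part of the matplotlib PR itself: a weak workflow beside its hardened form, plus the Dependabot file that keeps the pins fresh. The all-zero SHA is a placeholder for the real 40-character commit, and the job contents are assumed for illustration.

```yaml
# --- .github/workflows/ci.yml, BEFORE: weak configuration ---
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # floating tag: can be re-pointed at new code later
      # the checkout token stays in .git/config for later steps, and GITHUB_TOKEN
      # keeps the repository's default (broad) permissions
      - run: echo "Title: ${{ github.event.pull_request.title }}"  # untrusted input interpolated into shell
---
# --- .github/workflows/ci.yml, AFTER: hardened configuration ---
name: ci
on: [push, pull_request]
permissions:
  contents: read                    # least-privilege default for every job's GITHUB_TOKEN
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # PLACEHOLDER SHA (all zeros): replace with the real 40-hex commit of the release you reviewed
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
        with:
          persist-credentials: false  # do not leave the read token in .git/config for later steps
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Title: $PR_TITLE"   # pass untrusted values through env, not string interpolation
---
# --- .github/dependabot.yml: Dependabot opens PRs that bump the pinned SHAs ---
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

The trailing `# v4` comment on the pinned line is what lets Dependabot (and reviewers) see which release a SHA corresponds to.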
@tacaswell (Member, Author)

See matplotlib/matplotlib#30045 but precommit.ci has been disabled at the org level, not sure what else needs to be done to get rid of the check.

@samcunliffe (Collaborator)

precommit.ci has been disabled at the org level, not sure what else needs to be done to get rid of the check

Looks like that worked! pre-commit.ci is one of our required checks, and it hasn't run. So @dstansby (or anyone else with access to repo settings) we just need to switch to requiring the GHA "precommit" added here.

[Screenshot: 2025-07-19 at 11:11:07]

👍 Dependabot will send update PRs updating the SHAs.

samcunliffe added the labels "Maintenance" (Not related to the development of new features), "dependencies" (Pull requests that update a dependency file) and "github actions" (Pull requests that update GitHub Actions code) on Jul 19, 2025
@dstansby (Member)

Thanks for this - I have removed pre-commit.ci as a required build, but for this PR will just bypass the rules and merge instead of trying to remove pre-commit.ci as a required check.

dstansby merged commit 64edb23 into matplotlib:main on Jul 20, 2025
13 checks passed
tacaswell deleted the harden_gha branch on July 21, 2025 15:05
tacaswell restored the harden_gha branch on September 15, 2025 14:54

Reviewers: @samcunliffe approved these changes
