
Conversation

Contributor

@Wenzel Wenzel commented Jan 15, 2026

No description provided.

@Wenzel Wenzel requested a review from Copilot January 15, 2026 10:38

Copilot AI left a comment

Pull request overview

This PR hardens GitHub Actions workflows by adding security configurations and rate limiting. The changes disable credential persistence in checkout actions across all workflows and introduce cooldown periods for Dependabot updates.

Changes:

  • Added persist-credentials: false to all actions/checkout steps to prevent credential leakage
  • Configured 7-day cooldown periods for all Dependabot package ecosystem updates
  • Pinned actions/setup-python to a specific commit hash in the CI workflow

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| .github/workflows/scans.yml | Added persist-credentials: false to 6 checkout action instances |
| .github/workflows/docs.yml | Added persist-credentials: false to checkout action |
| .github/workflows/dependency-review.yml | Added persist-credentials: false to checkout action |
| .github/workflows/codeql.yml | Added persist-credentials: false to checkout action |
| .github/workflows/ci.yml | Added persist-credentials: false to 9 checkout action instances and pinned setup-python version |
| .github/dependabot.yml | Added 7-day cooldown configuration to all 11 package ecosystem update schedules |
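
The two workflow-level changes summarized in the review above (checkout steps carrying `persist-credentials: false`, actions pinned to a commit hash) can be kept from regressing with a small check over the workflow files. This is an added example, not code from the PR or the project; `audit_workflow`, `step_lines` and the sample workflow are hypothetical, and the scan is line-based rather than a YAML parser, so it assumes block-style steps.

```python
import re

# Matches a step's `uses:` key, with or without the leading list dash.
USES = re.compile(r"^(\s*(?:-\s+)?)uses:\s*['\"]?([^\s'\"#]+)")
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")
PERSIST_OFF = re.compile(r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*(#.*)?$")

def step_lines(lines, idx, key_col, starts_step):
    """Return the lines of the step that owns lines[idx] (keys start at key_col)."""
    def inside(line):
        text = line.strip()
        return not text or text.startswith("#") or len(line) - len(line.lstrip()) >= key_col
    start = idx
    while not starts_step and start > 0 and inside(lines[start - 1]):
        start -= 1  # `uses:` was not the first key, so collect earlier keys too
    end = idx + 1
    while end < len(lines) and inside(lines[end]):
        end += 1
    return lines[start:end]

def audit_workflow(text):
    """Return (line_no, action, problem) tuples for one workflow file."""
    findings, lines = [], text.splitlines()
    for idx, line in enumerate(lines):
        m = USES.match(line)
        if not m or m.group(2).startswith(("./", "docker://")):
            continue  # not an action reference, or a local/Docker one
        prefix, action = m.groups()
        if not SHA_PIN.search(action):
            findings.append((idx + 1, action, "not pinned to a full commit SHA"))
        if action.split("@")[0] == "actions/checkout":
            block = step_lines(lines, idx, len(prefix), "-" in prefix)
            if not any(PERSIST_OFF.match(l) for l in block):
                findings.append((idx + 1, action, "persist-credentials is not false"))
    return findings

# Constructed sample workflow; the 40-hex ref is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Checkout (hardened)
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
        with:
          fetch-depth: 0
          persist-credentials: false
      - uses: actions/setup-python@v5
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```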


@Wenzel Wenzel force-pushed the ci/harden_actions branch from 0b09575 to 4ceb856 Compare January 16, 2026 14:23
@Wenzel Wenzel force-pushed the ci/harden_actions branch from 4ceb856 to 14524cd Compare January 16, 2026 17:30
@Wenzel Wenzel merged commit c140cec into intel:main Jan 16, 2026
22 checks passed
@Wenzel Wenzel deleted the ci/harden_actions branch January 16, 2026 21:00