Comparing 08ba1193dde975b1e1e5b0a4de4d4576be865c5c...24fd00bb53f32b3a2dcbeb00c4737f930e21c0ee · github-community-projects/contributors

Commits on Mar 14, 2026

  1. fix: tighten workflow permissions, add security hardening, and fix uv tool invocations (#431)

## What

Move elevated permissions from workflow level to job level across three workflows
(mark-ready-when-ready, scorecard, stale) so each job only holds the permissions it
actually needs. Add step-security/harden-runner to all eight workflows that define steps.
Add CodeQL SAST scanning and dependency-review workflows. Add pre-commit configuration
with gitleaks, formatting hooks, and local linter hooks. Fix Makefile to invoke flake8,
pytest, pylint, and mypy via `uv run python -m` since they lack console script entry
points in the uv venv. Upgrade PyJWT from 2.11.0 to 2.12.1 to address CVE-2026-32597.

## Why

Workflow-level write permissions apply to every job in the workflow, granting broader
access than necessary. Moving them to job level follows the principle of least privilege.
Harden-runner audits outbound network calls from GitHub-hosted runners, improving
supply-chain visibility. CodeQL and dependency-review close gaps in static analysis and
vulnerable-dependency detection. The Makefile commands failed under uv because those
packages don't install console scripts; `python -m` ensures the tools are always found.
PyJWT <= 2.11.0 doesn't validate the RFC 7515 `crit` header parameter (CVSS 7.5).

## Notes

- The `uv run` to `uv run python -m` change also affects CI since python-ci calls `make lint` and `make test`
- `release.yml`, `auto-labeler.yml`, and `pr-title.yml` use reusable workflows at the job level so harden-runner cannot be added there; it must go in the reusable workflow definitions instead
- The scorecard workflow previously used `permissions: read-all` which granted read access to all scopes; now explicitly scoped to only what's needed
- PyJWT is a transitive dependency; verify downstream consumers aren't relying on the old crit-header-ignored behavior

Signed-off-by: jmeridth <jmeridth@gmail.com>

* chore: drop autobuild step of codeql from code review

Signed-off-by: jmeridth <jmeridth@gmail.com>

Signed-off-by: jmeridth <jmeridth@gmail.com>
@jmeridth
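
The `crit` check the commit message refers to, as an added example that is not part of this commit, the project, or PyJWT: a standard-library check of the RFC 7515 section 4.1.11 rules that downstream consumers can run over the headers of tokens they handle. The function names and the `x-tenant` extension are constructed for illustration, and the code inspects headers only; it does not verify signatures.

```python
import base64
import json

# Header parameters defined by RFC 7515 itself; section 4.1.11 forbids listing them in "crit".
JWS_DEFINED = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty", "crit"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_header(token: str) -> dict:
    """Decode the protected header of a compact JWS without verifying the signature."""
    segment = token.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)
    header = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header

def check_crit(header: dict, supported: frozenset = frozenset()) -> None:
    """Raise ValueError when the header's "crit" value requires the token to be rejected."""
    if "crit" not in header:
        return
    crit = header["crit"]
    if not isinstance(crit, list) or not crit or not all(isinstance(n, str) for n in crit):
        raise ValueError('"crit" must be a non-empty array of strings')
    if len(set(crit)) != len(crit):
        raise ValueError('"crit" contains duplicate names')
    for name in crit:
        if name in JWS_DEFINED:
            raise ValueError(f'"crit" lists spec-defined parameter {name!r}')
        if name not in header:
            raise ValueError(f'"crit" lists {name!r}, which is absent from the header')
        if name not in supported:
            raise ValueError(f"unsupported critical extension {name!r}")

def make_token(header: dict) -> str:
    """Constructed sample: compact JWS with a placeholder payload and signature."""
    parts = [json.dumps(header).encode(), b'{"sub":"demo"}', b"sig"]
    return ".".join(b64url(p) for p in parts)

def audit(token: str, supported: frozenset = frozenset()) -> str:
    """Return "ok" or "reject: <reason>" for one token's header."""
    try:
        check_crit(decode_header(token), supported)
        return "ok"
    except ValueError as exc:  # also covers malformed base64 and JSON
        return f"reject: {exc}"
```

A consumer that gets `reject: unsupported critical extension ...` for tokens it currently accepts is relying on the old crit-ignored behavior.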