Skip to content

Harden dependency and workflow posture#318

Open
langsmith-fleet[bot] wants to merge 1 commit into
mainfrom
langster/harden-dependabot-workflows
Open

Harden dependency and workflow posture#318
langsmith-fleet[bot] wants to merge 1 commit into
mainfrom
langster/harden-dependabot-workflows

Conversation

@langsmith-fleet

Copy link
Copy Markdown
Contributor

Summary

  • Add Dependabot coverage for GitHub Actions and uv dependencies
  • Add CodeQL and zizmor workflows for Python and GitHub Actions security scanning
  • Fix the reusable test workflow so the Python version is explicitly passed from CI
  • Fix the release workflow by removing an invalid needs.release-notes reference
  • Expand .gitignore coverage for common local secret files before committing

Validation

  • git diff --check
  • Parsed updated YAML files with Ruby YAML.load_file
  • Verified .gitignore covers .env, .env.*, *.pem, *.key, *.crt, credentials.json, node_modules/, __pycache__/, and .venv
  • Verified no secret-like files were staged before commit

@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

build-mode: none
steps:
- name: Checkout repository
uses: actions/checkout@v6
with:
ref: ${{ github.sha }}
persist-credentials: false
- uses: actions/setup-python@v6
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v6
Comment thread .github/dependabot.yml
- "*"

# Python / uv
- package-ecosystem: "uv"

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4
pip install -e .

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant