ci: apply zizmor recommendations #932

Open
flakey5 wants to merge 4 commits into main from flakey5/20260514/ci

Conversation

@flakey5 (Member) commented May 14, 2026

No description provided.

Signed-off-by: flakey5 <73616808+flakey5@users.noreply.github.com>
@flakey5 flakey5 requested a review from a team as a code owner May 14, 2026 22:55
@cursor (Bot) commented May 14, 2026

PR Summary

Medium Risk
Changes GitHub Actions permissions/checkout credential handling across CI and deploy workflows, which could break automation (e.g., PR creation, deploy) if permissions are too restrictive or mis-scoped.

Overview
Hardens GitHub Actions workflows by explicitly scoping permissions and disabling actions/checkout credential persistence (persist-credentials: false) in most jobs, while keeping write credentials only where git-auto-commit-action needs them.

Adds a new zizmor workflow that runs on pushes/PRs to report security findings to GitHub via security-events: write, and tweaks Dependabot to use a longer cooldown (default-days: 7) to reduce PR churn.

Reviewed by Cursor Bugbot for commit 3fa978f. Bugbot is set up for automated code reviews on this repo.
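The summary above describes three changes in configuration terms: a root-level empty `permissions` block with per-job opt-in, `persist-credentials: false` on `actions/checkout` everywhere except the job that pushes with `git-auto-commit-action`, and a zizmor job that uploads SARIF with `security-events: write`. The following is an added example of that shape, written for this page; it is not the PR's diff. Workflow and script file names, job names, action version tags, and the zizmor CLI flags (`--format=sarif`, `--no-exit-codes`) are assumptions and should be checked against the project's files and zizmor's current documentation; actions should be pinned to commit SHAs rather than the tags shown.

```yaml
# Added example, not the PR's diff. File name assumed: .github/workflows/ci.yml
name: CI

on:
  push:
    branches: [main]
  pull_request:

# Root default: no token scopes at all. Every job below opts in explicitly,
# so a job that forgets to declare permissions gets nothing, not the old
# read/write-everything default.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Weak setting: the checkout default (persist-credentials: true) writes the
      # GITHUB_TOKEN into .git/config, where every later step, including any
      # third-party action or npm lifecycle script, can read it.
      # Hardened: the clone still works, but no credential survives the step.
      - uses: actions/checkout@v4   # tag assumed; pin to a SHA in practice
        with:
          persist-credentials: false
      - run: npm ci && npm test

  update-links:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # this job pushes a commit, so it needs a write scope
    steps:
      # persist-credentials deliberately left at its default here:
      # git-auto-commit-action pushes using the credential checkout stored.
      - uses: actions/checkout@v4
      - run: ./scripts/update-links.sh   # script name assumed
      - uses: stefanzweifel/git-auto-commit-action@v5
        with:
          commit_message: "chore: update links"

  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload SARIF to the Security tab
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: astral-sh/setup-uv@v5
      # zizmor reads the token from the environment for its online audits
      # (e.g. checking action refs against upstream), so the checkout itself
      # does not need to keep credentials. --no-exit-codes keeps the step
      # green so the SARIF is still uploaded when findings exist.
      - run: uvx zizmor --format=sarif --no-exit-codes . > results.sarif
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: zizmor

---
# Added example, not the PR's diff. File name: .github/dependabot.yml
# The cooldown the summary mentions: Dependabot waits 7 days after a new
# release before opening a PR for it, which cuts churn and gives a window
# for a bad release to be yanked before it lands in CI.
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    cooldown:
      default-days: 7
```

The practical check after applying this pattern is the one the summary's "Medium Risk" line points at: run each workflow that pushes, opens PRs, or deploys once from a branch and confirm it still has the scope it needs, since a job whose `permissions` block omits `contents: write` (or whose checkout drops credentials) fails only at the push step, not at parse time.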

@cursor (Bot) left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.


Reviewed by Cursor Bugbot for commit 1fba7f5.

Comment thread .github/workflows/update-links.yml Outdated
Comment thread .github/workflows/build-directory-cache.yaml Outdated
Signed-off-by: flakey5 <73616808+flakey5@users.noreply.github.com>
@MattIPv4 (Member) left a comment

This is a nit, but in some workflows we set permissions at the root, and in others we set it at the job. Can we do it consistently?

Comment thread .github/workflows/build-directory-cache.yaml Outdated
Comment thread .github/workflows/update-links.yml Outdated
flakey5 and others added 2 commits May 14, 2026 16:58
Co-authored-by: Matt Cowley <me@mattcowley.co.uk>
Signed-off-by: flakey5 <73616808+flakey5@users.noreply.github.com>
Signed-off-by: flakey5 <73616808+flakey5@users.noreply.github.com>
3 participants