Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR improves the repository’s security posture and CI reliability by tightening GitHub Actions permissions, adding runner hardening, introducing additional security workflows, and ensuring Python tooling runs consistently under uv.
Changes:
- Move elevated GitHub Actions permissions from workflow-level to job-level (least privilege) and add
step-security/harden-runnerto workflows with steps. - Add new security workflows: CodeQL scanning and dependency review for PRs.
- Fix
make lint/make testtool execution underuvby invoking tools viauv run python -m ..., and add a pre-commit configuration (including gitleaks).
Reviewed changes
Copilot reviewed 12 out of 13 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
uv.lock |
Updates PyJWT lock entry to 2.12.1. |
Makefile |
Runs pytest/flake8/pylint/mypy via uv run python -m ... for consistent tool resolution. |
.pre-commit-config.yaml |
Adds pre-commit hooks (gitleaks + whitespace fixes + local Python format/lint hooks via uv). |
.github/workflows/super-linter.yaml |
Adds harden-runner audit step before workflow actions. |
.github/workflows/stale.yml |
Moves issue/PR permissions to the job and adds harden-runner. |
.github/workflows/scorecard.yml |
Replaces read-all with scoped permissions and adds harden-runner. |
.github/workflows/python-ci.yml |
Adds harden-runner to test/lint workflow. |
.github/workflows/mark-ready-when-ready.yml |
Moves elevated permissions to the job and adds harden-runner. |
.github/workflows/docker-ci.yml |
Adds harden-runner to the Docker build workflow. |
.github/workflows/dependency-review.yml |
Adds a dependency-review workflow (with harden-runner). |
.github/workflows/copilot-setup-steps.yml |
Adds harden-runner to Copilot setup workflow. |
.github/workflows/contributors_report.yaml |
Adds harden-runner to the monthly report workflow. |
.github/workflows/codeql.yml |
Adds a CodeQL workflow (with harden-runner) for Python scanning. |
jmeridth
force-pushed
the
fix/tighten-workflow-permissions-add-security-hardening
branch
from
1c1909c to
d061d9d
Compare
… tool invocations ## What Move elevated permissions from workflow level to job level across three workflows (mark-ready-when-ready, scorecard, stale) so each job only holds the permissions it actually needs. Add step-security/harden-runner to all eight workflows that define steps. Add CodeQL SAST scanning and dependency-review workflows. Add pre-commit configuration with gitleaks, formatting hooks, and local linter hooks. Fix Makefile to invoke flake8, pytest, pylint, and mypy via `uv run python -m` since they lack console script entry points in the uv venv. Upgrade PyJWT from 2.11.0 to 2.12.1 to address CVE-2026-32597. ## Why Workflow-level write permissions apply to every job in the workflow, granting broader access than necessary. Moving them to job level follows the principle of least privilege. Harden-runner audits outbound network calls from GitHub-hosted runners, improving supply-chain visibility. CodeQL and dependency-review close gaps in static analysis and vulnerable-dependency detection. The Makefile commands failed under uv because those packages don't install console scripts; `python -m` ensures the tools are always found. PyJWT <= 2.11.0 doesn't validate the RFC 7515 `crit` header parameter (CVSS 7.5). ## Notes - The `uv run` to `uv run python -m` change also affects CI since python-ci calls `make lint` and `make test` - release.yml, auto-labeler.yml, and pr-title.yml use reusable workflows at the job level so harden-runner cannot be added there; it must go in the reusable workflow definitions instead - The scorecard workflow previously used `permissions: read-all` which granted read access to all scopes; now explicitly scoped to only what's needed - PyJWT is a transitive dependency; verify downstream consumers aren't relying on the old crit-header-ignored behavior Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth
force-pushed
the
fix/tighten-workflow-permissions-add-security-hardening
branch
from
d061d9d to
9c78dcb
Compare
Collaborator
|
The Autobuild step in |
Signed-off-by: jmeridth <jmeridth@gmail.com>
zkoppert
approved these changes
Mar 14, 2026
Collaborator
zkoppert
left a comment
zkoppert
left a comment
There was a problem hiding this comment.
LGTM - minor note: consider removing the Autobuild step from codeql.yml since it's a no-op for Python.
jmeridth
deleted the
fix/tighten-workflow-permissions-add-security-hardening
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Move elevated permissions from workflow level to job level across three workflows (mark-ready-when-ready, scorecard, stale) so each job only holds the permissions it actually needs. Add step-security/harden-runner to all eight workflows that define steps. Add CodeQL SAST scanning and dependency-review workflows. Add pre-commit configuration with gitleaks, formatting hooks, and local linter hooks. Fix Makefile to invoke flake8, pytest, pylint, and mypy via
uv run python -msince they lack console script entry points in the uv venv. Upgrade PyJWT from 2.11.0 to 2.12.1 to address CVE-2026-32597.Why
Workflow-level write permissions apply to every job in the workflow, granting broader access than necessary. Moving them to job level follows the principle of least privilege. Harden-runner audits outbound network calls from GitHub-hosted runners, improving supply-chain visibility. CodeQL and dependency-review close gaps in static analysis and vulnerable-dependency detection. The Makefile commands failed under uv because those packages don't install console scripts;
python -mensures the tools are always found. PyJWT <= 2.11.0 doesn't validate the RFC 7515critheader parameter (CVSS 7.5).Notes
uv runtouv run python -mchange also affects CI since python-ci callsmake lintandmake testpermissions: read-allwhich granted read access to all scopes; now explicitly scoped to only what's needed