Pin several GitHub Actions and third-party workflow refs to specific SHAs/digests for reproducible runs; add permissions (contents/id-token/pages) where required for coverage uploads, OIDC and docs publishing; set persist-credentials: false on checkouts and adjust run images/digests. Also add a 7-day Dependabot cooldown and minor CI tweaks (ubuntu-slim for docs comment, curl env fix for release input). These changes improve security, stability and reduce noisy Dependabot updates.
Tighten and standardize GitHub Actions across workflows:
- ansible-test-windows.yml: deny workflow-level permissions (scope per job), add job env (NAMESPACE, COLLECTION_NAME, GHWS, CODECOV_TOKEN), and switch pip invocations to python3 (remove matrix.python usage). Keep id-token and other required permissions per job.
- ansible-test.yml: restrict default permissions (contents: read), expose CODECOV_TOKEN as job env for Sanity and Integration jobs, and remove duplicated env on codecov steps.
- docs-pr.yml: change trigger from pull_request_target to pull_request to avoid elevated token scope for PRs.
- release.yml: add concurrency and restrict default permissions (contents: read), expose VERSION, GALAXY_API_KEY, and GITHUB_TOKEN to the release job, and fix the Galaxy validation curl to use the VERSION env var.
Overall these changes improve security (reduce default permissions), ensure required secrets/envs are available to jobs, and fix platform-specific command usage and release validation.
Add zizmor ignore annotations and comments to GitHub Actions workflows, tighten workflow-level permissions (set to {} to scope per-job), and propagate environment variables into relevant steps. Replace inline matrix/github workspace usages with step env vars (e.g. ANSIBLE, GHWS, NAMESPACE, COLLECTION_NAME, GROUP) for pip installs, ansible-test invocations, and coverage/reporting steps; adjust WSL path conversion to use WORKSPACE env. Add explanatory comments for CODECOV_TOKEN and secrets usage. In release workflow, switch to using env.VERSION/GHP_BASE_URL/GALAXY_API_KEY/GITHUB_TOKEN, fix curl quoting, update Python release description to reference env variables, and annotate the release action usage. These changes improve lint suppression, environment scoping, and consistency across jobs.
Bump pinned action commit SHAs across CI workflows to use newer/stable revisions and add a note for docs action:
- .github/workflows/ansible-test-windows.yml: Vampire/setup-wsl pinned to v6.1.0
- .github/workflows/ansible-test.yml: ansible-community/ansible-test-gh-action updated to a newer SHA for both sanity and integration jobs
- .github/workflows/docs-pr.yml: ansible-docs-build-comment usage kept on the same SHA but annotated to ignore stale-action-refs
- .github/workflows/release.yml: actions/setup-python pinned to v6.2.0 and artis3n/ansible_galaxy_collection SHA updated
These changes refresh action references to pick up fixes/updates and clarify the docs action pin.
Add inline zizmor ignore comments to .github/workflows/ansible-test.yml to suppress lint warnings: mark CODECOV_TOKEN env usages with secrets-outside-env (Codecov token required for uploading coverage, used only with workflow_dispatch) and mark the mcr.microsoft.com/mssql/server image with unpinned-images (trusted publisher for this CI use case). These comments silence false positives from security/lint tooling while preserving intended CI behavior.
Update GitHub Actions concurrency group expressions to use github.event.pull_request.number || github.ref (or for docs-pr, replace head_ref) so workflows create stable, per-PR concurrency groups. This prevents runs for different pull requests (or branches with the same name) from canceling each other. Applied to ansible-test-windows.yml, ansible-test.yml, docs-pr.yml, and zizmor.yml.
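The commits above apply a handful of workflow hardening rules by hand: pin third-party actions to a full commit SHA, declare workflow-level `permissions`, set `persist-credentials: false` on checkouts, avoid `pull_request_target` for PR builds, and key concurrency groups on the PR number rather than `head_ref`. The script below is an added example (not the PR's code nor part of the collection) that checks a workflow file for exactly those points, so the same review can be repeated on other repositories. It is deliberately line-oriented so it runs without PyYAML, which means it assumes the usual 2-space YAML layout of workflow files; the two sample workflows are constructed, and the 40-hex SHAs in the hardened one are placeholders, not real commits.

```python
"""Line-oriented check for the workflow hardening points applied in the commits above.
Added example, not the PR's code. Assumes 2-space YAML layout; sample workflows are
constructed and their 40-hex SHAs are placeholders, not real commits."""
import re
from collections import namedtuple

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                   # the only immutable action ref
USES_RE = re.compile(r"^(\s*)(-\s+)?uses:\s*([^\s#]+)")  # '- uses: x' or 'uses: x'
Finding = namedtuple("Finding", "rule line detail")      # line is 1-based, 0 = whole file

def _indent(s):
    return len(s) - len(s.lstrip(" "))

def _step_bounds(lines, idx):
    """[start, end) indices of the '- ' list item (the step) that contains lines[idx]."""
    ind = step_indent = _indent(lines[idx])
    if not lines[idx].lstrip().startswith("- "):       # 'uses:' sits under '- name:'
        for k in range(idx - 1, -1, -1):
            if lines[k].strip().startswith("- ") and _indent(lines[k]) < ind:
                step_indent = _indent(lines[k])
                break
    start = idx
    while start > 0 and not (lines[start].lstrip().startswith("- ")
                             and _indent(lines[start]) == step_indent):
        start -= 1
    end = idx + 1
    while end < len(lines):
        s, e = lines[end].strip(), _indent(lines[end])
        if s and (e < step_indent or (e == step_indent and s.startswith("- "))):
            break
        end += 1
    return start, end

def audit_workflow(text):
    lines = text.splitlines()
    findings = []
    has_permissions = in_on_block = False
    for i, raw in enumerate(lines, start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if _indent(raw) == 0:                               # top-level key
            key = stripped.split(":", 1)[0]
            in_on_block = key == "on"
            has_permissions = has_permissions or key == "permissions"
        if "pull_request_target" in stripped and (in_on_block or stripped.startswith("on:")):
            findings.append(Finding("pull-request-target-trigger", i, stripped))
        if stripped.startswith("group:") and "github.head_ref" in stripped:
            findings.append(Finding("unstable-concurrency-group", i, stripped))
        m = USES_RE.match(raw)
        if not m or "@" not in m.group(3) or m.group(3).startswith(("./", "docker://")):
            continue                                        # not a remote action ref
        action, _, version = m.group(3).rpartition("@")
        if not SHA_RE.match(version):                       # tag or branch, mutable
            findings.append(Finding("unpinned-action", i, m.group(3)))
        if action == "actions/checkout":
            start, end = _step_bounds(lines, i - 1)
            if not any("persist-credentials: false" in lines[k] for k in range(start, end)):
                findings.append(Finding("checkout-persists-credentials", i, m.group(3)))
    if not has_permissions:
        findings.append(Finding("missing-workflow-permissions", 0,
                                "no top-level permissions: block, default token scope applies"))
    return findings

# Constructed 'before' workflow carrying every weakness the checks look for.
WEAK = """\
on:
  pull_request_target:
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref }}
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python3 -m pip install ansible
"""

# Constructed hardened form of the same workflow (placeholder SHA, not a real commit).
HARDENED = """\
on:
  pull_request:
permissions: {}
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
jobs:
  test:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Check out
        uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
        with:
          persist-credentials: false
      - run: python3 -m pip install ansible
"""

if __name__ == "__main__":
    for f in audit_workflow(WEAK):
        print(f"{f.rule:32} line {f.line}: {f.detail}")
```

Run stand-alone it lists five findings for the constructed `WEAK` workflow and none for `HARDENED`. The checkout rule walks the enclosing list item in both directions, so `persist-credentials: false` is found whether `uses:` is written directly after the dash or beneath a `- name:` entry. This is a first-pass gate in the spirit of the zizmor annotations the commits add, not a substitute for that tool: it knows nothing about per-job `permissions` that re-grant write scope or about expressions inside `run:` steps.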
Description
Times, they are a changin'. And this repo needs to be prepared.
How Has This Been Tested?
Types of changes
Checklist:
version_added property.