Conversation
jmeridth
force-pushed
the
fix/tighten-workflow-permissions-and-security-hardening
branch
from
ba93395 to
293d51c
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR strengthens the repo’s supply-chain/security posture and dev tooling by adding pre-commit hooks, tightening GitHub Actions permissions, hardening runners, and updating a dependency lock entry.
Changes:
- Add a
.pre-commit-config.yamlwith gitleaks + Python formatting/lint/type-check hooks. - Harden multiple GitHub Actions workflows (runner hardening + more granular permissions) and add new Dependency Review + CodeQL workflows.
- Bump
pyjwtinuv.lockand adjust Makefile commands to run tools viapython -m ....
Reviewed changes
Copilot reviewed 12 out of 14 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
uv.lock |
Updates locked pyjwt version and artifact hashes/URLs. |
Makefile |
Runs pytest/flake8/pylint/mypy via python -m under uv run. |
.pre-commit-config.yaml |
Introduces pre-commit hooks for secrets scanning and Python tooling. |
.github/workflows/stale.yaml |
Adds runner hardening and scopes permissions at job level. |
.github/workflows/scorecard.yml |
Adds runner hardening and narrows default permissions. |
.github/workflows/python-package.yml |
Adds runner hardening to CI test workflow. |
.github/workflows/mark-ready-when-ready.yml |
Moves elevated permissions to job level and adds runner hardening. |
.github/workflows/linter.yaml |
Adds runner hardening to the linter workflow. |
.github/workflows/docker-image.yml |
Adds runner hardening to Docker build workflow. |
.github/workflows/dependency-review.yml |
Adds dependency review workflow for PR dependency changes. |
.github/workflows/copilot-setup-steps.yml |
Adds runner hardening to Copilot setup steps. |
.github/workflows/contributor_report.yaml |
Adds runner hardening and adjusts permissions structure. |
.github/workflows/codeql.yml |
Adds CodeQL scanning workflow with pinned actions and runner hardening. |
jmeridth
force-pushed
the
fix/tighten-workflow-permissions-and-security-hardening
branch
from
293d51c to
bec6a6d
Compare
… tool invocations ## What Move elevated permissions from workflow level to job level across four workflows (mark-ready-when-ready, scorecard, stale, contributor_report) so each job only holds the permissions it actually needs. Add step-security/harden-runner to all eight workflows that define steps. Add CodeQL SAST scanning and dependency-review workflows. Add pre-commit configuration with gitleaks, formatting hooks, and local linter hooks. Fix Makefile to invoke flake8, pytest, pylint, and mypy via `uv run python -m` since they lack console script entry points in the uv venv. Upgrade PyJWT from 2.11.0 to 2.12.1 to address CVE-2026-32597. ## Why Workflow-level write permissions apply to every job in the workflow, granting broader access than necessary. Moving them to job level follows the principle of least privilege. Harden-runner audits outbound network calls from GitHub-hosted runners, improving supply-chain visibility. CodeQL and dependency-review close gaps in static analysis and vulnerable-dependency detection. The Makefile commands failed under uv because those packages don't install console scripts; `python -m` ensures the tools are always found. PyJWT <= 2.11.0 doesn't validate the RFC 7515 `crit` header parameter (CVSS 7.5). ## Notes - The `uv run` to `uv run python -m` change also affects CI since python-package calls `make lint` and `make test` - release.yml, auto-labeler.yml, and pr-title.yml use reusable workflows at the job level so harden-runner cannot be added there; it must go in the reusable workflow definitions instead - pylint was also changed to `python -m` beyond what the upstream stale-repos PR did, since it failed the same way as flake8/mypy/pytest - PyJWT is a transitive dependency; verify downstream consumers aren't relying on the old crit-header-ignored behavior - The scorecard workflow previously used `permissions: read-all` which granted read access to all scopes; now explicitly scoped to only what's needed Signed-off-by: Jason Meridth <jmeridth@gmail.com>
jmeridth
force-pushed
the
fix/tighten-workflow-permissions-and-security-hardening
branch
from
bec6a6d to
f01eb88
Compare
Collaborator
|
The Autobuild step in |
Signed-off-by: jmeridth <jmeridth@gmail.com>
zkoppert
approved these changes
Mar 14, 2026
Collaborator
zkoppert
left a comment
zkoppert
left a comment
There was a problem hiding this comment.
LGTM - minor note: consider removing the Autobuild step from codeql.yml since it's a no-op for Python.
jmeridth
deleted the
fix/tighten-workflow-permissions-and-security-hardening
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Move elevated permissions from workflow level to job level across four workflows (mark-ready-when-ready, scorecard, stale, contributor_report) so each job only holds the permissions it actually needs. Add step-security/harden-runner to all eight workflows that define steps. Add CodeQL SAST scanning and dependency-review workflows. Add pre-commit configuration with gitleaks, formatting hooks, and local linter hooks. Fix Makefile to invoke flake8, pytest, pylint, and mypy via
uv run python -msince they lack console script entry points in the uv venv. Upgrade PyJWT from 2.11.0 to 2.12.1 to address CVE-2026-32597.Why
Workflow-level write permissions apply to every job in the workflow, granting broader access than necessary. Moving them to job level follows the principle of least privilege. Harden-runner audits outbound network calls from GitHub-hosted runners, improving supply-chain visibility. CodeQL and dependency-review close gaps in static analysis and vulnerable-dependency detection. The Makefile commands failed under uv because those packages don't install console scripts;
python -mensures the tools are always found. PyJWT <= 2.11.0 doesn't validate the RFC 7515critheader parameter (CVSS 7.5).Notes
uv runtouv run python -mchange also affects CI since python-package callsmake lintandmake testpython -mbeyond what the upstream stale-repos PR did, since it failed the same way as flake8/mypy/pytestpermissions: read-allwhich granted read access to all scopes; now explicitly scoped to only what's needed