Commit 986e9eb
fix: harden GitHub Actions workflows (zizmor) (#12)
- Upgrade actions/checkout to v6.0.2 and add persist-credentials: false
- Add workflow-level permissions: {} to release.yml and contents: read to test.yml
- Replace secrets: inherit with explicit secret passing (SOCKET_API_KEY)
- Disable caching in release workflow setup-bun to prevent cache poisoning
- Declare SOCKET_API_KEY as optional workflow_call secret in test.yml
- Disable secrets-outside-env rule via .github/zizmor.yml
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>1 parent 1bac8d8 commit 986e9eb
3 files changed
+21
-3
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
5 | 5 | | |
6 | 6 | | |
7 | 7 | | |
| 8 | + | |
| 9 | + | |
8 | 10 | | |
9 | 11 | | |
10 | 12 | | |
11 | | - | |
| 13 | + | |
| 14 | + | |
12 | 15 | | |
13 | 16 | | |
14 | 17 | | |
| |||
21 | 24 | | |
22 | 25 | | |
23 | 26 | | |
24 | | - | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
25 | 30 | | |
26 | 31 | | |
27 | 32 | | |
| 33 | + | |
| 34 | + | |
28 | 35 | | |
29 | 36 | | |
30 | 37 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
7 | 7 | | |
8 | 8 | | |
9 | 9 | | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
10 | 16 | | |
11 | 17 | | |
12 | 18 | | |
| |||
17 | 23 | | |
18 | 24 | | |
19 | 25 | | |
20 | | - | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
21 | 29 | | |
22 | 30 | | |
23 | 31 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
0 commit comments