fix: remove npm-publish.yml, harden CI workflow security

DevForge Engineer · DevForge Engineer · commit 66d18fdb7a99 · 2026-05-18T06:26:30.000-04:00
- Remove npm-publish.yml (wrong-language CI workflow for Python repo)
- Add persist-credentials: false to all checkout steps
- Add top-level permissions: contents: read to ci.yml, test.yml, publish.yml
- Update actions/checkout v4-&gt;v6 and setup-python v5-&gt;v6 in ci.yml
- Update actions/checkout v4-&gt;v6 in pages.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,6 +7,9 @@ on:
   pull_request:
     branches: [master]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -15,10 +18,12 @@ jobs:
         python-version: ["3.11", "3.12"]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -41,10 +46,12 @@ jobs:
       id-token: write
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.12"
 
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
@@ -18,7 +18,9 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Setup Pages
         uses: actions/configure-pages@v5
       - name: Build with Jekyll
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -5,6 +5,9 @@ on:
     types: [ published ]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
@@ -14,6 +17,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v6
+      with:
+        persist-credentials: false
 
     - name: Set up Python
       uses: actions/setup-python@v6
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -1,11 +1,14 @@
-name: CI
+name: Test
 
 on:
   push:
     branches: [master]
   pull_request:
     branches: [master]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -15,6 +18,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v6
@@ -27,7 +32,8 @@ jobs:
           pip install -e ".[dev]"
 
       - name: Lint with ruff
-        run: pip install ruff && ruff check src/ --target-version py310
+        run: ruff check src/ --target-version py310
+
       - name: Run tests
         run: |
           python -m pytest tests/ -v --tb=short
@@ -36,4 +42,3 @@ jobs:
         run: |
           deadcode --version
           deadcode --help
-
