
Harden GitHub Actions workflows against token disclosure #1

Merged: SRWieZ merged 1 commit into main from harden-workflows on May 19, 2026

Conversation

@SRWieZ SRWieZ (Owner) commented May 19, 2026

Hardens CI in response to Composer CVE-2026-45793. Same pattern as knotsphp/publicip#6.

  • Pin github/issue-labeler@v3.4 to commit SHA
  • Move permissions: to deny-all at top, least-privilege per job
  • Add .github/dependabot.yml (monthly, grouped, labelled)
  • Add .github/CODEOWNERS

- Pin github/issue-labeler@v3.4 to commit SHA
- Move permissions to deny-all at top, least-privilege per job
  (issues: write + contents: read on the label job only)
- Add .github/dependabot.yml (monthly, grouped, labelled)
- Add .github/CODEOWNERS so future .github/ changes need review

Same pattern as knotsphp/publicip#6.
@SRWieZ SRWieZ merged commit f5a2de5 into main May 19, 2026
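A constructed illustration of the layout the commit message describes, added here and not taken from the PR's own diff: the workflow file name, trigger, configuration path and Dependabot label are assumptions, and the action SHA is a placeholder to be replaced with the real commit behind v3.4.

```yaml
# Constructed example (not the repository's actual workflow). File name,
# trigger and configuration path are assumed; the SHA is a placeholder.
name: Label issues

on:
  issues:
    types: [opened, edited]

# Top-level deny-all: every job starts with zero GITHUB_TOKEN scopes.
# Weak setting this replaces: no `permissions:` key at all, which hands
# each job the repository's default token scopes (often read/write).
permissions: {}

jobs:
  label:
    runs-on: ubuntu-latest
    # Least privilege for this job only: read repository contents (to
    # fetch the labeler config) and write issue labels. Nothing else.
    permissions:
      contents: read
      issues: write
    steps:
      # Pinned to a full commit SHA rather than the mutable `@v3.4` tag,
      # so a moved or re-pushed tag cannot substitute different code.
      # The version stays in a trailing comment for humans and Dependabot.
      - uses: github/issue-labeler@0000000000000000000000000000000000000000 # v3.4 (PLACEHOLDER SHA)
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          configuration-path: .github/labeler.yml

---
# .github/dependabot.yml: monthly, grouped, labelled updates so the
# pinned SHA is bumped by reviewed PRs instead of drifting or going stale.
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: monthly
    labels:
      - dependencies        # assumed label name
    groups:
      actions:
        patterns:
          - "*"             # one grouped PR for all action updates
```

Since `permissions: {}` removes every scope by default, a job that later needs another scope must request it explicitly, which makes any widening visible in review of `.github/` changes.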