Security hardening: credentials.json gitignore, CI least-privilege, SHA-pin ShellCheck #4
Merged
- Replace all explicit missing-file grep args with --include= style to prevent exit code 2 false negatives across Checks 14, 18, 19, 20
- Add /safetycheck row to cheat-sheet.md skills table
- Add Step 9 row to step-ordering.md (was missing entirely)
Co-Authored-By: claude-flow <ruv@ruv.net>

…in action
- Add credentials.json to .gitignore (gap identified in security audit)
- Add permissions:contents:read to lint.yml (least-privilege CI)
- SHA-pin ludeeus/action-shellcheck to full commit hash (supply chain hardening)
Co-Authored-By: claude-flow <ruv@ruv.net>

… idempotent links
- Pin SKILL_URL to commit SHA 7b449b6 (prevents rug-pull via mutable main branch)
- Add sha256 checksum verification after SKILL.md download
- Add .github/workflows/security.yml: strict ShellCheck, secret scanning, URL reachability
- Fix step-7d link injection to be idempotent (check for [[project]] before appending)
Co-Authored-By: claude-flow <ruv@ruv.net>

- step-final: convert for-loop-over-find to while-read (SC2044)
- step-final: remove unused HC_ISSUES variable (SC2034)
- update.sh: remove unused RED color variable (SC2034)
- uninstall.sh: replace tilde with $HOME in message strings (SC2088)
- step-1: replace tilde with $HOME in message string (SC2088)
Co-Authored-By: claude-flow <ruv@ruv.net>
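The commit above that pins SKILL_URL adds two guards to the installer: a sha256 check on the downloaded SKILL.md and an idempotent [[project]] link injection. The script below is an added example, not the project's own install script, showing both guards as stand-alone POSIX shell functions. It assumes nothing about the repository; the "downloaded" file is constructed locally as the text "hello" so the demo runs offline, and the pinned digest is the sha256 of that content.

```shell
#!/bin/sh
# Added example, not the project's install script: the two guards named in
# the commit above as stand-alone shell functions.
#   verify_sha256 FILE EXPECTED  - fail closed unless FILE's digest equals the
#                                  pinned EXPECTED hex digest
#   append_once FILE LINE        - append LINE only if FILE does not already
#                                  contain that exact line (idempotent)
# The "downloaded" file is constructed locally ("hello\n") so the demo runs
# offline; PINNED_SHA256 is the sha256 of exactly that content.

PINNED_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

# Portable digest: coreutils sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Returns 0 when FILE's digest matches EXPECTED, 1 (with a message) otherwise.
# Callers should delete the file on failure rather than install it.
verify_sha256() {
  file=$1
  expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "checksum mismatch for $file: expected $expected, got $actual" >&2
  return 1
}

# Appends LINE to FILE unless an identical line already exists.
# grep -qxF: quiet, whole-line match, fixed string (so "[[project]]" is not a regex).
append_once() {
  file=$1
  line=$2
  if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
    return 0
  fi
  printf '%s\n' "$line" >> "$file"
}

demo() {
  tmp=$(mktemp -d)
  # stand-in for the downloaded SKILL.md (constructed)
  printf 'hello\n' > "$tmp/SKILL.md"
  if verify_sha256 "$tmp/SKILL.md" "$PINNED_SHA256"; then
    echo "SKILL.md matches pinned checksum; safe to install"
  fi
  # a modified copy must be rejected, then discarded
  printf 'hello, tampered\n' > "$tmp/SKILL.md.tampered"
  if ! verify_sha256 "$tmp/SKILL.md.tampered" "$PINNED_SHA256"; then
    rm -f "$tmp/SKILL.md.tampered"
    echo "tampered copy rejected and removed"
  fi
  # idempotent link injection: three runs, still one [[project]] line
  append_once "$tmp/index.md" "[[project]]"
  append_once "$tmp/index.md" "[[project]]"
  append_once "$tmp/index.md" "[[project]]"
  echo "[[project]] occurrences: $(grep -cF '[[project]]' "$tmp/index.md")"
  rm -rf "$tmp"
}

demo
```

The checksum only protects you if the expected digest is pinned in the installer next to the commit SHA it was computed from; fetching the digest from the same mutable branch as the file would let both change together.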
fidgetcoding added a commit that referenced this pull request on Apr 18, 2026: Security hardening: credentials.json gitignore, CI least-privilege, SHA-pin ShellCheck

fidgetcoding added a commit that referenced this pull request on Apr 21, 2026: Security hardening: credentials.json gitignore, CI least-privilege, SHA-pin ShellCheck

fidgetcoding added a commit that referenced this pull request on Apr 25, 2026: Security hardening: credentials.json gitignore, CI least-privilege, SHA-pin ShellCheck

fidgetcoding added a commit that referenced this pull request on Apr 25, 2026: Security hardening: credentials.json gitignore, CI least-privilege, SHA-pin ShellCheck
Summary

- Add `credentials.json` to `.gitignore` (Google/Firebase credentials file gap)
- Add `permissions: contents: read` to `lint.yml` — prevents CI from having implicit write-all permissions
- Pin `ludeeus/action-shellcheck` to full commit hash `94e0aab03ca135d11a35e5bfc14e6746dc56e7e9` (v2.0.0) — prevents tag-based supply chain attack on third-party action

Test plan

- `.sh` files
- `.gitignore` correctly excludes `credentials.json` from tracking

🤖 Generated with claude-flow
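The two workflow changes in the summary (a top-level `permissions:` block and a full-SHA pin on the third-party action) are easy to regress when a workflow is edited later. The script below is an added example, not part of this PR, that audits a workflow file for both rules and runs it against a constructed "before" and "after" `lint.yml`. The action name and its 40-character SHA are the ones from the summary; the `actions/checkout` SHA in the hardened snippet is an all-zero placeholder, not a real commit.

```shell
#!/bin/sh
# Added example, not code from the PR: a small shell audit that applies the
# two workflow rules from the summary to a GitHub Actions workflow file.
#   1. a top-level "permissions:" key must be present; without one the job
#      inherits the repository's default GITHUB_TOKEN scope
#   2. every "uses: owner/repo@ref" must pin ref to a full 40-hex commit
#      SHA, not a mutable tag or branch name
# Both workflow snippets are constructed for this demo. The ShellCheck action
# and its SHA come from the PR summary; the actions/checkout SHA is an
# all-zero placeholder, not a real commit.

# Prints each "owner/repo@ref" in FILE whose ref is not a 40-hex commit SHA.
# Local ("./path") and docker:// references contain no "@" and are skipped.
unpinned_uses() {
  grep -Eo 'uses:[[:space:]]*[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+@[^[:space:]#]+' "$1" \
  | sed -E 's/^uses:[[:space:]]*//' \
  | while IFS= read -r ref; do
      sha=${ref##*@}
      if ! printf '%s\n' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
        echo "$ref"
      fi
    done
}

# Prints one finding per line; returns 0 if FILE passes both rules, 1 otherwise.
audit_workflow() {
  file=$1
  count=0
  if ! grep -q '^permissions:' "$file"; then
    echo "$file: no top-level permissions: block (job inherits default token scope)"
    count=$((count + 1))
  fi
  for ref in $(unpinned_uses "$file"); do
    echo "$file: $ref is not pinned to a full commit SHA"
    count=$((count + 1))
  done
  [ "$count" -eq 0 ]
}

# Writes the constructed before/after workflows into DIR.
write_demo_workflows() {
  dir=$1
  cat > "$dir/lint-before.yml" <<'EOF'
name: lint
on: [push]
jobs:
  shellcheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ludeeus/action-shellcheck@master
EOF
  cat > "$dir/lint-after.yml" <<'EOF'
name: lint
on: [push]
permissions:
  contents: read
jobs:
  shellcheck:
    runs-on: ubuntu-latest
    steps:
      # placeholder SHA (constructed for the demo); pin the real commit here
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - uses: ludeeus/action-shellcheck@94e0aab03ca135d11a35e5bfc14e6746dc56e7e9 # v2.0.0
EOF
}

demo() {
  tmp=$(mktemp -d)
  write_demo_workflows "$tmp"
  for f in "$tmp/lint-before.yml" "$tmp/lint-after.yml"; do
    if audit_workflow "$f"; then
      echo "$f: OK"
    fi
  done
  rm -rf "$tmp"
}

demo
```

Running it reports two unpinned actions and the missing `permissions:` block for the "before" file and passes the "after" file. The trailing `# v2.0.0` comment on a pinned line is the convention that keeps a SHA pin readable and lets update tooling know which tag it corresponds to.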