Skip to content

ci(workflows): harden workflows with zizmor, add CodeQL and mise tasks#339

Merged
looztra merged 3 commits into
mainfrom
chore/quality-checks
Jul 11, 2026
Merged

ci(workflows): harden workflows with zizmor, add CodeQL and mise tasks#339
looztra merged 3 commits into
mainfrom
chore/quality-checks

Conversation

@looztra

@looztra looztra commented Jul 11, 2026

Copy link
Copy Markdown
Owner

Summary

Replicates the CI hardening done in yamkix (looztra/yamkix#448 and looztra/yamkix#449): zizmor static analysis, tightened token permissions, cache-poisoning protection on the release path, pinned actions, CodeQL code scanning, and mise tasks mirroring the make targets.

Changes

  • workflows_checks.yml: run zizmor (via zizmorcore/zizmor-action) alongside actionlint; explicit contents: read / checks: write permissions
  • code_checks.yml: top-level contents: read permission and persist-credentials: false on all checkouts; dedicated detect-release step reused by downstream conditions; mise and uv caches disabled on release runs so a poisoned cache cannot reach the (Test)PyPI distribution; pin pypa/gh-action-pypi-publish to v1.14.0 (was an unstable ref); fix deprecated codecov params (files / report_type); switch steps from make to mise run tasks
  • lint_pr_titles.yml: scope token to pull-requests: write, document why pull_request_target is safe here (zizmor ignore), pin sticky-comment action to v3.0.5
  • publish_docs.yml: keep persist-credentials: true explicitly with justification (mkdocs gh-deploy pushes to gh-pages)
  • zizmor.yml: new config ignoring cache-poisoning in code_checks.yml, with rationale
  • codeql.yml: new workflow scanning python and actions with build-mode: none, weekly schedule, minimal permissions and pinned SHAs
  • toolbox/mise/tasks/toml/: mise tasks (lint, test, dist, docs, venv, precommit, checks) mirroring the make targets; actionlint and zizmor added to .mise.toml tools
  • poe_tasks.toml: split ruff:fmt:run into ruff:isort + ruff:fmt
  • .pre-commit-config.yaml: add --silent to the yamkix hook

Verification

  • zizmor v1.26.1: no findings across all six workflows; actionlint clean
  • All 19 mise tasks register; venv:setup, lint:fast, style and two full precommit:run passes exercised locally (no diffs produced)
  • The workflows in this PR validate themselves via actionlint + zizmor on this very run

Note

If the GitHub repo has default CodeQL setup enabled, it must be switched off (Settings → Code security) before the advanced workflow can upload results.

🤖 Generated with Claude Code

looztra and others added 2 commits July 11, 2026 21:58
…ctions

Replicates yamkix#448: adds zizmor static analysis for workflows,
tightens token permissions, protects the release path from cache
poisoning, pins all third-party actions to full versions, and
introduces mise tasks mirroring the make targets.

- workflows_checks.yml: run zizmor alongside actionlint; explicit
  contents: read / checks: write permissions
- code_checks.yml: top-level contents: read, persist-credentials: false
  on all checkouts; dedicated detect-release step reused by downstream
  conditions; mise and uv caches disabled on release runs; pin
  pypa/gh-action-pypi-publish to v1.14.0 (was unstable ref); fix
  deprecated codecov params (files/report_type)
- lint_pr_titles.yml: scope token to pull-requests: write, document why
  pull_request_target is safe (zizmor ignore), pin sticky-comment to
  v3.0.5
- publish_docs.yml: keep persist-credentials: true explicitly with
  justification (mkdocs gh-deploy pushes to gh-pages)
- zizmor.yml: ignore cache-poisoning in code_checks.yml with rationale
- toolbox/mise/tasks/toml: mise tasks (lint, test, dist, docs, venv,
  precommit, checks) used by the workflows in place of make targets
- poe_tasks.toml: split ruff:fmt:run into ruff:isort + ruff:fmt

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Replicates yamkix#449: CodeQL code scanning via advanced setup,
covering python and actions with build-mode: none, weekly schedule,
minimal permissions and pinned action SHAs. Also silence the yamkix
pre-commit hook.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@codecov

codecov Bot commented Jul 11, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.14%. Comparing base (aaa1c27) to head (c7fd3bb).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #339   +/-   ##
=======================================
  Coverage   79.14%   79.14%           
=======================================
  Files          11       11           
  Lines         235      235           
  Branches       28       28           
=======================================
  Hits          186      186           
  Misses         45       45           
  Partials        4        4           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

@looztra looztra merged commit 8dbf1a4 into main Jul 11, 2026
11 checks passed
@looztra looztra deleted the chore/quality-checks branch July 11, 2026 20:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants