[Hermes] Harden CI workflow security, add project.urls, add ruff dep, add .gitattributes#23
Merged
Coding-Dev-Tools merged 1 commit on May 19, 2026
… .gitattributes
- Add persist-credentials:false to all 5 checkout steps across 4 workflows
- Add permissions: contents:read to ci.yml (principle of least privilege)
- Use pip install -e .[dev] for lint step instead of separate pip install ruff
- Add ruff>=0.4.0 to dev dependencies in pyproject.toml
- Convert inline urls to [project.urls] table with Documentation, Issues, Changelog
- Add .gitattributes for consistent line endings across platforms
Summary

Harden CI workflow security across all 4 workflows, add complete project metadata URLs, add ruff as a dev dependency, and add .gitattributes for consistent line endings.

Why this change

- `actions/checkout` persists the GitHub token in `.git/config` after checkout by default. Any later step that runs arbitrary code can exfiltrate this token. Adding `persist-credentials: false` to all read-only checkout steps prevents this.
- ci.yml had no `permissions` block, inheriting the repo's default token permissions. Adding `permissions: contents: read` follows the principle of least privilege.
- The inline `urls = {...}` was missing Documentation, Issues, and Changelog links. Converted to standard `[project.urls]` table with all 5 standard URLs.
- ruff was installed in the lint step with a separate `pip install ruff` instead of being declared as a dev dependency. Now `ruff>=0.4.0` is in `[project.optional-dependencies.dev]` and the lint step uses `pip install -e ".[dev]"`.
- No `.gitattributes` existed, risking CRLF/LF corruption from cross-platform edits.

What changed

- `.github/workflows/ci.yml`: Added `permissions: contents: read`, `persist-credentials: false` to 2 checkout steps, replaced `pip install ruff` with `pip install -e ".[dev]"`
- `.github/workflows/publish.yml`: Added `persist-credentials: false` to checkout step
- `.github/workflows/pages.yml`: Added `persist-credentials: false` to checkout step
- `.github/workflows/npm-publish.yml`: Added `persist-credentials: false` to checkout step
- `pyproject.toml`: Converted inline `urls` to `[project.urls]` table with Homepage, Documentation, Repository, Issues, Changelog; added `ruff>=0.4.0` to dev deps
- `.gitattributes`: New file with `* text=auto eol=lf` and Windows script CRLF overrides

Validation performed

- `ruff check src/ tests/`: All checks passed
- `python -m pytest tests/ -q`: 84 passed
- `pyproject.toml` validated with `tomllib.load()`: valid TOML, correct structure

Risks/rollback

- `persist-credentials: false` only affects token persistence; none of these workflows do `git push`
- npm publishing uses `NODE_AUTH_TOKEN`, not git credentials, so hardening is safe

Follow-ups

- `pip install -e ".[dev]"` instead of `pip install ruff`
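A defender-side check for the two workflow changes this PR describes, added here as an example and not part of the PR or the project's own tooling: it scans a GitHub Actions workflow for a missing top-level `permissions:` block and for `actions/checkout` steps that leave `persist-credentials` at its default. The two sample workflows are constructed to mirror the before and after states.

```python
import re
# Constructed samples (not the project's files): WEAK is the pre-PR state, HARDENED the fix.
WEAK = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - run: pip install ruff && ruff check src/ tests/
"""
HARDENED = """\
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: pip install -e ".[dev]" && ruff check src/ tests/
"""
PERSIST_OFF = re.compile(r"persist-credentials:\s*['\"]?false['\"]?\s*$")

def indent(s: str) -> int:
    return len(s) - len(s.lstrip(" "))

def audit_workflow(text: str) -> list[str]:
    """Flag a missing top-level `permissions:` block and any actions/checkout step
    without persist-credentials: false. Indentation scan, not a full YAML parser."""
    lines = text.splitlines()
    findings = []
    if not any(ln.startswith("permissions:") for ln in lines):
        findings.append("no top-level permissions: block; token inherits repo defaults")
    for i, ln in enumerate(lines):
        m = re.match(r"^(\s*)(-\s+)?uses:\s*actions/checkout@", ln)
        if not m:
            continue
        key_col = len(m.group(1)) + len(m.group(2) or "")
        lo = hi = i  # step = adjacent lines indented to the key column or deeper
        if m.group(2) is None:  # `- name:` opened the step; walk back to that line
            while lo > 0 and (not lines[lo - 1].strip() or indent(lines[lo - 1]) >= key_col):
                lo -= 1
            lo = max(lo - 1, 0)
        while hi + 1 < len(lines) and (not lines[hi + 1].strip() or indent(lines[hi + 1]) >= key_col):
            hi += 1
        if not any(PERSIST_OFF.search(row) for row in lines[lo:hi + 1]):
            findings.append(f"line {i + 1}: actions/checkout step persists the token in .git/config")
    return findings
```

Run `audit_workflow` over each file under `.github/workflows/` to confirm every checkout step carries the override; a `permissions:` block at job level is not credited by this check, so a workflow that scopes the token per job will still be flagged at the top level.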