From 66d18fdb7a995f98d967d3a0777c3dd12a595b4e Mon Sep 17 00:00:00 2001 From: DevForge Engineer Date: Mon, 18 May 2026 06:26:30 -0400 Subject: [PATCH] fix: remove npm-publish.yml, harden CI workflow security - Remove npm-publish.yml (wrong-language CI workflow for Python repo) - Add persist-credentials: false to all checkout steps - Add top-level permissions: contents: read to ci.yml, test.yml, publish.yml - Update actions/checkout v4->v6 and setup-python v5->v6 in ci.yml - Update actions/checkout v4->v6 in pages.yml --- .github/workflows/ci.yml | 15 +++++++++++---- .github/workflows/npm-publish.yml | 28 ---------------------------- .github/workflows/pages.yml | 4 +++- .github/workflows/publish.yml | 5 +++++ .github/workflows/test.yml | 11 ++++++++--- 5 files changed, 27 insertions(+), 36 deletions(-) delete mode 100644 .github/workflows/npm-publish.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9a029e3..0e9f83f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -7,6 +7,9 @@ on: pull_request: branches: [master] +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest @@ -15,10 +18,12 @@ jobs: python-version: ["3.11", "3.12"] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ matrix.python-version }} @@ -41,10 +46,12 @@ jobs: id-token: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: "3.12" diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml deleted file mode 100644 index ffc3b66..0000000 --- a/.github/workflows/npm-publish.yml +++ /dev/null 
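Review bot: The bumped `actions/checkout@v6` and `actions/setup-python@v6` references in this hunk are still mutable major tags, which a commit that already disables persisted credentials would normally take one step further: a tag can be re-pointed after review, a full-length commit SHA cannot, so the usual form is `- uses: actions/checkout@<full-commit-sha>  # v6` with the version kept in the trailing comment so Dependabot's `github-actions` updates can still track it. The same applies to the second checkout/setup-python pair later in ci.yml, to the checkout in pages.yml, and to the references that were already at v6 in publish.yml and test.yml. If the project deliberately prefers tags over SHAs, that decision is worth stating once in the commit message rather than leaving each workflow to differ.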
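Review bot: The job touched by the third ci.yml hunk declares its own `permissions:` block (the `id-token: write` context line at the top of the hunk), and a job-level block replaces the new top-level `contents: read` rather than adding to it, so every scope not listed there becomes `none` for this job. If this job's checkout or any later step needs repository read access, `contents: read` has to be repeated inside that job block, which starts above the hunk; the same check applies to the publish job in publish.yml, whose permissions block is also outside its hunk. This is best confirmed on an actual run rather than assumed, since actions/checkout on a public repository may still succeed without the scope.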
@@ -1,28 +0,0 @@ -name: Publish to npm - -on: - release: - types: [published] - workflow_dispatch: - -jobs: - publish: - runs-on: ubuntu-latest - permissions: - contents: read - - steps: - - uses: actions/checkout@v6 - - - name: Set up Node.js - uses: actions/setup-node@v6 - with: - node-version: "22" - registry-url: "https://registry.npmjs.org" - - - name: Publish to npm - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - run: | - npm publish --access public - diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml index d2d8ccb..4259af1 100644 --- a/.github/workflows/pages.yml +++ b/.github/workflows/pages.yml @@ -18,7 +18,9 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Setup Pages uses: actions/configure-pages@v5 - name: Build with Jekyll diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 07ba012..0cf35a3 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -5,6 +5,9 @@ on: types: [ published ] workflow_dispatch: +permissions: + contents: read + jobs: publish: runs-on: ubuntu-latest @@ -14,6 +17,8 @@ jobs: steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@v6 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index cb1dfde..c0451f9 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,4 +1,4 @@ -name: CI +name: Test on: push: @@ -6,6 +6,9 @@ on: pull_request: branches: [master] +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest @@ -15,6 +18,8 @@ jobs: steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v6 
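Review bot: pages.yml gets `persist-credentials: false` on its checkout but, unlike ci.yml, test.yml and publish.yml in this commit, no top-level `permissions: contents: read`, so its default token scopes remain whatever the repository setting grants. A consistent change would add `permissions:` / `  contents: read` at the top of pages.yml and keep any wider grants (the `actions/configure-pages@v5` context line suggests a deploy job that needs `pages: write` and `id-token: write`) at job level only; the rest of the file is outside the hunk, so if such a job-level block already exists this is a top-level addition only. The `build` job begins on the hunk's first context line and its later steps continue past the hunk.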
@@ -27,7 +32,8 @@ jobs: pip install -e ".[dev]" - name: Lint with ruff - run: pip install ruff && ruff check src/ --target-version py310 + run: ruff check src/ --target-version py310 + - name: Run tests run: | python -m pytest tests/ -v --tb=short @@ -36,4 +42,3 @@ jobs: run: | deadcode --version deadcode --help -
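Review bot: The lint step no longer installs ruff itself, so `run: ruff check src/ --target-version py310` now depends on the preceding `pip install -e ".[dev]"` context step pulling ruff in through the `dev` extra, which this diff does not show; if that extra does not list ruff the step fails with a missing command. It is also a behaviour change the commit message does not mention (it lists only workflow-security items), so either the message should note that lint now uses the dev-extra ruff, or the install should stay explicit as `run: pip install ruff && ruff check src/ --target-version py310`. Keeping ruff in the dev extra is the better of the two, since the version is then controlled by the project's dependency metadata rather than whatever pip resolves at run time; the enclosing `test` job starts and ends outside this hunk.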