Skip to content

Tighten up github actions security#6

Merged
skjolber merged 8 commits intomainfrom
tighterGithubActions
Mar 4, 2026
Merged

Tighten up github actions security#6
skjolber merged 8 commits intomainfrom
tighterGithubActions

Conversation

@skjolber
Copy link
Copy Markdown
Collaborator

@skjolber skjolber commented Mar 2, 2026

No description provided.

@skjolber skjolber requested a review from Copilot March 2, 2026 17:59
Copilot AI reviewed Mar 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Tightens GitHub Actions security posture by reducing inherited secrets and explicitly scoping permissions/secrets for reusable workflow calls.

Changes:

  • Replace secrets: inherit with an explicit SLACK_BOT_TOKEN secret mapping in the deploy notification jobs.
  • Add explicit permissions blocks to reusable workflow jobs (CodeQL scan, PR verification).
  • Add a PR-author association gate to the CodeQL reusable workflow job.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
.github/workflows/deploy-main.yml Stops inheriting all secrets for Slack notification reusable workflow; passes only Slack token.
.github/workflows/codeql.yml Adds job permissions and a PR author-association gate for the CodeQL reusable workflow.
.github/workflows/branch-verify.yml Adds minimal contents: read permissions for the PR verification reusable workflow job.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/codeql.yml Outdated
Comment thread .github/workflows/codeql.yml Outdated
@skjolber skjolber requested a review from Copilot March 2, 2026 19:41
Copilot AI reviewed Mar 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/branch-verify.yml Outdated
Comment thread .github/workflows/deploy-main.yml
skjolber and others added 5 commits March 2, 2026 21:21
@skjolber
Update .github/workflows/codeql.yml
784ce3b 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@skjolber
Tighten up github actions security
cb4adc3
@skjolber
Update .github/workflows/branch-verify.yml
340d2f6 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@skjolber
Tighten up github actions security
7d8805c
@skjolber
Merge branch 'tighterGithubActions' of github.com:entur/tlv-pull-pars…
e0905b1 
…er into tighterGithubActions
@skjolber skjolber requested a review from Copilot March 2, 2026 20:28
Copilot AI reviewed Mar 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/codeql.yml Outdated
@skjolber skjolber merged commit 01dfd36 into main Mar 4, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@skjolber