
ci: fix workflows security #40

Merged
thomasboni merged 1 commit into main from fix-workflow-security on May 21, 2026

Conversation

@thomasboni (Contributor)

No description provided.

cursor Bot commented May 21, 2026

PR Summary

Low Risk
Low risk: changes are limited to CI/release workflow definitions and an added security policy file, though mis-pins or version constraints could cause CI/release runs to fail.

Overview
Tightens CI/release workflow supply-chain security by pinning third-party uses: steps (e.g., azure/setup-helm, helm/chart-testing-action, helm/chart-releaser-action) to immutable commit SHAs.

Mitigates workflow script-injection by routing the default branch name through env (DEFAULT_BRANCH) before using it in shell commands, and pins helm-unittest (unittest-version: v1.0.3) to remain compatible with Helm 3.10.1.

Adds a new .plumber.yaml enabling GitHub Actions security controls (pin-by-SHA, no dangerous triggers, no debug trace, required actions, etc.) for automated policy analysis.

Reviewed by Cursor Bugbot for commit 355fbc8. Bugbot is set up for automated code reviews on this repo. Configure here.
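The two controls the summary above describes (pin `uses:` steps to a full commit SHA; never interpolate a GitHub expression directly into a `run:` script, route it through `env` instead) are exactly what a policy checker like the one `.plumber.yaml` enables looks for. The following is an added example, not code from this PR or from the repository: a small standard-library Python linter that scans workflow text for those two issues, run over two constructed workflow snippets, a weak one and its hardened form. The SHAs in the hardened snippet are placeholders, not real pins for those actions, and the line-based parsing is a deliberate simplification (no YAML parser).

```python
"""Minimal GitHub Actions workflow linter for two supply-chain/injection rules.

Added example (not the project's code). Standard library only; the workflow is
scanned line by line rather than parsed as YAML, which is enough for the
common `- uses:` / `run: |` layout shown below.
"""
import re
from dataclasses import dataclass

# A full 40-hex commit SHA after '@' is the immutable pin form; tags are mutable.
SHA_PIN = re.compile(r"@[0-9a-f]{40}\b")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
RUN_KEY = re.compile(r"^(\s*)(-\s*)?run:\s*(.*)$")
# A GitHub expression interpolated into a shell script is the injection vector:
# its value is substituted into the script text before the shell parses it.
EXPRESSION = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")
# Event-payload fields are treated as untrusted, so they must not reach `run:` raw.
UNTRUSTED_PREFIXES = ("github.event.", "github.head_ref", "inputs.")


@dataclass
class Finding:
    line: int    # 1-based line in the workflow text
    rule: str    # "pin-by-sha" or "expression-in-run"
    detail: str  # the offending reference or expression


def lint_workflow(text: str) -> list[Finding]:
    findings: list[Finding] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = USES_LINE.match(line)
        if m:
            ref = m.group(1)
            # Local actions (./path) and docker:// refs are out of scope for SHA pinning.
            if not ref.startswith(("./", "docker://")) and not SHA_PIN.search(ref):
                findings.append(Finding(i + 1, "pin-by-sha", ref))
        r = RUN_KEY.match(line)
        if r:
            # Indent of the `run` key itself; a block scalar (run: |) continues on
            # lines indented deeper than that, sibling keys such as `env:` do not.
            key_indent = len(r.group(1)) + len(r.group(2) or "")
            body = [r.group(3)]
            j = i + 1
            while j < len(lines) and (
                lines[j].strip() == "" or len(lines[j]) - len(lines[j].lstrip()) > key_indent
            ):
                body.append(lines[j])
                j += 1
            for k, chunk in enumerate(body):
                for expr in EXPRESSION.findall(chunk):
                    if expr.startswith(UNTRUSTED_PREFIXES):
                        findings.append(Finding(i + 1 + k, "expression-in-run", expr))
            i = j
            continue
        i += 1
    return findings


# Constructed sample: mutable tag pins and a raw expression inside the shell script.
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: azure/setup-helm@v4
      - name: Lint against default branch
        run: |
          ct lint --target-branch ${{ github.event.repository.default_branch }}
"""

# Constructed hardened form: SHA pins (placeholder SHAs, not real ones) and the
# branch name passed through env so the shell sees a quoted variable, not script text.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: azure/setup-helm@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - name: Lint against default branch
        env:
          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
        run: |
          ct lint --target-branch "$DEFAULT_BRANCH"
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {len(lint_workflow(wf))} finding(s)")
        for f in lint_workflow(wf):
            print(f"  line {f.line}: {f.rule}: {f.detail}")
```

Running it reports three findings for the weak workflow (two unpinned `uses:` references and the expression inside `run:`) and none for the hardened one. The `env` route works because the runner sets `DEFAULT_BRANCH` as a process environment variable, so whatever the value contains is never spliced into the script source; quoting `"$DEFAULT_BRANCH"` then keeps the shell from word-splitting it.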

thomasboni force-pushed the fix-workflow-security branch 2 times, most recently from d476db7 to 1d981f7 (May 21, 2026 08:25)
thomasboni force-pushed the fix-workflow-security branch from 1d981f7 to 355fbc8 (May 21, 2026 09:09)
thomasboni merged commit dc644a4 into main (May 21, 2026)
3 checks passed