Skip to content

ci: pin PR title action to SHA and restrict permissions#13

Merged
ogrodnek merged 1 commit into
mainfrom
ci/pin-pr-title-action-sha
May 13, 2026
Merged

ci: pin PR title action to SHA and restrict permissions#13
ogrodnek merged 1 commit into
mainfrom
ci/pin-pr-title-action-sha

Conversation

@ogrodnek

Copy link
Copy Markdown
Contributor

Small hardening pass on our PR title workflow, based on a zizmor scan:

  • Pinned amannn/action-semantic-pull-request to its commit SHA. Tags are mutable, so this protects us if the tag ever gets re-pointed.
  • Added permissions: pull-requests: read so the job uses a minimal token instead of inheriting the default scopes.

Functionally identical — the action just validates that PR titles follow conventional commits. Same fix as homebound-team/beam#1242.

Note: zizmor also flags on: pull_request_target as risky in general. Per the maintainer and GitHub Security Lab, it's safe here since we don't check out PR code — the two changes above are the recommended defense-in-depth on top.

@ogrodnek ogrodnek marked this pull request as ready for review May 13, 2026 22:54
@ogrodnek ogrodnek requested review from bdow and stephenh May 13, 2026 22:55
@ogrodnek ogrodnek merged commit e71f382 into main May 13, 2026
2 checks passed
@ogrodnek ogrodnek deleted the ci/pin-pr-title-action-sha branch May 13, 2026 23:33
@homebound-team-bot

Copy link
Copy Markdown

🎉 This PR is included in version 2.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants