P-2208: Harden github actions #28
- Delete with-next-app-router/.github/workflows/lint.yaml (stale; nested path GHA never executes; pinned actions/checkout@master)
- build.yml: add workflow-level permissions: contents: read
- build.yml: persist-credentials: false on all 3 checkouts
- build.yml: quote $AUDIT_LEVEL in pnpm audit (SC2086)

Refs P-2208.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Code Review
This pull request deletes the lint.yaml workflow file. The reviewer noted that the PR is incomplete because it lacks the hardening improvements and dependency updates mentioned in the PR summary, such as workflow-level permissions and the update to pnpm/action-setup@v11.
| @@ -1,37 +0,0 @@ | |||
| name: Lint | |||
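Review bot: at `@@ -1,37 +0,0 @@` the whole Lint workflow is removed, and the commit message says it never executed from the nested path, so this file never provided lint coverage for with-next-app-router. Suggest stating in the PR description whether a workflow under the root .github/workflows runs the lint step, or tracking that gap as a follow-up, so the deletion does not hide missing coverage.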
@gemini-code-assist this review is mistaken — the build.yml hardening changes are present in the diff. See .github/workflows/build.yml in the PR:
Re "update to pnpm/action-setup@v11" — that wasn't part of the P-2208 scope and isn't mentioned in the PR description. The action
Thank you for the clarification, @keiloktql. I apologize for the oversight in my previous assessment. You are correct that the hardening changes for
Hardens GHA workflows per Linear P-2208.
Refs P-2208.
🤖 Generated with Claude Code
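A small checker for three of the workflow properties the commit message lists (workflow-level `permissions`, `persist-credentials: false` on every checkout, no action pinned to a branch such as `@master`), added here as an example and not part of the PR. The sample workflow is constructed, the function names `steps` and `audit` are hypothetical, and the check is line-based, not a full YAML parser.

```python
import re

# Constructed, trimmed sample (not the PR's build.yml): no workflow-level
# permissions, one checkout on a branch ref, one hardened checkout.
SAMPLE = """\
on: [push]
jobs:
  audit:
    steps:
      - uses: actions/checkout@master
      - run: pnpm audit
  build:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
"""

def steps(text):
    """Yield (line_no, block) for each YAML list item, nested lines included."""
    cur, indent, start = [], None, 0
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        depth = len(line) - len(line.lstrip())
        if indent is not None and depth <= indent:  # sibling or dedent ends item
            yield start, "\n".join(cur)
            cur, indent = [], None
        if indent is None and line.lstrip().startswith("- "):
            indent, start = depth, no
        if indent is not None:
            cur.append(line)
    if cur:
        yield start, "\n".join(cur)

def audit(text):
    """Return (line_no, finding) pairs; line 0 means the file as a whole."""
    out = []
    if not re.search(r"^permissions:", text, re.M):
        out.append((0, "no workflow-level permissions block"))
    for no, block in steps(text):
        for spec in re.findall(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)", block, re.M):
            action, _, ref = spec.strip("'\"").partition("@")
            if ref in ("master", "main"):
                out.append((no, f"{action} pinned to mutable branch {ref}"))
            if action == "actions/checkout" and not re.search(
                    r"^\s*persist-credentials:\s*['\"]?false\b", block, re.M):
                out.append((no, "checkout without persist-credentials: false"))
    return out
```

`audit(SAMPLE)` reports the missing permissions block and both problems on the first checkout, and returns an empty list once those are fixed.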