Skip to content

Harden GHA#90

Merged
virajmehta merged 5 commits intomainfrom
gb/harden-ci
Apr 29, 2026
Merged

Harden GHA#90
virajmehta merged 5 commits intomainfrom
gb/harden-ci

Conversation

@GabrielBianconi
Copy link
Copy Markdown
Member

@GabrielBianconi GabrielBianconi commented Apr 28, 2026
edited by cursor Bot
Loading

Note

Medium Risk
Workflow changes adjust permissions, concurrency, and action versions, which can impact CI/benchmark execution and merge-queue behavior if misconfigured.

Overview
Hardens GitHub Actions execution. Existing CI and Benchmark workflows now use workflow-level concurrency, least-privilege permissions, and SHA-pinned actions (with persist-credentials: false on checkout).

Adds security enforcement. Introduces a new security workflow that runs pinact (fails on unpinned uses:) and zizmor (uploads SARIF to code scanning), plus a final gate job that treats skips as failures in merge queue.

Adds .github/zizmor.yml to tune zizmor rules/ignores to avoid duplicate findings with pinact and document intentional exceptions (e.g., dtolnay/rust-toolchain and unpinned Postgres image).

Reviewed by Cursor Bugbot for commit 36b59fc. Bugbot is set up for automated code reviews on this repo. Configure here.

@tensorzero-cla-bot
Copy link
Copy Markdown

tensorzero-cla-bot Bot commented Apr 28, 2026
edited
Loading

✅ All contributors to this pull request have signed the TensorZero CLA. Thank you!

chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Apr 28, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ad3033f620

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/ci.yml Outdated
cursor[bot]
cursor Bot reviewed Apr 28, 2026
View reviewed changes
Comment thread .github/workflows/ci.yml
@GabrielBianconi
Copy link
Copy Markdown
Member Author

GabrielBianconi commented Apr 28, 2026

I have read the Contributor License Agreement (CLA) and hereby sign the CLA.

tensorzero-cla-bot Bot added a commit that referenced this pull request Apr 28, 2026
@tensorzero-cla-bot
Sign CLA: @GabrielBianconi (#90)
7212c62
@github-advanced-security
Copy link
Copy Markdown

github-advanced-security AI commented Apr 28, 2026

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Apr 28, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 80d1a9cd92

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/ci.yml Outdated
cursor[bot]
cursor Bot reviewed Apr 28, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 80d1a9c. Configure here.

Comment thread .github/workflows/security.yml
@virajmehta virajmehta added this pull request to the merge queue Apr 29, 2026
Merged via the queue into main with commit dd5b38d Apr 29, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@cursor cursor[bot] cursor[bot] left review comments

@virajmehta virajmehta virajmehta approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@GabrielBianconi @github-advanced-security @virajmehta