Skip to content

chore: security audit remediations#65

Open
djdanielsson wants to merge 3 commits into
develfrom
chore/security-audit-remediations
Open

chore: security audit remediations#65
djdanielsson wants to merge 3 commits into
develfrom
chore/security-audit-remediations

Conversation

@djdanielsson

Copy link
Copy Markdown
Contributor

Summary

  • Resolved multiple CodeQL findings: workflow permissions, pinned actions, and safer checkout behavior for untrusted PRs.
  • Hardened pull_request_target workflow with an approval environment (conditional vs push).
  • Added Dependabot for GitHub Actions.
  • Expanded .gitignore for common secret material.

Details

Repo: redhat-cop/eda_configuration | Base branch: devel

  • 15 CodeQL alerts resolved: permissions added to all workflows, actions pinned to SHAs, untrusted checkout gated
  • pull_request_target (ci_standalone.yml): Added environment: name: pr-approval with conditional for pull_request_target vs push
  • Dependabot: Created .github/dependabot.yml for github-actions (weekly)
  • .gitignore: Added .env, *.pem, *.key

Made with Cursor

@djdanielsson
djdanielsson temporarily deployed to requires-approval March 26, 2026 20:02 — with GitHub Actions Inactive
djdanielsson and others added 3 commits June 16, 2026 13:39
- Add explicit GITHUB_TOKEN permissions on all workflows (CodeQL actions/missing-workflow-permissions)

- Pin actions-cool/issues-helper, actions/checkout, actions/setup-python, and ansible_collections_tooling to commit SHAs (CodeQL actions/unpinned-tag)

- Gate pull_request_target CI with environment pr-approval; use unprotected ci env for push (mitigates CodeQL untrusted-checkout on PR forks)

- Add Dependabot for github-actions weekly updates

- Ignore .env, *.pem, and *.key in .gitignore
…ylint issues

Remove unsupported parseable key from .ansible-lint and fix eda_module.py
pylint violations (PY2 import and delete_if_needed variable assignment).

Co-authored-by: Cursor <cursoragent@cursor.com>
@djdanielsson
djdanielsson force-pushed the chore/security-audit-remediations branch from 7669bd8 to 2ec52cd Compare June 16, 2026 13:40
@djdanielsson
djdanielsson deployed to requires-approval June 16, 2026 13:40 — with GitHub Actions Active
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant