dchud
mrrc
Blog
Docs
Changelog
Blog
Docs
Changelog
Overview
Branches
Benchmarks
Runs
Performance History
Latest Results
ci: harden workflows and add zizmor security scan (#412) Pin all third-party actions to commit SHAs, add persist-credentials: false to every checkout, scope docs.yml Pages permissions to the deploy job, and disable the release-test uv cache (cache-poisoning fix). Add a zizmor job to the lint workflow (offline, no path filter so it stays a reliable required check) plus .github/zizmor.yml, which allows ref pins for dtolnay/rust-toolchain and taiki-e/install-action (whose ref selects the toolchain/tool) and requires SHA pins everywhere else. Record the publish gate and this hardening under CHANGELOG [Unreleased] Security. Resolves bd-7nhc; closes bd-uqiq (sha_pinning_required) as superseded by the zizmor CI check.
main
7 days ago
ci: harden workflows and add zizmor security scan (#412) Pin all third-party actions to commit SHAs, add persist-credentials: false to every checkout, scope docs.yml Pages permissions to the deploy job, and disable the release-test uv cache (cache-poisoning fix). Add a zizmor job to the lint workflow (offline, no path filter so it stays a reliable required check) plus .github/zizmor.yml, which allows ref pins for dtolnay/rust-toolchain and taiki-e/install-action (whose ref selects the toolchain/tool) and requires SHA pins everywhere else. Record the publish gate and this hardening under CHANGELOG [Unreleased] Security. Resolves bd-7nhc; closes bd-uqiq (sha_pinning_required) as superseded by the zizmor CI check.
main
7 days ago
ci: harden workflows and add zizmor security scan Pin all third-party actions to commit SHAs, add persist-credentials: false to every checkout, scope docs.yml Pages permissions to the deploy job, and disable the release-test uv cache (cache-poisoning fix). Add a zizmor job to the lint workflow (offline, no path filter so it stays a reliable required check) plus .github/zizmor.yml, which allows ref pins for dtolnay/rust-toolchain and taiki-e/install-action (whose ref selects the toolchain/tool) and requires SHA pins everywhere else. Record the publish gate and this hardening under CHANGELOG [Unreleased] Security. Resolves bd-7nhc; closes bd-uqiq (sha_pinning_required) as superseded by the zizmor CI check.
ci/workflow-hardening
7 days ago
ci: harden workflows and add zizmor security scan Pin all third-party actions to commit SHAs, add persist-credentials: false to every checkout, scope docs.yml Pages permissions to the deploy job, and disable the release-test uv cache (cache-poisoning fix). Add a zizmor job to the lint workflow (offline, no path filter so it stays a reliable required check) plus .github/zizmor.yml, which allows ref pins for dtolnay/rust-toolchain and taiki-e/install-action (whose ref selects the toolchain/tool) and requires SHA pins everywhere else. Record the publish gate and this hardening under CHANGELOG [Unreleased] Security. Resolves bd-7nhc; closes bd-uqiq (sha_pinning_required) as superseded by the zizmor CI check.
ci/workflow-hardening
7 days ago
Gate PyPI publish behind a required-reviewer environment (#411) * chore(beads): add PyPI/CI workflow-hardening backlog items Adds bd-ky8t (PyPI publish approval gate), bd-7nhc (zizmor + workflow hardening), and bd-uqiq (repo-level SHA-pin enforcement); marks bd-ky8t in progress. * ci(release): gate PyPI publish behind the publish-to-pypi environment Add a job-level `environment: publish-to-pypi` to the publish-pypi job so a maintainer must approve the deployment before any upload runs. The gate sits at job level, so it covers both real tag-push publishes and TestPyPI rehearsals. The gate is inert until the environment is created with a required reviewer in repo settings; without it GitHub auto-creates an unprotected environment on first use. Setup steps are in the PR. * chore(beads): close bd-ky8t (PyPI publish approval gate)
main
7 days ago
Gate PyPI publish behind a required-reviewer environment (#411) * chore(beads): add PyPI/CI workflow-hardening backlog items Adds bd-ky8t (PyPI publish approval gate), bd-7nhc (zizmor + workflow hardening), and bd-uqiq (repo-level SHA-pin enforcement); marks bd-ky8t in progress. * ci(release): gate PyPI publish behind the publish-to-pypi environment Add a job-level `environment: publish-to-pypi` to the publish-pypi job so a maintainer must approve the deployment before any upload runs. The gate sits at job level, so it covers both real tag-push publishes and TestPyPI rehearsals. The gate is inert until the environment is created with a required reviewer in repo settings; without it GitHub auto-creates an unprotected environment on first use. Setup steps are in the PR. * chore(beads): close bd-ky8t (PyPI publish approval gate)
main
7 days ago
chore(beads): close bd-ky8t (PyPI publish approval gate)
ci/pypi-publish-approval-gate
7 days ago
chore(beads): close bd-ky8t (PyPI publish approval gate)
ci/pypi-publish-approval-gate
7 days ago
Latest Branches
CodSpeed Performance Gauge
0%
Harden CI/release workflows and add a zizmor security check
#412
7 days ago
5e6dbbe
ci/workflow-hardening
CodSpeed Performance Gauge
0%
Gate PyPI publish behind a required-reviewer environment
#411
7 days ago
b11f355
ci/pypi-publish-approval-gate
CodSpeed Performance Gauge
0%
fix(deps): bump crossbeam-epoch to 0.9.20 for RUSTSEC-2026-0204
#402
12 days ago
1e844bf
chore/crossbeam-epoch-security-advisory
© 2026 CodSpeed Technology
Home
Terms
Privacy
Docs