chore: harden CI with Semgrep, CodeQL, pip-audit, SHA-pinned actions, and contributor tooling
- SHA-pin all GitHub Actions across all workflows (ci, scorecard, benchmark)
- Add Semgrep SAST workflow (p/python + p/owasp-top-ten, SARIF upload)
- Add CodeQL workflow (python + actions, security-extended queries)
- Add pip-audit security job to CI; build gates on it
- Add concurrency groups with cancel-in-progress to all workflows
- Fix scorecard.yml overly broad read-all permissions
- Use env var for matrix.python-version (hardened shell interpolation)
- Add Dependabot config with reviewers for pip and github-actions
- Add PR template with security review checklist
- Add FUNDING.yml, Ruff badge, pre-commit large-file and merge-conflict hooks
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
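Two of the items above (SHA-pinning every `uses:` reference and moving `matrix.python-version` into an env var instead of interpolating it into a shell step) are checkable mechanically. The scanner below is an added example, not code from this repository or this commit: it flags actions whose ref is not a 40-hex commit SHA and flags any `${{ ... }}` expression that appears inside a `run:` step, where the expression is expanded before the shell ever sees the script. The workflow text is constructed for the example and the commit SHA in it is a placeholder, not a real release.

```python
import re
from typing import List, Tuple

# Constructed sample workflow (not from the repository). It contains one
# tag-pinned action, one SHA-pinned action (placeholder SHA), one run step
# that interpolates a matrix value directly, and the env-var form of the same step.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ["3.11", "3.12"]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
        with:
          python-version: ${{ matrix.python-version }}
      - name: unsafe
        run: echo "Testing on ${{ matrix.python-version }}"
      - name: safe
        env:
          PY_VERSION: ${{ matrix.python-version }}
        run: |
          echo "Testing on $PY_VERSION"
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")              # a full git commit SHA
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")  # value up to whitespace/comment
RUN_RE = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{")                      # start of a workflow expression


def find_unpinned_actions(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ref, reason) for every `uses:` not pinned to a commit SHA."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local path actions have no ref; docker images are a separate policy
        if "@" not in ref:
            findings.append((n, ref, "no ref at all"))
            continue
        version = ref.rpartition("@")[2]
        if not SHA_RE.match(version):
            findings.append((n, ref, "mutable tag or branch ref"))
    return findings


def find_run_interpolations(text: str) -> List[Tuple[int, str]]:
    """Return (line_no, script_line) for `${{ }}` used inside a run: step.

    Handles both inline `run: cmd` and block scalars (`run: |` / `run: >`), where the
    script continues on every following line indented deeper than the `run:` key.
    """
    lines = text.splitlines()
    findings = []
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = lines[i].index("run:")
        value = m.group(1).strip()
        if value.startswith(("|", ">")):
            j = i + 1
            while j < len(lines) and (
                lines[j].strip() == "" or len(lines[j]) - len(lines[j].lstrip()) > key_col
            ):
                if EXPR_RE.search(lines[j]):
                    findings.append((j + 1, lines[j].strip()))
                j += 1
            i = j
        else:
            if EXPR_RE.search(value):
                findings.append((i + 1, value))
            i += 1
    return findings


if __name__ == "__main__":
    for n, ref, why in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {n}: unpinned action {ref} ({why})")
    for n, script in find_run_interpolations(SAMPLE_WORKFLOW):
        print(f"line {n}: expression interpolated into shell: {script}")
```

The `unsafe` step is the pattern the commit removes: a value that an attacker can influence (here it is only a matrix entry, but `github.event.pull_request.title` or a branch name would be the same shape) is spliced into the script text before bash parses it, so a quote in the value ends the string and runs whatever follows. The `safe` step passes the value through `env:`, where bash receives it as data. A SHA pin is only as good as the process that advances it, which is why the Dependabot config for `github-actions` in the same commit matters.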