CI: update #5955

Merged

solardiz merged 10 commits into openwall:bleeding-jumbo from ldv-alt:bleeding-jumbo on Feb 22, 2026
Conversation

@ldv-alt (Contributor) commented Feb 17, 2026

Miscellaneous CI updates.

Since the default clang version in ubuntu-latest image is not clang10,
and none of available ubuntu images provide clang10, remove the clang10 job.

Fixes: fb9b49c ("github: switch most of ubuntu-20.04 jobs to ubuntu-latest")

Given that ubuntu-latest points to ubuntu-24.04 for quite a while,
the configuration when those jobs that use newer compiler versions
are pinned to ubuntu-24.04 while other jobs already use ubuntu-latest,
just creates inconsistency.

When ubuntu-latest switches from ubuntu-24.04 to ubuntu-26.04, those
of ubuntu-latest jobs for which the build image wouldn't provide the
compiler would have to be pinned to ubuntu-24.04.

Set `permissions: {}` at the workflow level to prevent unnecessarily
granting overly broad default permissions to jobs.

Link: https://docs.zizmor.sh/audits/#excessive-permissions

When a new CI run is started, any in-progress CI runs for the same PR,
branch, or tag are cancelled.

Link: https://docs.zizmor.sh/audits/#concurrency-limits

When "name:" is omitted, the workflow or action is rendered anonymously in the
GitHub Actions UI, making it harder to understand which definition is running.

Link: https://docs.zizmor.sh/audits/#anonymous-definition

This is a recommended security practice because commit hashes are immutable,
which prevents tag renaming attacks.

Dependabot can detect newer versions even if the current version is pinned to
a specific commit hash. For GitHub Actions, it is common practice to append
a version tag name as a comment text to the commit hash, and Dependabot
automatically updates this comment when it bumps the commit hash.

Link: https://docs.zizmor.sh/audits/#unpinned-uses

By default, Dependabot does not perform any cooldown on dependency updates.
In other words, a regularly scheduled Dependabot run may perform an update
on a dependency that was just released moments before the run began.
This presents both stability and supply-chain security risks.
To mitigate these risks, explicitly set Dependabot cooldown period to 7 days.

Link: https://docs.zizmor.sh/audits/#dependabot-cooldown
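The five hardening settings the PR description lists (workflow name, empty workflow-level permissions, concurrency cancellation, commit-hash-pinned `uses:`, and a Dependabot cooldown) collected into one place, as an added example rather than the project's own workflow or dependabot.yml. The minimal `build` job, its `run:` command and the 40-zero commit hash are placeholders; only the keys themselves are real GitHub Actions and Dependabot configuration.

```yaml
# .github/workflows/ci.yml  (added example, not this repository's file)
name: CI                      # anonymous-definition: a named workflow is identifiable in the UI

# excessive-permissions: grant nothing at the workflow level; each job that
# needs a token declares exactly the scopes it uses instead of inheriting
# the broad default token permissions.
permissions: {}

on: [push, pull_request]

# concurrency-limits: a new run for the same workflow and ref cancels the
# in-progress one, so a superseded push does not keep consuming runners.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build:                      # assumed minimal job
    runs-on: ubuntu-latest    # pin to ubuntu-24.04 only when the image lacks the compiler
    permissions:
      contents: read          # the only scope a checkout-and-build job needs
    steps:
      # unpinned-uses, before:  - uses: actions/checkout@v4
      # after: an immutable commit hash, with the tag kept as a trailing comment
      # so Dependabot can bump both the hash and the comment together.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder hash)
      - run: make -j"$(nproc)"   # assumed build command
---
# .github/dependabot.yml  (added example, not this repository's file)
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    # dependabot-cooldown: wait 7 days after a release before proposing it,
    # so a version published moments before the run is not pulled in immediately.
    cooldown:
      default-days: 7
```

The two documents above are separate files; the `---` only keeps them in one listing. Because `permissions: {}` grants nothing, any job that must write (publish a release, comment on a PR) has to name its scopes explicitly at the job level or it will fail with a 403. `cancel-in-progress: true` also cancels runs on the default branch; projects that want every push to the main branch fully tested commonly make it conditional on `github.ref`.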
@solardiz (Member) commented
Thank you very much, @ldv-alt! I see this one update required changes custom to this project.

solardiz merged commit d8f5b01 into openwall:bleeding-jumbo on Feb 22, 2026
33 of 34 checks passed