CI: update#37

Merged
solardiz merged 12 commits into openwall:main from ldv-alt:main on Feb 22, 2026

Conversation

@ldv-alt ldv-alt commented Feb 17, 2026

Miscellaneous CI updates.

solardiz and others added 12 commits February 16, 2026 08:00
Unfortunately, those older versions of gcc and clang are not in ubuntu-22.04

Since the default gcc version in ubuntu-latest image is not gcc9,
explicitly set the compiler for gcc9 job to gcc9.

Fixes: 52edebb ("github: switch most of ubuntu-20.04 jobs to ubuntu-latest")

Since the default clang version in ubuntu-latest image is not clang10,
and none of available ubuntu images provide clang10, remove the clang10 job.

Fixes: 52edebb ("github: switch most of ubuntu-20.04 jobs to ubuntu-latest")

Given that ubuntu-latest points to ubuntu-24.04 for quite a while,
the configuration when those jobs that use newer compiler versions
are pinned to ubuntu-24.04 while other jobs already use ubuntu-latest,
just creates inconsistency.

When ubuntu-latest switches from ubuntu-24.04 to ubuntu-26.04, those
of ubuntu-latest jobs for which the build image wouldn't provide the
compiler would have to be pinned to ubuntu-24.04.

Set `persist-credentials: false` for actions/checkout.

By default, using `actions/checkout` causes a credential to be persisted on
disk.  Subsequent steps may accidentally publicly persist the credential, e.g.
by including it in a publicly accessible artifact via actions/upload-artifact.
However, even without this, persisting the credential on disk is non-ideal
unless actually needed.

Link: https://docs.zizmor.sh/audits/#artipacked

Set `permissions: {}` at the workflow level to prevent unnecessarily
granting overly broad default permissions to jobs.

Link: https://docs.zizmor.sh/audits/#excessive-permissions

When a new CI run is started, any in-progress CI runs for the same PR,
branch, or tag are cancelled.

Link: https://docs.zizmor.sh/audits/#concurrency-limits

When "name:" is omitted, the workflow or action is rendered anonymously in the
GitHub Actions UI, making it harder to understand which definition is running.

Link: https://docs.zizmor.sh/audits/#anonymous-definition

This is a recommended security practice because commit hashes are immutable,
which prevents tag renaming attacks.

Dependabot can detect newer versions even if the current version is pinned to
a specific commit hash.  For GitHub Actions, it is common practice to append
a version tag name as a comment text to the commit hash, and Dependabot
automatically updates this comment when it bumps the commit hash.

Link: https://docs.zizmor.sh/audits/#unpinned-uses

By default, Dependabot does not perform any cooldown on dependency updates.
In other words, a regularly scheduled Dependabot run may perform an update
on a dependency that was just released moments before the run began.
This presents both stability and supply-chain security risks.
To mitigate these risks, explicitly set Dependabot cooldown period to 7 days.

Link: https://docs.zizmor.sh/audits/#dependabot-cooldown
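The commit messages above describe the hardening settings one at a time. The following is an added example that gathers them into one workflow plus a Dependabot configuration (two files, separated by a YAML `---` document marker); it is not the project's own CI configuration. The workflow name, trigger events, the `build` job, its compiler/image matrix entries, the `make` build step and the all-zero checkout SHA are placeholders or assumptions; the matrix uses the one-line `include:` form the later comments on this PR settle on, and the Dependabot `cooldown` key is taken from the zizmor audit the commit links to.

```yaml
# Added example, not the project's own CI configuration.
# File 1 of 2: .github/workflows/ci.yml
name: CI                      # explicit name: no anonymous definition in the Actions UI

on:
  push:
  pull_request:

# Workflow level: grant nothing by default; each job asks only for what it needs.
permissions: {}

# One in-progress run per workflow and ref; a newer push cancels the older run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build:
    name: build (${{ matrix.os }}, ${{ matrix.cc }})
    runs-on: ${{ matrix.os }}
    permissions:
      contents: read            # a read-only token is enough to check out sources
    strategy:
      fail-fast: false
      matrix:
        # One-line (flow-style) include entries give an explicit, readable job list.
        # The compiler/image pairs are illustrative, not the project's actual matrix.
        include:
          - { os: ubuntu-latest, cc: gcc }
          - { os: ubuntu-latest, cc: clang }
          - { os: ubuntu-24.04,  cc: gcc-14 }
    steps:
      # Pin to a full commit SHA (the all-zero value is a placeholder: substitute the
      # real SHA). The trailing tag comment is what Dependabot rewrites on each bump.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z
        with:
          persist-credentials: false   # do not leave the token behind in .git/config
      - name: Build
        env:
          CC: ${{ matrix.cc }}
        run: make                      # placeholder build command

---
# File 2 of 2: .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    # Wait 7 days after a release before proposing it, so a just-published
    # (possibly compromised or broken) action is not pulled in immediately.
    cooldown:
      default-days: 7
```

Two details worth checking when adopting this shape: `permissions: {}` at the top means every job must declare its own scopes, so a job that publishes artifacts or comments on PRs needs an explicit `permissions:` block of its own, and `cancel-in-progress: true` keyed on `github.ref` will also cancel a still-running push job on a branch when a newer push lands, which is the intended behaviour here but should be kept in mind for release tags.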
@ldv-alt ldv-alt force-pushed the main branch 2 times, most recently from aa95130 to ef65f56 on February 17, 2026 18:14
ldv-alt commented Feb 17, 2026

Amended "use matrix strategy" commit to use "include:" syntax instead of "exclude:" as the former produces an explicit and more readable list of jobs.

@ldv-alt ldv-alt added the github_actions Pull requests that update GitHub Actions code label Feb 17, 2026
ldv-alt commented Feb 17, 2026

GA supports a simpler one-line matrix strategy include syntax, so I've rewritten the "use matrix strategy" again.

@solardiz solardiz merged commit c02da16 into openwall:main Feb 22, 2026
16 checks passed