security hygiene on actions

[adhami3310]

No description provided.

[codspeed-hq]

Merging this PR will not alter performance

✅ 24 untouched benchmarks
⏩ 2 skipped benchmarks¹

---

_{Comparing security-hygiene-on-actions (989827a) with main (b156d87)}

Footnotes

1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[greptile-apps]

Greptile Summary

This PR hardens the security posture of all GitHub Actions workflows in the repository. Workflow-level permissions are reduced to contents: read and elevated permissions are scoped only to the specific jobs that need them (release jobs). The persist-credentials: false option is added to every actions/checkout call so the GITHUB_TOKEN is never stored in the git credential helper. Additional improvements include fixing concurrency group fallbacks for non-PR runs, removing PR_TITLE from workflow env vars, tightening the tag parsing regex in parse_tag.sh, using an officially-pinned oven-sh/setup-bun instead of a hardcoded bun path, and adding fail-on-severity: high to dependency review.

• Least-privilege permissions: auto_release_internal.yml, dispatch_release.yml, and publish.yml now define contents: write/actions: write only on the release job, not at the workflow level.
• Credential hygiene: persist-credentials: false is added to every actions/checkout across all 15 workflow files.
• Concurrency group fix: Workflows that run on both pull_request and push events now fall back to github.sha when github.event.pull_request.id is absent.

Confidence Score: 5/5

All changes are security hardening with no behavioral regressions; release scripts use the gh CLI via GH_TOKEN env var and are unaffected by persist-credentials: false.

Every checkout now drops git credentials after clone, write permissions are confined to the exact jobs that create releases or dispatch workflows, the concurrency-group fix prevents non-PR pushes from clobbering each other, and PR_TITLE is scrubbed from the environment. The release scripts were verified to use gh release create (GH_TOKEN env) rather than git push, so removing stored git credentials causes no breakage.

No files require special attention. All changes are mechanical and consistently applied across the 15 workflow files.

Important Files Changed

Filename	Overview
.github/scripts/publish/parse_tag.sh	Tightens tag regex to restrict package and version to safe character sets, preventing injection via crafted release tag names.
.github/workflows/auto_release_internal.yml	Workflow-level permissions reduced to contents: read; write permissions moved to the release job only; persist-credentials: false added to all checkouts.
.github/workflows/dispatch_release.yml	Workflow-level permissions reduced to contents: read; contents: write/actions: write scoped to release job only; all checkout steps get persist-credentials: false; gate warning comment improved.
.github/workflows/publish.yml	Adds workflow-level contents: read; the publish job retains id-token: write via its own job-level permissions for OIDC-based PyPI publishing; persist-credentials: false added.
.github/workflows/integration_tests.yml	Removes PR_TITLE env var (untrusted PR author input), adds persist-credentials: false to all checkouts, and fixes concurrency group fallback to github.sha for non-PR runs.
.github/workflows/dependency-review.yml	Adds fail-on-severity: high to dependency-review-action and persist-credentials: false to checkout.
.github/workflows/check_outdated_dependencies.yml	Replaces hardcoded bun binary path with official oven-sh/setup-bun action; adds persist-credentials: false; quotes Python version string.
.github/workflows/reflex_init_in_docker_test.yml	Fixes docker run volume mount quoting and concurrency group fallback; adds persist-credentials: false.
.github/workflows/performance.yml	Removes PR_TITLE env var and adds persist-credentials: false to both checkout steps.
.github/workflows/pre-commit.yml	Adds persist-credentials: false to both checkout steps, fixes concurrency group, quotes Python version, and adds explanatory comment for the double-checkout pattern.
.github/workflows/build_packages.yml	Adds persist-credentials: false to both checkout steps and quotes the Python version string.
.github/workflows/check_node_latest.yml	Adds persist-credentials: false and quotes Python version string.
.github/workflows/codeql.yml	Adds persist-credentials: false to the checkout step.
.github/workflows/integration_app_harness.yml	Fixes concurrency group fallback to github.sha for non-PR runs and adds persist-credentials: false to both checkout steps.
.github/workflows/unit_tests.yml	Fixes concurrency group fallback to github.sha and adds persist-credentials: false to all checkout steps.

_{Reviews (1): Last reviewed commit: "security hygiene on actions" | Re-trigger Greptile}