Comparing changes

base repository: hexpm/hex
base: main
head repository: maennchen/hex
compare: main
  • 5 commits
  • 3 files changed
  • 1 contributor

Commits on Feb 25, 2026

  1. Add explicit permissions to CI workflow

    Restrict workflow permissions to read-only content access following
    GitHub security best practices.
    maennchen committed Feb 25, 2026
    ac78963
  2. Pin GitHub Actions to commit SHAs

    Replace mutable version tags with immutable commit hashes for
    actions/checkout and erlef/setup-beam to prevent supply chain attacks.
    maennchen committed Feb 25, 2026
    240beea
  3. Add Dependabot for GitHub Actions updates

    Configure weekly automated dependency updates for GitHub Actions
    to keep pinned action versions current.
    maennchen committed Feb 25, 2026
    334b898
  4. Disable credential persistence in checkout actions

    Prevent GitHub token from being stored in the local git config
    to mitigate the artipacked vulnerability.
    
    See: https://docs.zizmor.sh/audits/#artipacked
    maennchen committed Feb 25, 2026
    c04b22e
  5. Add CodeQL and Zizmor security scanning workflows

    Add CodeQL for static analysis of GitHub Actions and Zizmor for
    workflow security auditing. Runs on push, PR, and weekly schedule.
    maennchen committed Feb 25, 2026
    5579961
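
The commits above harden the workflows in three checkable ways: an explicit `permissions` block, actions pinned to full commit SHAs, and `persist-credentials: false` on checkout. As an added example (not code from hexpm/hex or from this pull request), a small line-based audit for those three properties; the two sample workflows and their placeholder SHAs are constructed, and `audit` is a hypothetical helper that does not parse YAML and is no substitute for zizmor.

```python
import re

# Constructed sample: no permissions block, mutable tags, default checkout.
WEAK = """\
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: erlef/setup-beam@v1
"""

# Constructed sample with the three hardening steps applied (SHAs are placeholders).
HARDENED = """\
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder
        with:
          persist-credentials: false
      - uses: erlef/setup-beam@89abcdef0123456789abcdef0123456789abcdef # placeholder
"""

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")  # action reference, comment excluded
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")              # immutable 40-hex commit pin

def audit(workflow_text):
    """Return findings for a workflow file, in the order they appear."""
    lines = workflow_text.splitlines()
    findings = []
    if not any(re.match(r"\s*permissions:", l) for l in lines):
        findings.append("no-permissions-block")  # token falls back to repo default scope
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if not ref.startswith("./") and not FULL_SHA.search(ref):
            findings.append(f"unpinned:{ref}")  # tag or branch can be moved upstream
        if ref.startswith("actions/checkout@"):
            rest = lines[i + 1:]  # this step's body runs until the next list item
            end = next((j for j, l in enumerate(rest) if re.match(r"\s*-\s", l)), len(rest))
            if not any(re.match(r"\s*persist-credentials:\s*false\b", l) for l in rest[:end]):
                findings.append("checkout-persists-credentials")  # token left in .git/config
    return findings
```
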