Pin GitHub Actions to commit SHAs and scope workflow permissions #79

Merged: marcelomagina merged 1 commit into main from security/pin-actions-and-permissions on Jun 1, 2026

@marcelomagina marcelomagina commented May 28, 2026

Types of changes

Chore (CI security hardening)

Description of the proposed changes

Hardens the new-post.yml workflow based on a zizmor static analysis of the repo's GitHub Actions:

  • Pin internal composite actions to a commit SHA. read-blog-post-content and notify-of-new-blog-post-to-review were referenced via the mutable @master ref of loadsmart/github-actions. Anyone able to push to that repo's master (or a compromise of it) would flow straight into this workflow with the repo token. Both are now pinned to a commit SHA with a # master comment for readability.
  • Pin and upgrade actions/checkout. Was @v2 (unpinned + outdated); now pinned to the v4.2.2 commit SHA, with persist-credentials: false so the token isn't left on disk.
  • Scope job permissions. The notify-if-blog-post job ran with the default (broad) GITHUB_TOKEN; it only needs contents: read, which is now set explicitly.

After these changes zizmor reports no findings for this workflow.

Screenshots

N/A — CI configuration change only.

Summary by CodeRabbit

  • Chores
    • Enhanced workflow configuration with improved security permissions and updated action versions for better maintainability and reliability.


@marcelomagina marcelomagina requested a review from a team as a code owner May 28, 2026 20:41
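
The three conditions the PR description lists (mutable action refs, a checkout step that leaves the token on disk, and a job running with default token permissions), as an added example that is not part of this PR or of zizmor: a stdlib-only Python heuristic run over a constructed before/after job. The sub-paths under loadsmart/github-actions, the all-zero placeholder SHA and the rule labels are assumptions.

```python
import re

USES = re.compile(r"^(\s*)(-\s+)?uses:\s*([^\s#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")

def audit(workflow: str) -> list[str]:
    """Line-based heuristic (no YAML parser); rule labels are this example's own."""
    findings = []
    lines = workflow.splitlines()
    # Coarse check: any permissions key, workflow- or job-level, counts.
    if not re.search(r"^\s*permissions:", workflow, re.M):
        findings.append("default-permissions")
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m or m.group(3).startswith(("./", "docker://")):
            continue  # local and container actions carry no git ref
        action, _, ref = m.group(3).partition("@")
        if not FULL_SHA.fullmatch(ref):
            findings.append(f"mutable-ref {action}@{ref}")
        if action == "actions/checkout":
            # The step ends at the next line indented no deeper than its "- ".
            dash = len(m.group(1)) - (0 if m.group(2) else 2)
            body = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= dash:
                    break
                body.append(nxt)
            if not re.search(r"persist-credentials:\s*false", "\n".join(body)):
                findings.append("token-persisted actions/checkout")
    return findings

# Constructed "before" job; the sub-paths under loadsmart/github-actions are assumed.
BEFORE = """\
jobs:
  notify-if-blog-post:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: loadsmart/github-actions/read-blog-post-content@master
      - uses: loadsmart/github-actions/notify-of-new-blog-post-to-review@master
"""
PIN = "0" * 40  # placeholder, not a real commit SHA
AFTER = (BEFORE
    .replace("    runs-on:", "    permissions:\n      contents: read\n    runs-on:")
    .replace("@v2", f"@{PIN}  # v4.2.2\n        with:\n          persist-credentials: false")
    .replace("@master", f"@{PIN}  # master"))

if __name__ == "__main__":
    print(audit(BEFORE), audit(AFTER), sep="\n")
```

A short tag or abbreviated SHA is still reported as mutable; only a full 40-character commit SHA passes the ref check.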
coderabbitai Bot commented May 28, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: loadsmart/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: dc883ed7-6658-47d1-a2fb-b06445181c3f

📥 Commits

Reviewing files that changed from the base of the PR and between 88a5c3d and 6ba8f19.

📒 Files selected for processing (1)
  • .github/workflows/new-post.yml

Walkthrough

The PR updates the notify-if-blog-post workflow job by adding an explicit permissions block granting contents: read and replacing unpinned GitHub Action versions with specific commit SHA pinnings. The actions/checkout@v2 reference is updated to v4.2.2, and custom loadsmart action references are pinned from @master to commit SHAs.

Changes

Workflow Security and Reproducibility

| Layer / File(s) | Summary |
|---|---|
| GitHub Actions permissions and version pinning (.github/workflows/new-post.yml) | Job-level permissions: contents: read block added and action references pinned to commit SHAs (actions/checkout v4.2.2 and custom loadsmart actions) instead of version tags or @master. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

security-change

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main security hardening changes: pinning GitHub Actions to commit SHAs and adding explicit workflow permissions scoping. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


netlify Bot commented May 28, 2026

Deploy Preview for loadsmart-engineering ready!

Name Link
🔨 Latest commit 6ba8f19
🔍 Latest deploy log https://app.netlify.com/projects/loadsmart-engineering/deploys/6a18a88fd1166700082c79b1
😎 Deploy Preview https://deploy-preview-79--loadsmart-engineering.netlify.app

coderabbitai Bot commented May 28, 2026

Actionable comments posted: 0

@rodsenra rodsenra left a comment


lgtm. Thanks for the attentive work @marcelomagina

@marcelomagina marcelomagina merged commit a0e8552 into main Jun 1, 2026
14 of 15 checks passed