Skip to content

[StepSecurity] ci: Harden GitHub Actions #5729

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[StepSecurity] ci: Harden GitHub Actions #5729

wants to merge 1 commit into from

Conversation

step-security-bot
Copy link

Summary

This pull request is created by StepSecurity at the request of @arr00. Please merge the Pull Request to incorporate the requested changes. Please tag @arr00 on your message if you have any questions related to the PR.

Security Fixes

Least Privileged GitHub Actions Token Permissions

The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.

Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.

Feedback

For bug reports, feature requests, and general feedback; please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot bot@stepsecurity.io

@step-security-bot
[StepSecurity] ci: Harden GitHub Actions
73ae8cf 
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Jun 9, 2025

⚠️ No Changeset found

Latest commit: 73ae8cf

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@ernestognw ernestognw closed this Jun 9, 2025
@ernestognw ernestognw reopened this Jun 9, 2025
arr00
arr00 reviewed Jun 9, 2025
View reviewed changes
.github/workflows/release-cycle.yml
Comment on lines +23 to +24
permissions:
contents: read
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ernestognw is this ok?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can remove if not

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know about this particular line (permissions/contents)

for the rest, I'm not a big fan of obscure hashes vs version tag.

  • we would need to check that the tags correct and don't point to anything malicious (unlikelly)
  • maintenance is more difficult
  • maintenance has to be done more frequently (we may miss on security patch)

Overall not really in favor of this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Amxx Amxx Amxx left review comments

@arr00 arr00 arr00 left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@step-security-bot @Amxx @arr00 @ernestognw