Skip to content

CI: Harden GHA configuration #104

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

CI: Harden GHA configuration #104

wants to merge 6 commits into from

Conversation

tacaswell
Copy link
Member

Apply recommended hardening steps including:

  • pinning to a SHA any actions used
  • not persisting the read token on checkout
  • setting the default permissions
  • adding a depandabot file for GHA

tacaswell added 5 commits July 17, 2025 20:56
@tacaswell
CI: pin actions by SHA
4592095 
This eliminates the possibility of a tag being changed under
us.
@tacaswell
CI: pin actions by SHA
e8e3014 
This eliminates the possibility of a tag being changed under
us.
@tacaswell
CI: auto-fix via zizmor
cf9cf71 
May include:

- Avoids risky string interpolation.
- Prevents checkout premissions from leaking
@tacaswell
CI: Restrict default permissions
6345345 
Reduces risk of arbitrary code is run by attacker.
@tacaswell
CI: add dependabot config file for GHA
2e5b728
QuLogic
QuLogic reviewed Jul 22, 2025
View reviewed changes
.github/workflows/circleci.yml
@@ -27,15 +27,19 @@ jobs:
name: Post warnings/errors as review
steps:
- uses: actions/checkout@v3
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not pinning this one to a commit?

.github/workflows/release.yml
@@ -14,6 +16,7 @@ jobs:
- uses: actions/checkout@v4
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also not pinned to a commit.

.github/workflows/release.yml
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

None of the actions are pinned to commit in this file.

.github/workflows/reviewdog.yml Outdated
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

None of the actions are pinned to commits here.

@tacaswell @QuLogic
CI: update version string
4c0fd47 
Co-authored-by: Elliott Sales de Andrade <quantum.analyst@gmail.com>
@tacaswell
Copy link
Member Author

The tool I used to ID what needed to be pinned (zizmor) does not flag actions/XYZ.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@QuLogic QuLogic QuLogic left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tacaswell @QuLogic