Skip to content

CI: Harden GHA configuration #33

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

CI: Harden GHA configuration #33

wants to merge 5 commits into from

Conversation

tacaswell
Copy link
Member

Apply recommended hardening steps including:

  • pinning to a SHA any actions used
  • not persisting the read token on checkout
  • setting the default permissions
  • adding a depandabot file for GHA

tacaswell added 4 commits July 17, 2025 21:02
@tacaswell
CI: pin actions by SHA
6b1eb8f 
This eliminates the possibility of a tag being changed under
us.
@tacaswell
CI: auto-fix via zizmor
f69e8fa 
May include:

- Avoids risky string interpolation.
- Prevents checkout premissions from leaking
@tacaswell
CI: Restrict default permissions
073c865 
Reduces risk of arbitrary code is run by attacker.
@tacaswell
CI: add dependabot config file for GHA
65db549
QuLogic
QuLogic reviewed Jul 22, 2025
View reviewed changes
.github/workflows/testing.yml Outdated
@@ -41,4 +44,4 @@ jobs:
coverage report

- name: Upload code coverage
uses: codecov/codecov-action@v1
uses: codecov/codecov-action@29386c70ef20e286228c72b668a06fd0e8399192 # v1
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is pretty outdated, since it's at v5 now, but if you don't want to update it here, probably set the comment to v1.5.2 so that dependabot will update to specific versions instead of the major version.

.github/workflows/docs.yml Outdated
@@ -17,7 +21,7 @@ jobs:
run: make -Cdoc html
- name: Publish
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
uses: peaceiris/actions-gh-pages@v3
uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also outdated, but can set the comment to v3.9.3 to match the commit ref.

@tacaswell
Copy link
Member Author

I did not do any updating as part of this wave of PRs. The plan in my head was to rely on dependabot to fix that in a second pass.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@QuLogic QuLogic QuLogic approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tacaswell @QuLogic