Skip to content

CI: Harden GHA configuration #102

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

CI: Harden GHA configuration #102

wants to merge 8 commits into from

Conversation

tacaswell
Copy link
Member

Apply recommended hardening steps including:

  • pinning to a SHA any actions used
  • not persisting the read token on checkout
  • setting the default permissions
  • adding a depandabot file for GHA

tacaswell added 7 commits July 17, 2025 21:01
@tacaswell
CI: pin actions by SHA
1658516 
This eliminates the possibility of a tag being changed under
us.
@tacaswell
CI: pin actions by SHA
662d2b2 
This eliminates the possibility of a tag being changed under
us.
@tacaswell
CI: auto-fix via zizmor
036f09c 
May include:

- Avoids risky string interpolation.
- Prevents checkout premissions from leaking
@tacaswell
CI: Restrict default permissions
a6db1fc 
Reduces risk of arbitrary code is run by attacker.
@tacaswell
CI: Restrict default permissions
391a4de 
Reduces risk of arbitrary code is run by attacker.
@tacaswell
CI: set permissions
0a5023c
@tacaswell
CI: add dependabot config file for GHA
ddd5ecb
QuLogic
QuLogic reviewed Jul 22, 2025
View reviewed changes
.github/workflows/main.yaml
@@ -5,8 +5,13 @@ on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: write

steps:
- uses: actions/checkout@v4
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not pinned.

.github/workflows/codeql.yml Outdated
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No actions are pinned in this file.

@tacaswell
Copy link
Member Author

The tool I used to find un-pinned actions (zizmor) does not flag the "official" action/xyz actions.

I suspect the logic is if someone manages to compromise GH there are more direct ways to cause trouble than funny side-band attacks via GHA.

@tacaswell @QuLogic
DOC: update version label
bd38cd9 
Co-authored-by: Elliott Sales de Andrade <quantum.analyst@gmail.com>
@QuLogic
Copy link
Member

QuLogic commented Jul 24, 2025

I think you need to run with the pedantic persona to catch those.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@QuLogic QuLogic QuLogic left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tacaswell @QuLogic