Harden CI workflows#1252
Merged
Merged
Conversation
Signed-off-by: Tamal Saha <tamal@appscode.com>
- Pin every action ref to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be re-pointed at malicious code. - Bump outdated actions/checkout@v1 to @v4.3.1 (where present). - Tag-triggered workflows now check out with fetch-depth: 1 and fetch-tags: true so the tag ref is available downstream. - release-tracker.yml grants contents: write at the job level so the default GITHUB_TOKEN can push commits/tags back to the repo. Signed-off-by: Tamal Saha <tamal@appscode.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Tighten the GitHub Actions workflows in this repo so they no longer depend on a long-lived
LGTM_GITHUB_TOKENPAT, and bring them in line with GitHub's hardening guidance.GITHUB_TOKENinstead of a PAT for in-repo operations.GITHUB_USERswitches togithub.actor.GITHUB_TOKENto least privilege at the job level.release-tracker.ymlgetscontents: writeso the token can push commits/tags back to this repo.@v4can't be silently re-pointed.fetch-depth: 1+fetch-tags: trueso the tag ref resolves without a full clone.actions/checkout@v1to@v4.3.1where it appeared.Test plan
release-trackercontinues to push commits/tags on PR close.release.ymlstill functions on the next tag.🤖 Generated with Claude Code