Security hardening: pin action versions and add permissions #30
Open
wadewilliams wants to merge 1 commit into
Mitigates the class of attack used by tj-actions/changed-files (CVE-2025-30066) and the Shai-Hulud npm worm family, both of which exploit mutable action references and over-scoped GITHUB_TOKEN.

- Pin every third-party action to a full commit SHA with a version comment. Replaces floating tag refs (@v4, @v5, etc.) and the branch ref flowcanon/deploy-action@master, which previously gave any push to that branch immediate access to DEPLOY_SSH_KEY, GHCR write, and prod host vars.
- Add top-level "permissions: contents: read" to both workflows and grant write scopes explicitly per-job (release, build_release, build_and_deploy) so GITHUB_TOKEN is least-privilege by default.
- Add step-security/harden-runner in audit mode on the deploy job to surface unexpected egress (the tj-actions exfiltration vector).
- Pin poetry to a specific version instead of pulling latest from PyPI on every CI run.
- Add Dependabot config for github-actions and pip so pinned SHAs stay current via PRs instead of going stale.
Summary
This PR enhances the security posture of the GitHub Actions workflows by pinning all action versions to specific commit SHAs with version tags, adding explicit permission declarations, and introducing automated dependency management via Dependabot.
Key Changes
- Action Version Pinning: Updated all GitHub Actions to use full commit SHAs instead of version tags:
  - actions/checkout@v4 → pinned to v4.2.2
  - actions/setup-python@v5 → pinned to v5.6.0
  - docker/login-action@v3 → pinned to v3.7.0
  - docker/metadata-action@v5 → pinned to v5.10.0
  - docker/build-push-action@v6 → pinned to v6.19.2
  - softprops/action-gh-release@v2 → pinned to v2.6.2
  - flowcanon/release-builder/pipeline@v3 → pinned to specific commit
  - flowcanon/deploy-action@master → pinned to specific commit
- Explicit Permissions: Added permissions blocks to workflows: ci.yml and release.yml
- Dependency Management: Added .github/dependabot.yml to enable automated updates for:
- Security Hardening: Added step-security/harden-runner@v2.19.1 to the publish job with audit-mode egress policy
- Dependency Pinning: Pinned Poetry to version 1.8.5 in CI workflows for reproducible builds
Notable Details
All action version pins include comments indicating the version tag for maintainability. Dependabot will help keep these pinned versions up-to-date automatically while maintaining the security benefits of explicit version control.
https://claude.ai/code/session_01CW4Eaqpq5bR2r6mqwVKmHf
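An added example, not part of this PR or the project's code: a small Python check that flags the two conditions the PR removes, `uses:` references that are not a full 40-character commit SHA and a workflow with no top-level `permissions` block. The function name `audit_workflow`, the sample workflow and the placeholder SHA are constructed for illustration.

```python
import re

# 'uses:' value is owner/repo[/path]@ref; local (./) and docker:// targets
# carry no git ref to pin this way, so they are skipped.
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
TOP_PERMS = re.compile(r"^permissions:", re.M)  # column 0 only, not job-level


def audit_workflow(text):
    """Return a list of (line_no, message) findings for one workflow file."""
    findings = []
    if not TOP_PERMS.search(text):
        findings.append((0, "no top-level permissions block"))
    for no, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith(("./", "docker://")):
            continue
        action, _, ref = target.partition("@")
        if not FULL_SHA.match(ref):
            findings.append((no, f"{action} uses mutable ref '{ref}'"))
        elif "#" not in line:
            findings.append((no, f"{action} pinned without a version comment"))
    return findings


# Constructed sample workflow; the SHA is a placeholder, not a real commit.
SAMPLE = """\
name: release
on: push
jobs:
  build_and_deploy:
    runs-on: ubuntu-latest
    permissions:
      packages: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: docker/login-action@v3
      - uses: flowcanon/deploy-action@master
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for no, msg in audit_workflow(SAMPLE):
        print(f"line {no}: {msg}")
```

A job-level `permissions` block alone does not satisfy the check, because jobs without one would still receive the repository's default token scopes.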