Skip to content

CI: Harden GHA configuration #243

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

CI: Harden GHA configuration #243

wants to merge 8 commits into from
+13 −2

Conversation

tacaswell
Copy link
Member

Apply recommended hardening steps including:

  • pinning to a SHA any actions used
  • not persisting the read token on checkout
  • setting the default permissions
  • adding a depandabot file for GHA

tacaswell added 4 commits July 17, 2025 21:02
@tacaswell
CI: pin actions by SHA
e3b1431 
This eliminates the possibility of a tag being changed under
us.
@tacaswell
CI: auto-fix via zizmor
cb712eb 
May include:

- Avoids risky string interpolation.
- Prevents checkout premissions from leaking
@tacaswell
CI: Restrict default permissions
03e2714 
Reduces risk of arbitrary code is run by attacker.
@tacaswell
CI: add dependabot config file for GHA
340947c
dopplershift
dopplershift requested changes Jul 18, 2025
View reviewed changes
dopplershift
dopplershift reviewed Jul 18, 2025
View reviewed changes
@tacaswell
Copy link
Member Author

I don't think either of those failures is due to this change, but I'm not 100% sure on that.

Cadair
Cadair approved these changes Jul 22, 2025
View reviewed changes
.github/dependabot.yml Outdated
- package-ecosystem: "github-actions"
directory: "/" # Location of your workflow files
schedule:
interval: "weekly" # Options: daily, weekly, monthly
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we monthly? The repo isn't super active and I have so many bot PRs to review these days. 😅

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll change it to monthly, although if your actions don't change much faster than that it does not super matter.

I'm not super worried about what the cadence is, but I would like there to be some process to make sure that the actions are kept up to date.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For sure, definitely want the update.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dopplershift dopplershift dopplershift requested changes

@Cadair Cadair Cadair approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tacaswell @dopplershift @Cadair