Commit d3c88ad
ci: pin actions & limit token permissions (#133)
- following the [`tj-actions` supply chain attack](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised), figured I should harden some of my small repos too
- follow [OpenSSF Scorecard best practices](https://github.com/ossf/scorecard/blob/43d5832d25ccc597a9b94926b6ad43da25204085/docs/checks.md)
  - specifically "Pinned Dependencies" and "Token Permissions"
- In the future, may add [`falco-actions`](https://github.com/falcosecurity/falco-actions) etc. for anomaly detection
  - see also https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/
  - based off OSS Falco, more powerful than, and without the restrictions of, [`harden-runner`](https://github.com/step-security/harden-runner), although it doesn't have proactive egress blocking via an allowlist as `harden-runner` does 😕
  - right now, adding those actions could arguably add _more_ surface area given the small usage of the current actions (could be a premature optimization rn)
Co-authored-by: StepSecurity Bot <bot@stepsecurity.io>

1 parent 3992edb
commit d3c88ad
1 file changed, +7 -3 lines changed

| Original file line number | Diff line number | Diff line change |
|---|---|---|
| | | |
| 1 | 1 | |
| 2 | 2 | |
| | 3 | + |
| | 4 | + |
| | 5 | + |
| | 6 | + |
| 3 | 7 | |
| 4 | 8 | |
| 5 | 9 | |
| | | |
| 12 | 16 | |
| 13 | 17 | |
| 14 | 18 | |
| 15 | | - |
| | 19 | + |
| 16 | 20 | |
| 17 | | - |
| | 21 | + |
| 18 | 22 | |
| 19 | 23 | |
| 20 | 24 | |
| | | |
| 31 | 35 | |
| 32 | 36 | |
| 33 | 37 | |
| 34 | | - |
| | 38 | + |
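As an added example (not code from this commit or its repository), a small checker for the two Scorecard items the commit message names: every `uses:` pinned to a full commit SHA, and an explicit workflow-level `permissions:` block. It is run over two constructed workflows, a weak one and a hardened one; the SHAs in the hardened sample are placeholders, not real action commits.

```python
"""Audit a GitHub Actions workflow for unpinned actions and missing
top-level token permissions. Regex-based on purpose so it runs without
PyYAML; the sample workflows below are constructed, not a real repo's."""
import re

# `uses: owner/repo[/path]@ref`; local `./` and `docker://` refs do not match and are skipped
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # a full commit SHA, the only immutable ref
TOP_PERMISSIONS_RE = re.compile(r"^permissions:")  # column 0 = workflow-level key


def audit_workflow(text: str) -> list[str]:
    """Return one finding per weakness; an empty list means both checks pass."""
    lines = text.splitlines()
    findings = []
    if not any(TOP_PERMISSIONS_RE.match(line) for line in lines):
        findings.append("no top-level permissions: block (GITHUB_TOKEN keeps default scopes)")
    for lineno, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group(2)):
            findings.append(f"line {lineno}: {m.group(1)}@{m.group(2)} is a mutable ref, pin to a commit SHA")
    return findings


# Constructed "before": floating tags, token permissions left at the default.
WEAK = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
"""

# Constructed "after": read-only token, refs pinned to placeholder 40-hex SHAs with a version comment.
HARDENED = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  # v4.x (placeholder SHA)
      - uses: actions/setup-python@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb  # v5.x (placeholder SHA)
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_workflow(wf) or ["ok"])
```

The version comment after each pinned SHA is what lets Dependabot or Renovate keep bumping the pin, so pinning does not freeze the action forever.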