Conversation

@agilgur5 agilgur5 commented Apr 6, 2025

Motivation

Following the [`tj-actions/changed-files` supply chain attack](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised) (tj-actions/changed-files#2463), figured I should harden some of my small repos too

Summary

  • Add permissions: contents: read to limit GHA token permission to least privilege
  • Pin actions/checkout, actions/setup-node, and codecov/codecov-action to SHAs
  • Follow [OpenSSF Scorecard best practices](https://github.com/ossf/scorecard/blob/43d5832d25ccc597a9b94926b6ad43da25204085/docs/checks.md), specifically "Pinned Dependencies" and "Token Permissions"

Credit

With some automated help from Step Security: step-security-bot@579bdc4

Prior Art

Similar to my prior work in ryanrudolfoba/SteamOS-Waydroid-Installer#224, argoproj/argo-workflows#12031, argoproj/argo-workflows#12035, argoproj/argo-workflows#12619, etc

Future Work

  • In the future, may add [`falco-actions`](https://github.com/falcosecurity/falco-actions) etc for anomaly detection
    • see also https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/
    • based off OSS Falco, more powerful than and without restrictions unlike [`harden-runner`](https://github.com/step-security/harden-runner), although it doesn't have proactive egress blocking via an allowlist as `harden-runner` does 😕
    • right now, adding those actions could arguably add _more_ surface area given the small usage of the current actions (could be a premature optimization rn)

Co-authored-by: StepSecurity Bot <bot@stepsecurity.io>
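A line-based check for the two Scorecard points this PR applies ("Pinned Dependencies" and "Token Permissions"), written as an added example rather than code from the PR, StepSecurity or Scorecard: it flags `uses:` references that are not pinned to a 40-hex commit SHA and workflows with no restrictive top-level `permissions:` key. Both workflows inside it are constructed samples, and the SHAs in the hardened one are placeholders, not the commits this PR actually pinned to. It deliberately avoids a YAML library so it runs anywhere Python does.

```python
"""Lint GitHub Actions workflows for SHA-pinned actions and least-privilege
GITHUB_TOKEN permissions (added example; not the PR's or Scorecard's code)."""
import re

# `- uses: owner/repo@ref` step lines; captures the action reference.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
# A full-length git commit SHA: 40 lowercase hex digits, nothing else.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Column-0 `permissions:` key with an optional inline value (read-all, write-all, {}).
TOP_PERMISSIONS_RE = re.compile(r"^permissions:[ \t]*([^\s#]*)", re.MULTILINE)

# Constructed "before" workflow: mutable tags, no permissions block at all.
BEFORE_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci && npm test
      - uses: codecov/codecov-action@v5
"""

# Constructed "after" workflow: token scoped to contents: read, every action
# pinned to a full SHA with the human-readable tag kept as a trailing comment.
# The SHAs are placeholders, NOT the real upstream commits.
AFTER_WORKFLOW = """\
name: CI
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111 # v4 (placeholder SHA)
      - uses: actions/setup-node@2222222222222222222222222222222222222222 # v4 (placeholder SHA)
        with:
          node-version: 20
      - run: npm ci && npm test
      - uses: codecov/codecov-action@3333333333333333333333333333333333333333 # v5 (placeholder SHA)
"""


def is_sha_pinned(ref: str) -> bool:
    """True when the part after '@' is a full commit SHA rather than a tag or branch."""
    return SHA_RE.fullmatch(ref) is not None


def lint_workflow(text: str) -> list[str]:
    """Return one finding per problem; an empty list means both checks pass."""
    findings: list[str] = []

    perms = TOP_PERMISSIONS_RE.search(text)
    if perms is None:
        findings.append("no top-level `permissions:` key; GITHUB_TOKEN gets the repository default scopes")
    elif perms.group(1) == "write-all":
        findings.append("top-level `permissions: write-all` grants every scope; use read-all or per-scope grants")

    for lineno, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match is None:
            continue
        action = match.group(1)
        # Local actions and docker images are not third-party git refs; skip them.
        if action.startswith("./") or action.startswith("docker://"):
            continue
        name, _, ref = action.partition("@")
        if not ref:
            findings.append(f"line {lineno}: {name} has no ref (resolves to the default branch)")
        elif not is_sha_pinned(ref):
            findings.append(f"line {lineno}: {name}@{ref} is a mutable tag/branch; pin to a 40-char commit SHA")
    return findings


if __name__ == "__main__":
    for label, wf in (("before", BEFORE_WORKFLOW), ("after", AFTER_WORKFLOW)):
        print(f"== {label} ==")
        for finding in lint_workflow(wf) or ["ok"]:
            print(" ", finding)
```

Keeping the tag in a trailing comment (`# v4`) is what lets tools like Dependabot or Renovate bump the SHA and the comment together; the check above ignores everything after `#`, so the comment never counts as a ref.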

@agilgur5 agilgur5 left a comment

✅ LGTM

@agilgur5 agilgur5 merged commit d3c88ad into main Apr 6, 2025
8 checks passed
@agilgur5 agilgur5 deleted the ci-harden-actions branch April 6, 2025 19:05