Skip to content

Security hardening for public release #161

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jeremy merged 6 commits into from
Feb 27, 2026
Merged

Security hardening for public release #161

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
f011721
Reject authority keys from untrusted config sources
jeremy Feb 27, 2026
9734ec6
Enforce HTTPS for non-localhost URLs and harden OAuth flow
jeremy Feb 27, 2026
7f5c431
Strip terminal escape sequences from API-sourced output
jeremy Feb 27, 2026
0721e7c
SHA-pin all GitHub Actions and harden CI supply chain
jeremy Feb 27, 2026
1b02364
Harden credential storage, config writes, and trace scrubbing
jeremy Feb 27, 2026
f567320
Address PR review feedback: config lockout, OAuth logging, temp cleanup
jeremy Feb 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 12 additions & 12 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,21 +25,21 @@ jobs:
BASECAMP_NO_KEYRING: "1"
GOPRIVATE: github.com/basecamp/basecamp-sdk
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0

- name: Generate token for private SDK access
id: app-token
uses: actions/create-github-app-token@v2
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
with:
app-id: ${{ vars.RELEASE_CLIENT_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
owner: basecamp
repositories: basecamp-sdk

- name: Set up Go
uses: actions/setup-go@v6
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
with:
go-version-file: 'go.mod'

Expand Down Expand Up @@ -82,21 +82,21 @@ jobs:
env:
GOPRIVATE: github.com/basecamp/basecamp-sdk
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0

- name: Generate token for private SDK access
id: sdk-token
uses: actions/create-github-app-token@v2
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
with:
app-id: ${{ vars.RELEASE_CLIENT_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
owner: basecamp
repositories: basecamp-sdk

- name: Set up Go
uses: actions/setup-go@v6
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
with:
go-version-file: 'go.mod'

Expand Down Expand Up @@ -136,26 +136,26 @@ jobs:
fi

- name: Install Cosign
uses: sigstore/cosign-installer@v3
uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3

- name: Install Syft
uses: anchore/sbom-action/download-syft@v0
uses: anchore/sbom-action/download-syft@17ae1740179002c89186b61233e0f892c3118b11 # v0

- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3

- name: Login to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v7
uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7
with:
distribution: goreleaser
version: '~> v2'
Expand Down
20 changes: 10 additions & 10 deletions .github/workflows/security.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ jobs:
name: Secret Scanning
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0

Expand All @@ -38,10 +38,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Run Trivy vulnerability scanner (filesystem)
uses: aquasecurity/trivy-action@0.34.1
uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
with:
scan-type: 'fs'
scan-ref: '.'
Expand All @@ -52,7 +52,7 @@ jobs:
output: 'trivy-results.sarif'

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
if: always()
continue-on-error: true # Requires GitHub Advanced Security
with:
Expand All @@ -65,19 +65,19 @@ jobs:
GOPRIVATE: github.com/basecamp/basecamp-sdk
steps:
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Generate token for private SDK access
id: app-token
uses: actions/create-github-app-token@v2
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
with:
app-id: ${{ vars.RELEASE_CLIENT_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
owner: basecamp
repositories: basecamp-sdk

- name: Set up Go
uses: actions/setup-go@v6
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
with:
go-version-file: 'go.mod'

Expand All @@ -90,7 +90,7 @@ jobs:
gosec -no-fail -fmt sarif -out gosec-results.sarif ./...

- name: Upload gosec scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
if: always()
continue-on-error: true # Requires GitHub Advanced Security
with:
Expand All @@ -104,5 +104,5 @@ jobs:
if: github.event_name == 'pull_request'
continue-on-error: true # Requires GitHub Advanced Security (not available on all plans)
steps:
- uses: actions/checkout@v6
- uses: actions/dependency-review-action@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4
48 changes: 24 additions & 24 deletions .github/workflows/test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,19 +15,19 @@ jobs:
BASECAMP_NO_KEYRING: "1"
GOPRIVATE: github.com/basecamp/basecamp-sdk
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Generate token for private SDK access
id: app-token
uses: actions/create-github-app-token@v2
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
with:
app-id: ${{ vars.RELEASE_CLIENT_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
owner: basecamp
repositories: basecamp-sdk

- name: Set up Go
uses: actions/setup-go@v6
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
with:
go-version-file: 'go.mod'

Expand Down Expand Up @@ -57,27 +57,27 @@ jobs:
env:
GOPRIVATE: github.com/basecamp/basecamp-sdk
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Generate token for private SDK access
id: app-token
uses: actions/create-github-app-token@v2
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
with:
app-id: ${{ vars.RELEASE_CLIENT_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
owner: basecamp
repositories: basecamp-sdk

- name: Set up Go
uses: actions/setup-go@v6
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
with:
go-version-file: 'go.mod'

- name: Configure git for private modules
run: git config --global url."https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/".insteadOf "https://github.com/"

- name: Run golangci-lint
uses: golangci/golangci-lint-action@v9
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
with:
version: v2.9.0

Expand All @@ -87,19 +87,19 @@ jobs:
env:
GOPRIVATE: github.com/basecamp/basecamp-sdk
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Generate token for private SDK access
id: app-token
uses: actions/create-github-app-token@v2
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
with:
app-id: ${{ vars.RELEASE_CLIENT_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
owner: basecamp
repositories: basecamp-sdk

- name: Set up Go
uses: actions/setup-go@v6
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
with:
go-version-file: 'go.mod'

Expand All @@ -120,19 +120,19 @@ jobs:
BASECAMP_NO_KEYRING: "1"
GOPRIVATE: github.com/basecamp/basecamp-sdk
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Generate token for private SDK access
id: app-token
uses: actions/create-github-app-token@v2
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
with:
app-id: ${{ vars.RELEASE_CLIENT_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
owner: basecamp
repositories: basecamp-sdk

- name: Set up Go
uses: actions/setup-go@v6
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
with:
go-version-file: 'go.mod'

Expand All @@ -149,19 +149,19 @@ jobs:
BASECAMP_NO_KEYRING: "1"
GOPRIVATE: github.com/basecamp/basecamp-sdk
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Generate token for private SDK access
id: app-token
uses: actions/create-github-app-token@v2
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
with:
app-id: ${{ vars.RELEASE_CLIENT_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
owner: basecamp
repositories: basecamp-sdk

- name: Set up Go
uses: actions/setup-go@v6
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
with:
go-version-file: 'go.mod'

Expand All @@ -170,7 +170,7 @@ jobs:

- name: Cache BATS
id: cache-bats
uses: actions/cache@v5
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
with:
path: /usr/local/libexec/bats-core
key: bats-1.11.0
Expand All @@ -193,13 +193,13 @@ jobs:
BASECAMP_NO_KEYRING: "1"
GOPRIVATE: github.com/basecamp/basecamp-sdk
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 2

- name: Generate token for private SDK access
id: app-token
uses: actions/create-github-app-token@v2
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
with:
app-id: ${{ vars.RELEASE_CLIENT_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
Expand All @@ -208,7 +208,7 @@ jobs:

- name: Check for benchmark-relevant changes
id: filter
uses: dorny/paths-filter@v3
uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
with:
filters: |
bench:
Expand All @@ -221,7 +221,7 @@ jobs:

- name: Set up Go
if: steps.filter.outputs.bench == 'true'
uses: actions/setup-go@v6
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
with:
go-version-file: 'go.mod'

Expand All @@ -235,7 +235,7 @@ jobs:

- name: Download previous benchmark baseline
if: steps.filter.outputs.bench == 'true'
uses: actions/cache/restore@v5
uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
with:
path: benchmarks-baseline.txt
key: benchmarks-baseline-${{ github.sha }}
Expand Down Expand Up @@ -269,14 +269,14 @@ jobs:

- name: Cache benchmark baseline
if: steps.filter.outputs.bench == 'true'
uses: actions/cache/save@v5
uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
with:
path: benchmarks-baseline.txt
key: benchmarks-baseline-${{ github.sha }}

- name: Upload benchmark results
if: steps.filter.outputs.bench == 'true'
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: benchmarks
path: benchmarks.txt
Expand Down
8 changes: 5 additions & 3 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,10 +9,11 @@ require (
github.com/charmbracelet/glamour v0.10.0
github.com/charmbracelet/huh v0.8.0
github.com/charmbracelet/lipgloss v1.1.1-0.20250404203927-76690c660834
github.com/charmbracelet/x/ansi v0.10.1
github.com/charmbracelet/x/term v0.2.1
github.com/fsnotify/fsnotify v1.8.0
github.com/gofrs/flock v0.13.0
github.com/mattn/go-runewidth v0.0.16
github.com/mattn/go-runewidth v0.0.19
github.com/spf13/cobra v1.10.2
github.com/stretchr/testify v1.11.1
github.com/zalando/go-keyring v0.2.6
Expand All @@ -30,10 +31,11 @@ require (
github.com/aymerick/douceur v0.2.0 // indirect
github.com/catppuccin/go v0.3.0 // indirect
github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
github.com/charmbracelet/x/ansi v0.10.1 // indirect
github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
github.com/charmbracelet/x/exp/slice v0.0.0-20250327172914-2fdc97757edf // indirect
github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0 // indirect
github.com/clipperhouse/stringish v0.1.1 // indirect
github.com/clipperhouse/uax29/v2 v2.5.0 // indirect
github.com/danieljoos/wincred v1.2.2 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/dlclark/regexp2 v1.11.0 // indirect
Expand All @@ -44,7 +46,7 @@ require (
github.com/gorilla/css v1.0.1 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/kr/text v0.2.0 // indirect
github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
github.com/lucasb-eyer/go-colorful v1.3.0 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mattn/go-localereader v0.0.1 // indirect
github.com/microcosm-cc/bluemonday v1.0.27 // indirect
Expand Down
Loading
Loading