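--- a/.github/workflows/ai-labeler.yml
+++ b/.github/workflows/ai-labeler.yml
@@ -16,7 +16,7 @@ permissions:
 
 jobs:
   classify:
-    uses: basecamp/.github/.github/workflows/ai-classify-pr.yml@fc560544cd2bb4e242530bde9b0d9deb7863ea45
+    uses: basecamp/.github/.github/workflows/ai-classify-pr.yml@0f236fea0ac36da812ff7178af3af1b4ee686c3c
     with:
       prompt-file: .github/prompts/classify-pr.prompt.yml
       labels: "bug,enhancement,documentation"
@@ -27,7 +27,7 @@ jobs:
       pull-requests: write
 
   breaking:
-    uses: basecamp/.github/.github/workflows/ai-breaking-change.yml@fc560544cd2bb4e242530bde9b0d9deb7863ea45
+    uses: basecamp/.github/.github/workflows/ai-breaking-change.yml@0f236fea0ac36da812ff7178af3af1b4ee686c3c
     with:
       prompt-file: .github/prompts/detect-breaking.prompt.yml
       file-patterns: |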
47 changes: 20 additions & 27 deletions .github/workflows/release.yml
Expand Up @@ -5,6 +5,10 @@ on:
tags:
- 'v*'

concurrency:
group: release-${{ github.ref }}
cancel-in-progress: false

permissions:
contents: write
id-token: write
Expand All @@ -16,8 +20,9 @@ jobs:
security:
name: Security scan
uses: ./.github/workflows/security.yml
secrets:
RELEASE_APP_PRIVATE_KEY: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
permissions:
contents: read
security-events: write

test:
name: Test before release
Expand All @@ -26,31 +31,16 @@ jobs:
contents: read
env:
BASECAMP_NO_KEYRING: "1"
GOPRIVATE: github.com/basecamp/basecamp-sdk
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0

- name: Generate token for private SDK access
id: app-token
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
with:
app-id: ${{ vars.RELEASE_CLIENT_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
owner: basecamp
repositories: basecamp-sdk

- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
with:
go-version-file: 'go.mod'

- name: Configure git for private modules
env:
TOKEN: ${{ steps.app-token.outputs.token }}
run: git config --global url."https://x-access-token:${TOKEN}@github.com/".insteadOf "https://github.com/"

- name: Install golangci-lint
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
with:
Expand Down Expand Up @@ -119,32 +109,27 @@ jobs:
contents: write
id-token: write
models: read
env:
GOPRIVATE: github.com/basecamp/basecamp-sdk
attestations: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0

- name: Generate token for private SDK and tap access
- name: Generate token for Homebrew tap
id: sdk-token
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
with:
app-id: ${{ vars.RELEASE_CLIENT_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
owner: basecamp
repositories: basecamp-sdk,homebrew-tap
repositories: homebrew-tap
permission-contents: write

- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
with:
go-version-file: 'go.mod'

- name: Configure git for private modules
env:
TOKEN: ${{ steps.sdk-token.outputs.token }}
run: git config --global url."https://x-access-token:${TOKEN}@github.com/".insteadOf "https://github.com/"

- name: Verify tag is on main
run: |
git fetch origin main
Expand Down Expand Up @@ -270,7 +255,7 @@ jobs:
uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7
with:
distribution: goreleaser
version: '~> v2'
version: 'v2.14.1'
install-only: true

- name: Run GoReleaser
Expand All @@ -291,6 +276,11 @@ jobs:
export RELEASE_CHANGELOG
goreleaser release --clean

- name: Attest build provenance
uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2
with:
subject-checksums-file: ./dist/checksums.txt

- name: Publish to AUR
env:
AUR_KEY: ${{ secrets.AUR_KEY }}
Expand Down Expand Up @@ -348,6 +338,9 @@ jobs:
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
owner: basecamp
repositories: skills
permission-contents: write
permission-pull-requests: write
permission-issues: write

- name: Sync skills to distribution repo
id: sync
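Review bot: The new `Attest build provenance` step assumes GoReleaser writes `./dist/checksums.txt`, but GoReleaser's default checksum name template is `{{ .ProjectName }}_{{ .Version }}_checksums.txt`, so unless `.goreleaser.yaml` (not in this diff) sets `checksum.name_template: checksums.txt`, the step fails only after `goreleaser release --clean` has already published the release, leaving public artifacts with no attestation. Worth confirming the configured name and pointing `subject-checksums-file` at it, or guarding with `test -f ./dist/checksums.txt` at the end of the release step so a mismatch surfaces before publish. Note that the attestation covers only the artifacts listed in that checksum file; whatever the AUR and Homebrew steps publish separately is not attested. Separately, the skills-sync app token now gets `permission-issues: write` alongside `permission-pull-requests: write`; the sync step lives outside this hunk, so if it only opens pull requests, that grant should be dropped to keep the token at least privilege.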
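--- /dev/null
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,39 @@
+name: OpenSSF Scorecard
+
+on:
+  push:
+    branches: [main]
+  schedule:
+    - cron: '30 1 * * 6'
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  analysis:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
+        continue-on-error: true
+        with:
+          sarif_file: results.sarif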
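Review bot: `continue-on-error: true` on the `codeql-action/upload-sarif` step means a failed SARIF upload (code scanning disabled on a fork, a malformed results file) leaves the workflow green while the code-scanning view silently stops updating. The Scorecard API publish via `publish_results: true` is what most consumers rely on, so tolerating the upload failure may be deliberate, but it deserves a comment such as `# Tolerate forks/repos without code scanning; results are still published to the Scorecard API above`. If it is not deliberate, drop `continue-on-error` so upload failures surface. The rest matches the Scorecard publishing requirements visible here: top-level `permissions: read-all`, job-level `id-token: write` for the OIDC publish, and `persist-credentials: false` on checkout.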
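--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -9,9 +9,6 @@ on:
     # Weekly scan on Monday at 6am UTC
     - cron: '0 6 * * 1'
   workflow_call: # Allow release.yml to invoke the full security suite
-    secrets:
-      RELEASE_APP_PRIVATE_KEY:
-        required: false
   workflow_dispatch:
 
 permissions:
@@ -64,31 +61,15 @@ jobs:
   gosec:
     name: Go Security Checker
     runs-on: ubuntu-latest
-    env:
-      GOPRIVATE: github.com/basecamp/basecamp-sdk
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
-      - name: Generate token for private SDK access
-        id: app-token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
-        with:
-          app-id: ${{ vars.RELEASE_CLIENT_ID }}
-          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
-          owner: basecamp
-          repositories: basecamp-sdk
-
       - name: Set up Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: 'go.mod'
 
-      - name: Configure git for private modules
-        env:
-          TOKEN: ${{ steps.app-token.outputs.token }}
-        run: git config --global url."https://x-access-token:${TOKEN}@github.com/".insteadOf "https://github.com/"
-
       - name: Run gosec
         run: |
           go install github.com/securego/gosec/v2/cmd/gosec@v2.23.0
@@ -115,30 +96,14 @@ jobs:
   codeql:
     name: CodeQL Analysis
     runs-on: ubuntu-latest
-    env:
-      GOPRIVATE: github.com/basecamp/basecamp-sdk
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
-      - name: Generate token for private SDK access
-        id: app-token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
-        with:
-          app-id: ${{ vars.RELEASE_CLIENT_ID }}
-          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
-          owner: basecamp
-          repositories: basecamp-sdk
-
       - name: Set up Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
           go-version-file: 'go.mod'
 
-      - name: Configure git for private modules
-        env:
-          TOKEN: ${{ steps.app-token.outputs.token }}
-        run: git config --global url."https://x-access-token:${TOKEN}@github.com/".insteadOf "https://github.com/"
-
       - name: Initialize CodeQL
         uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
         with: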