Skip to content

ci: pin actions & limit token permissions #133

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 6, 2025
Merged

ci: pin actions & limit token permissions #133

merged 1 commit into from
Apr 6, 2025

Conversation

@agilgur5
Copy link
Owner

@agilgur5 agilgur5 commented Apr 6, 2025
edited
Loading

Motivation

Following the tj-actions/changed-files supply chain attack (tj-actions/changed-files#2463), figured I should harden some of my small repos too

Summary

Details

  • Add permissions: contents: read to limit GHA token permission to least privilege
  • Pin actions/checkout, actions/setup-node, and codecov/codecov-action to SHAs

Credit

With some automated help from Step Security: step-security-bot@579bdc4

Prior Art

Similar to my prior work in ryanrudolfoba/SteamOS-Waydroid-Installer#224, argoproj/argo-workflows#12031, argoproj/argo-workflows#12035, argoproj/argo-workflows#12619, etc

Future Work

@agilgur5 @step-security-bot
ci: pin actions & limit token permissions
20f38cc 
- following the [`tj-actions` supply chain attack](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised), figured I should harden some of my small repos too

- follow [OpenSSF Scorecard best practices](https://github.com/ossf/scorecard/blob/43d5832d25ccc597a9b94926b6ad43da25204085/docs/checks.md)
  - specifically "Pinned Dependencies" and "Token Permissions"

- In the future, may add [`falco-actions`](https://github.com/falcosecurity/falco-actions) etc for anomaly detection
  - see also https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/
  - based off OSS Falco, more powerful than and without restrictions unlike [`harden-runner`](https://github.com/step-security/harden-runner), although it doesn't have proactive egress blocking via an allowlist as `harden-runner` does 😕
  - right now, adding those actions could arguably add _more_ surface area given the small usage of the current actions (could be a premature optimization rn)

Co-authored-by: StepSecurity Bot <[email protected]>
@codecov

This comment was marked as resolved.

Sign in to view
agilgur5
agilgur5 commented Apr 6, 2025
View reviewed changes
Copy link
Owner Author

@agilgur5 agilgur5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ LGTM

@agilgur5 agilgur5 merged commit d3c88ad into main Apr 6, 2025
8 checks passed
@agilgur5 agilgur5 deleted the ci-harden-actions branch April 6, 2025 19:05
Hamza65523 pushed a commit to Hamza65523/react-signature-canvas that referenced this pull request Nov 2, 2025
@agilgur5 @step-security-bot
ci: pin actions & limit token permissions (agilgur5#133)
e7e5aa1 
- following the [`tj-actions` supply chain attack](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised), figured I should harden some of my small repos too

- follow [OpenSSF Scorecard best practices](https://github.com/ossf/scorecard/blob/43d5832d25ccc597a9b94926b6ad43da25204085/docs/checks.md)
  - specifically "Pinned Dependencies" and "Token Permissions"

- In the future, may add [`falco-actions`](https://github.com/falcosecurity/falco-actions) etc for anomaly detection
  - see also https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/
  - based off OSS Falco, more powerful than and without restrictions unlike [`harden-runner`](https://github.com/step-security/harden-runner), although it doesn't have proactive egress blocking via an allowlist as `harden-runner` does 😕
  - right now, adding those actions could arguably add _more_ surface area given the small usage of the current actions (could be a premature optimization rn)

Co-authored-by: StepSecurity Bot <[email protected]>
@agilgur5 agilgur5 added the kind: internal Changes only affect the internals and not the API or usage label Nov 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

kind: internal Changes only affect the internals and not the API or usage

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@agilgur5