security: SHA-pin all Actions + least-privilege workflow permissions (PER-8604, PER-8608) #2278

Merged: Shivanshu-07 merged 2 commits into master from security/PER-8604-8608-ci-hardening, Jul 2, 2026

@Shivanshu-07 Shivanshu-07 commented Jun 12, 2026

Contributor

Summary

First of several focused percy-cli security PRs. Covers the two High-severity CI/CD hardening findings (deadline 2026-06-16) and tightens the surface for PER-8610.

| Ticket | CWE | Finding |
| --- | --- | --- |
| PER-8608 | CWE-829 | Third-party actions pinned to mutable tags |
| PER-8604 | CWE-732 | Workflows missing permissions block (write-all GITHUB_TOKEN) |

Changes

PER-8608 — SHA-pin everything: every uses: across all 11 workflows is now pinned to an immutable 40-char commit SHA (version tag preserved in a trailing comment). Pinned actions: checkout, setup-node, cache, upload-artifact, download-artifact, stale, github-script, action-regex-match, pull-request-comment-branch, gha-jobid-action, winterjung/split, trigger-workflow-and-wait, create-pull-request. (softprops/action-gh-release and the Semgrep checkout/codeql were already pinned.)

PER-8604 — least privilege: top-level permissions: contents: read on every workflow, with minimal job-level grants only where needed:

  • executable.yml (build, notify) → contents: write (upload release assets)
  • stale.yml → issues: write, pull-requests: write
  • sdk-regression.yml → statuses: write + pull-requests: read

Re PER-8610 (issue_comment exposes token): sdk-regression.yml already gates execution on an author-permission check (only write/admin collaborators), so the trigger isn't open to arbitrary commenters; the least-privilege block here further limits what that flow's token can do.

Verification

  • All 11 workflow YAMLs parse; zero unpinned uses:; every workflow declares permissions:.
  • Action SHAs resolved live from each action's tag ref (major versions preserved; stale v6→v9 to a maintained release).

Closes PER-8604, PER-8608. Hardens PER-8610.

Remaining percy-cli findings will follow as separate focused PRs: SSRF (8614/8616), ReDoS (8615), log redaction (8609), eval/CDP injection (8607/8613), chromium integrity (8605), release-secret handling (8611/8612), and the local-server auth/CORS set (8600–8603 + chains 8626/8627).

🤖 Generated with Claude Code
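The verification step in the description above (zero unpinned `uses:`, every workflow declares `permissions:`) can be scripted as a repeatable check. This is an added example, not code from this PR or the percy-cli repository; the sample workflows and the placeholder SHA are constructed, and the scan is line-based rather than a full YAML parse.

```python
import re

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"[0-9a-f]{40}")
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"  # constructed, not a real commit

def audit_workflow(text):
    """Return (line, kind, detail) findings for one workflow file's text."""
    findings, top_level_permissions = [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        if re.match(r"permissions\s*:", line):  # column 0 only: the workflow-wide block
            top_level_permissions = True
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions are versioned with the repo; docker:// refs are pinned by
        # digest rather than commit SHA and are not checked in this example.
        if target.startswith(("./", "docker://")):
            continue
        # Anything after the last "@" must be a full 40-hex commit SHA.
        if SHA_RE.fullmatch(target.rpartition("@")[2]) is None:
            findings.append((lineno, "unpinned", target))
    if not top_level_permissions:
        findings.append((0, "no-permissions", "no top-level permissions: block"))
    return findings

# Constructed sample: mutable tags and no permissions block.
BEFORE = """\
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local
"""
# Constructed sample: SHA pin with the tag kept in a trailing comment.
AFTER = f"""\
on: push
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA} # v4
"""
if __name__ == "__main__":
    print(audit_workflow(BEFORE), audit_workflow(AFTER))
```

A job-level `permissions:` block alone does not satisfy the check, since it leaves every other job in the workflow on the default token scope.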

…s (PER-8604, PER-8608)

PER-8608 (CWE-829) — every third-party action across all 11 workflows was
pinned to a mutable tag, allowing a hijacked/retagged action to inject code
into CI (which handles signing keys and publish tokens). Pin every `uses:` to
an immutable 40-char commit SHA (tag preserved in a trailing comment):
checkout, setup-node, cache, upload-artifact, download-artifact, stale,
github-script, action-regex-match, pull-request-comment-branch,
gha-jobid-action, winterjung/split, trigger-workflow-and-wait,
create-pull-request.

PER-8604 (CWE-732) — workflows ran with the implicit write-all GITHUB_TOKEN.
Add a top-level `permissions: contents: read` to every workflow and minimal
job-level grants only where required:
  - executable.yml (build, notify): contents: write — upload release assets
  - stale.yml: issues: write, pull-requests: write
  - sdk-regression.yml: statuses: write + pull-requests: read

Also re PER-8610: sdk-regression.yml is issue_comment-triggered but already
gates execution on an author-permission check (write/admin collaborators only);
the least-privilege block above further limits the token exposed to that flow.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Shivanshu-07

Contributor Author

Claude Code PR Review

PR: #2278; Head: 34a6693; Reviewers: fallback inline checklist

Summary

CI supply-chain hardening (PER-8604/8608): digest-pin the Semgrep container image, SHA-pin the two actions in executable-check.yml (checkout v5.0.0, setup-node v4.1.0), and add top-level permissions: contents: read to test.yml and windows.yml. Net change after merging master (which already carried most of the batch's pins/permissions).

Review Table

| Priority | Category | Check | Status | Notes |
| --- | --- | --- | --- | --- |
| High | Security | No hardcoded secrets or credentials | Pass | Verified: every uses: is 40-hex SHA-pinned with a version comment; the Semgrep image: is digest-pinned; each workflow has a top-level least-privilege permissions: block. This change reduces secret/token exposure — it does not introduce any. |
| High | Security | Authentication/authorization checks present | N/A | CI/build config, no app auth surface |
| High | Security | Input validation and sanitization | N/A | No user input paths changed |
| High | Security | No IDOR — resource ownership validated | N/A | |
| High | Security | No SQL injection (parameterized queries) | N/A | |
| High | Correctness | Logic is correct, handles edge cases | Pass | No runtime logic changed |
| High | Correctness | Error handling is explicit, no swallowed exceptions | Pass | Unchanged |
| High | Correctness | No race conditions or concurrency issues | N/A | |
| Medium | Testing | New code has corresponding tests | N/A | CI/pipeline config; not unit-testable |
| Medium | Testing | Error paths and edge cases tested | N/A | |
| Medium | Testing | Existing tests still pass (no regressions) | Pass | No source/test changes in net diff |
| Medium | Performance | No N+1 queries or unbounded data fetching | N/A | |
| Medium | Performance | Long-running tasks use background jobs | N/A | |
| Medium | Quality | Follows existing codebase patterns | Pass | Matches repo's pin/permission style |
| Medium | Quality | Changes are focused (single concern) | Pass | Scoped to the security hardening |
| Low | Quality | Meaningful names, no dead code | Pass | |
| Low | Quality | Comments explain why, not what | Pass | Rationale comments cite the CWE |
| Low | Quality | No unnecessary dependencies added | Pass | None added |

Findings

No blocking findings. Verified: every uses: is 40-hex SHA-pinned with a version comment; the Semgrep image: is digest-pinned; each workflow has a top-level least-privilege permissions: block. This change reduces secret/token exposure — it does not introduce any.


Verdict: PASS

@Shivanshu-07 Shivanshu-07 merged commit 87d2b4d into master Jul 2, 2026
47 checks passed
@Shivanshu-07 Shivanshu-07 deleted the security/PER-8604-8608-ci-hardening branch July 2, 2026 16:42