Update GitHub Actions setup to use pinned SHAs, limited permissions #1064
Merged
Conversation
Pull request overview
This PR hardens the repository’s GitHub Actions workflows by pinning third-party actions to immutable commit SHAs and reducing the default GITHUB_TOKEN permissions, aligning with supply-chain security best practices for CI.
Changes:
- Pin GitHub Actions to specific commit SHAs (instead of floating tags).
- Set workflow-level `permissions: {}` and disable `persist-credentials` for checkout.
- Update action versions used by CI and the website notification workflow.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/website.yml | Pins peter-evans/repository-dispatch to a SHA and sets workflow permissions to none. |
| .github/workflows/ruby.yml | Pins checkout, setup-python, and setup-ruby to SHAs; disables checkout credential persistence; sets workflow permissions to none. |
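As an added example (not code from this PR or from the bundler-audit project), a small checker for the three properties the review above summarizes: every third-party `uses:` pinned to a 40-hex commit SHA, a workflow-level `permissions:` block, and `persist-credentials: false` on checkout. Both workflow samples are constructed, and the SHAs in the hardened one are placeholders rather than the PR's real pins.

```python
import re

# Constructed "before" sample with floating tags (not the PR's actual file).
WEAK_WORKFLOW = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
"""

# Constructed "after" sample mirroring the PR's hardening. The 40-hex SHAs are
# placeholders, not the pins the PR actually used.
HARDENED_WORKFLOW = """\
permissions: {}
jobs:
  test:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
        with:
          persist-credentials: false
      - uses: ruby/setup-ruby@1111111111111111111111111111111111111111 # v1
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def _step_lines(lines, start):
    # Lines of the step at `start`, up to the next list item at the same indent.
    depth = len(lines[start]) - len(lines[start].lstrip())
    end = start + 1
    while end < len(lines) and (not lines[end].strip() or len(lines[end]) - len(lines[end].lstrip()) > depth):
        end += 1
    return lines[start:end]


def audit_workflow(text):
    """Return one finding per issue the PR fixes; an empty list means clean."""
    lines = text.splitlines()
    findings = []
    if not any(line.startswith("permissions:") for line in lines):
        findings.append("no workflow-level permissions block; GITHUB_TOKEN keeps default scopes")
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local and container actions are not pinned by SHA
        action, ref = m.groups()
        if not SHA_RE.match(ref):
            findings.append(f"line {i + 1}: {action}@{ref} is a mutable ref, not a commit SHA")
        if action == "actions/checkout" and not any(
            re.match(r"^\s*persist-credentials:\s*false\b", l) for l in _step_lines(lines, i)
        ):
            findings.append(f"line {i + 1}: checkout persists GITHUB_TOKEN into .git/config")
    return findings
```

Run `audit_workflow` over a repository's `.github/workflows/*.yml` to get the same three classes of finding that zizmor reports for this PR's changes; a pinned SHA still needs the trailing version comment to stay reviewable.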
Contributor
I'm okay merging this into the repo.
…acks. This also updates the actions to their latest versions. I think this is especially important to do given that pushing to master on this repo would result in anyone running `bundler-audit update` on their machine getting potentially malicious code. Though I admittedly don't think that's particularly likely to lead to much (bundler-audit just parses YAML files), I'd rather be careful. Generally speaking I'd recommend pinning these to SHA hashes yourselves to make sure I can't supply a malicious SHA hash here, and you can use zizmor or pinact if you want to do it yourself instead and close this PR.
Neither of them need anything, so we can safely remove all permissions.
5126549 to 2a5d11f
Collaborator
@connorshea Thanks for this! I added two commits (and rebased):
2a5d11f to 3ce9602
Hello! This PR pins all the GitHub Actions used in the repo to specific SHA hashes to prevent supply chain attacks like the one last week with actions-cool being taken over.
This also updates the actions to their latest versions, limits the permissions of both jobs to no-permissions, and ensures that credentials are not persisted with the checkout action just to be safe. I used zizmor to audit and fix all of these.
I think this is especially important to do given that an attacker managing to push to master on this repo would result in anyone running `bundler-audit update` on their machine getting potentially malicious code. Though I admittedly don't think that's particularly likely to lead to much (bundler-audit just parses YAML files as far as I know, it wouldn't result in anything being executed), I'd rather just be careful.

Generally speaking I'd recommend pinning these to SHA hashes yourselves to make sure I can't supply malicious SHA hashes here, and you can use zizmor or pinact if you want to do it yourself instead and close this PR. (Obviously I didn't do that, but figured I'd mention it for the sake of security)
Updating these actions will also be necessary in a few months anyway, since the Node version used by GitHub Actions is getting bumped to Node 24.