
fix: harden the action#4

Merged
dgellow merged 1 commit intostainless-api:mainfrom
MarshallOfSound:sam/harden-action
Apr 17, 2026

Conversation

@MarshallOfSound
Contributor

A few defence-in-depth improvements, nothing here is actively being exploited but these close off some sharp edges.

Token handling (index.js)

  • Register the retrieved token with core.setSecret so Actions masks it in logs before it's written as an output
  • Drop the console.log('API Response', data) call — data includes the token
  • Trim raw response bodies out of thrown error messages
  • Throw explicitly if the response has no token instead of returning undefined

Workflows

  • update-main-version.yml: pass workflow_dispatch inputs through env vars rather than interpolating directly into run: (avoids shell expansion of the target input)
  • Pin all third-party actions to a SHA (via pinact)
  • Add explicit permissions: blocks (read by default, write only where a job pushes)
  • yarn install --frozen-lockfile in CI
  • persist-credentials: false on the lint checkout

Runtime

  • Bump action.yml from node16 (EOL) to node20

Verified with zizmor — 0 high findings remain. The two residual medium artipacked warnings are on checkouts that intentionally keep credentials to push back.

- Mask the retrieved GitHub token with core.setSecret so it is redacted in logs
- Stop logging the raw API response (contained the token)
- Drop raw response body from error messages
- Pass workflow_dispatch inputs via env vars instead of interpolating into shell
- Pin all actions to SHA (via pinact)
- Add least-privilege permissions blocks to workflows
- Use yarn install --frozen-lockfile in CI
- Set persist-credentials: false on read-only checkout
- Bump action runtime from node16 (EOL) to node20
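The index.js changes listed above, worked through as an added example (this is not the action's own code, and nothing here is from the stainless-api repository): a token-handling step that registers the token with `setSecret` before it is written as an output, never logs the raw response, keeps response bodies out of error messages, and throws when no token is present. The function names `handleTokenResponse`, `makeCoreShim`, `renderLogs` and `demo`, the shim standing in for `@actions/core`, and the three sample responses are assumptions constructed for the demo.

```javascript
// Added example, not code from the stainless-api action. Names and the
// sample responses below are assumptions made for the demo.

// Minimal stand-in for @actions/core so the example runs offline. The real
// library talks to the Actions runner; this shim only records what would be
// written and which values were registered as secrets.
function makeCoreShim() {
  const shim = { secrets: [], lines: [] };
  shim.setSecret = (value) => shim.secrets.push(value);
  shim.setOutput = (name, value) => shim.lines.push(`output ${name}=${value}`);
  shim.info = (msg) => shim.lines.push(msg);
  return shim;
}

// Apply the runner's masking rule: every registered secret is replaced by
// *** wherever it appears in a recorded line.
function renderLogs(shim) {
  return shim.lines.map((line) =>
    shim.secrets.reduce((acc, s) => acc.split(s).join('***'), line));
}

// Hardened handler. `response` is {status, body} as already read from the
// token endpoint; the HTTP call itself is left out to keep this synchronous.
function handleTokenResponse(response, core) {
  if (response.status < 200 || response.status >= 300) {
    // Status code only: the raw body may echo request details or a credential.
    throw new Error(`token request failed with HTTP ${response.status}`);
  }
  let data;
  try {
    data = JSON.parse(response.body);
  } catch {
    throw new Error('token response was not valid JSON');
  }
  if (typeof data.token !== 'string' || data.token === '') {
    // Fail loudly instead of handing undefined to downstream steps.
    throw new Error('token response did not contain a token');
  }
  // Register the secret before anything can write it to a log or output.
  core.setSecret(data.token);
  core.setOutput('token', data.token);
  core.info('token retrieved'); // never core.info(data): the object holds the token
  return data.token;
}

// Constructed sample responses (not real API traffic).
const SAMPLE_OK = { status: 200, body: '{"token":"ghs_constructedExampleToken"}' };
const SAMPLE_NO_TOKEN = { status: 200, body: '{"expires_at":"2026-04-17T00:00:00Z"}' };
const SAMPLE_ERROR = { status: 500, body: '{"error":"internal","token":"ghs_leakedInErrorBody"}' };

// Run the three cases and return, per case, whether it succeeded, the error
// message if not, and the log lines as the runner would render them.
function demo() {
  const cases = { ok: SAMPLE_OK, noToken: SAMPLE_NO_TOKEN, error: SAMPLE_ERROR };
  const results = {};
  for (const [name, resp] of Object.entries(cases)) {
    const core = makeCoreShim();
    try {
      handleTokenResponse(resp, core);
      results[name] = { ok: true, logs: renderLogs(core) };
    } catch (err) {
      results[name] = { ok: false, message: err.message, logs: renderLogs(core) };
    }
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The order inside `handleTokenResponse` is the point: `setSecret` runs before `setOutput`, so the masking is in place by the time the token first reaches a log line, and the error paths carry only the status code or a fixed message, so a failing response can never leak its body into the job log.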
@dgellow
Member

dgellow commented Apr 17, 2026

Hi @MarshallOfSound, thanks for the PR!

@dgellow dgellow merged commit 7b247e8 into stainless-api:main Apr 17, 2026
3 checks passed