[SECURITY] Harden GitHub Workflows & Actions#12
Merged
John McCall (lowlydba) merged 3 commits intoApr 9, 2026
Merged
Conversation
Pin GitHub Actions to specific SHAs and tighten workflow security/behavior. Key changes: - Pin multiple actions to commit SHAs (checkout, create-github-app-token, github-script, setup-python, setup-uv, semantic PR linter, sticky comment, etc.) to ensure immutable behavior. - Improve secret/input handling by exporting inputs into env vars (INPUTS_*) and using those in scripts so values can be masked safely (e.g., privateKey masking). - Add persist-credentials: false for cross-repo checkout and use env-driven Black version install to avoid leaking inputs. - Narrow job permissions and add explicit permissions where needed (pull-requests, issues, statuses, actions, security-events) with explanatory comments. - Add concurrency groups to workflows to cancel in-progress runs for the same PR/ref and set an environment for the check-linked-issue job. These changes improve reproducibility and security of the CI workflows and actions. Signed-off-by: John McCall <john@overturemaps.org>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
There was a problem hiding this comment.
Pull request overview
Hardens this repo’s GitHub Actions posture by pinning external actions to immutable SHAs, tightening default/job permissions, improving secret masking behavior, and adding concurrency controls to reduce duplicate runs.
Changes:
- Pin multiple third-party actions to commit SHAs and add
persist-credentials: falsewhere appropriate. - Narrow default token permissions and set explicit job-level permissions with explanatory comments.
- Add concurrency groups and shift some input handling into env vars to improve masking/reproducibility.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/validate-pr-title.yml | Adds concurrency, moves permissions to job-level, pins semantic PR + sticky comment actions to SHAs. |
| .github/workflows/omf_sec_checks.yml | Adds concurrency, scopes permissions per-job, pins checkout to a SHA. |
| .github/workflows/omf_pr_checks.yml | Adds concurrency, scopes permissions, pins reusable workflow + composite action references to a SHA, adds environment. |
| .github/workflows/lint-python.yml | Adds job-level permissions, disables checkout credential persistence, installs Black via env-driven version. |
| .github/actions/s5cmd/action.yml | Exports inputs into INPUTS_* env vars for safer handling in bash. |
| .github/actions/generate-schema-docs/action.yml | Pins checkout/setup-python/setup-uv to SHAs, disables credential persistence, uses env-driven output dir. |
| .github/actions/check-linked-issue/action.yml | Pins actions to SHAs and adjusts secret masking to use env-driven input. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: John McCall <john@overturemaps.org>
Signed-off-by: John McCall <john@overturemaps.org>
Alex Iannicelli (atiannicelli)
approved these changes
Apr 9, 2026
John McCall (lowlydba)
deleted the
306-devops-create-omf-ruleset-for-all-public-repos-v2
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pin GitHub Actions to specific SHAs and tighten workflow security/behavior. Key changes:
These changes improve reproducibility and security of the CI workflows and actions.
Extra
Also Fixes #10