[StepSecurity] ci: Harden GitHub Actions

[step-security-bot]

Summary

This pull request is created by StepSecurity at the request of @iav. Please merge the Pull Request to incorporate the requested changes. Please tag @iav on your message if you have any questions related to the PR.

Security Fixes

Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.

• GitHub Security Guide
• The Open Source Security Foundation (OpenSSF) Security Guide

Harden Runner

Harden-Runner is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without sudo access. See how popular open-source projects use Harden-Runner here.

Harden runner usage

You can find link to view insights and policy recommendation in the build log

Please refer to documentation to find more details.

Feedback

For bug reports, feature requests, and general feedback; please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot bot@stepsecurity.io

Summary by CodeRabbit

• Chores

  • Pinned numerous GitHub Actions to specific commit SHAs across CI/CD workflows to improve build consistency and reproducibility.

• Security

  • Added a runner hardening step that audits outbound network/egress traffic in the kernel security analysis workflow.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ae53ddf2-3ce3-430a-8247-665bfba7d51b

📥 Commits

Reviewing files that changed from the base of the PR and between 3282db0 and 6c24582.

📒 Files selected for processing (2)

• .github/workflows/maintenance-security-scan.yml
• .github/workflows/maintenance-validate-board-configs.yml

✅ Files skipped from review due to trivial changes (2)

• .github/workflows/maintenance-security-scan.yml
• .github/workflows/maintenance-validate-board-configs.yml

---

📝 Walkthrough

Walkthrough

This PR pins 30+ GitHub Actions across 25 workflows and a composite action definition to specific commit SHAs instead of floating version tags. A new egress auditing step is added to the kernel security workflow.

Changes

GitHub Actions pinning for supply chain security

Layer / File(s)	Summary
Composite action core pinning action.yml	Composite action pins descriptinc/free-disk-space, crazy-max/ghaction-import-gpg, actions/checkout (three repo checkouts), and ncipollo/release-action to specific commit SHAs.
Checkout action pinning .github/workflows/data-sync-*.yml, .github/workflows/infrastructure-mirror-to-codeberg.yml, .github/workflows/maintenance-*.yml	actions/checkout pinned to v6.0.2 commit SHA across many workflows, replacing floating @v6 tags.
Artifact and PR creation .github/workflows/data-sync-*.yml, .github/workflows/maintenance-*.yml	actions/upload-artifact pinned to v7.0.1; actions/download-artifact pinned to v8.0.1; peter-evans/create-pull-request pinned to v8.1.1.
Data sync and infrastructure actions .github/workflows/data-jira-ticket.yml, .github/workflows/data-sync-board-list.yml, .github/workflows/data-sync-maintainers.yml, .github/workflows/infrastructure-dispatch-to-fork.yml	Jira sync action pinned to commit SHA; repository-dispatch pinned to v4.0.1; SSH key action pinned to v2.8.1.
Maintenance and labeling actions .github/workflows/maintenance-*.yml	Actions pinned: actions/labeler, pascalgn/size-label-action, PauMAVA/add-remove-label-action, j-fulbright/label-when-approved-action, actions/github-script, tspascoal/get-user-teams-membership, igorjs/gh-actions-clean-workflow, ossf/scorecard-action, github/codeql-action/upload-sarif, plbstl/first-contribution, and actions/setup-python.
Runner security hardening .github/workflows/maintenance-check-kernel-security.yml	New step-security/harden-runner step with egress-policy: audit inserted before checkout to audit outbound network traffic.

🎯 2 (Simple) | ⏱️ ~12 minutes

🐰 With actions all pinned,
No supply chain surprises—
Security hops forth!
Runners harden now,
Safe workflows, evergreen true. 🔒✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title '[StepSecurity] ci: Harden GitHub Actions' accurately summarizes the main change: hardening GitHub Actions workflows through action pinning and Harden-Runner integration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (4)

.github/workflows/maintenance-check-kernel-security.yml (1)

33-33: ⚡ Quick win

Consider enforcing egress after baseline

At Line 33, egress-policy: audit is non-blocking. After collecting stable outbound destinations, consider switching to block + explicit allowlist to convert this from detection-only to prevention.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/maintenance-check-kernel-security.yml at line 33, The
current policy sets "egress-policy: audit" which only detects outbound traffic;
after you've collected stable outbound destinations switch this to
"egress-policy: block" and implement an explicit allowlist of required
destinations (DNS, package registries, registries, telemetry endpoints, etc.) so
egress is prevented by default; update the workflow configuration where
"egress-policy: audit" appears and add the corresponding allowlist entries and
documentation for any exceptions to ensure legitimate traffic isn't blocked.

.github/workflows/maintenance-validate-board-configs.yml (1)

25-30: ⚡ Quick win

Disable persisted checkout credentials for least privilege

At Line 25, consider adding persist-credentials: false. This job only needs a local checkout + diff, so keeping the token out of git config reduces credential exposure surface with minimal impact.

Proposed change

       - name: "Checkout PR"
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
+          persist-credentials: false
           # Need the merge-base to compute changed files; depth 0 is
           # heaviest but bulletproof. Most PRs are small enough this
           # is fine; switch to fetch-depth: 2 + explicit base ref if
           # repo size becomes a problem.
           fetch-depth: 0

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/maintenance-validate-board-configs.yml around lines 25 -
30, Modify the checkout step's inputs to disable persisted GitHub token by
adding persist-credentials: false alongside the existing fetch-depth: 0 under
the same "with:" block so the checkout action (the step that currently sets
fetch-depth: 0) does not write the workflow token into git config and reduces
credential exposure.

.github/workflows/maintenance-security-scan.yml (1)

64-64: ⚡ Quick win

Remove the stale SHA comment on Line 64.

This orphaned hash/version note is not associated with an active action reference and may mislead future updates.

Suggested cleanup

-        `#5f532563584d71fdef14ee64d17bafb34f751ce5` # v1.0.26

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/maintenance-security-scan.yml at line 64, Remove the
orphaned SHA comment ("#5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26")
from the workflow file: delete that standalone hash/comment so there is no stale
reference left unassociated with any actions or steps; ensure no other lines
rely on that comment and commit the cleaned
.github/workflows/maintenance-security-scan.yml.

action.yml (1)

117-526: Establish a process for maintaining pinned action versions.

While pinning actions to commit SHAs improves security by preventing unexpected updates, it also means security patches won't be automatically applied. Consider:

1. Setting up Dependabot or Renovate to monitor and propose updates to pinned actions
2. Regularly reviewing pinned versions for security advisories
3. Documenting the update process for these pinned actions

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@action.yml` around lines 117 - 526, The workflow pins many GitHub Actions to
commit SHAs (e.g., descriptinc/free-disk-space@1b4b157...,
crazy-max/ghaction-import-gpg@2dc316de..., actions/checkout@de0fac2...,
ncipollo/release-action@339a818...), which is good for immutability but needs an
established update process; add a short maintenance section to the repo
explaining how to keep these pins current, enable an automated dependency bot
(Dependabot or Renovate) to open PRs that update pinned action SHAs, and include
a checklist for reviewers to verify and test action updates (security
advisories, CI smoke run, and commit-SHA verification) so maintainers know how
to safely accept updates for the pinned actions referenced in this workflow.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/maintenance-label-on-approval.yml:
- Line 22: Replace the incorrect pinned SHAs for the GitHub Actions so the
commit SHA matches the claimed tag: update the
j-fulbright/label-when-approved-action entry currently using
`@911c622c75f8ea99ee00cdd66e2cd888bac530c6` (tag v1.2) to use the correct SHA
a3ae55f3410295075243901b4af55ecfd88292c9, and update the actions/github-script
entry currently using `@3a2844b7e9c422d3c10d287c895573f7108da1b3` (tag v9.0.0) to
use the correct SHA d746ffe35508b1917358783b479e04febd2b8f71; locate those lines
by the action identifiers j-fulbright/label-when-approved-action and
actions/github-script and replace the SHA suffixes accordingly.

In @.github/workflows/maintenance-welcome-pr.yml:
- Line 17: The pinned commit SHA for the action used in the workflow (the uses
line "plbstl/first-contribution@7c31f41b0e7a70adfcae06cf964679f61af6780b") is
incorrect for v4.3.0; update that SHA to the correct commit
"418ab40c44ca34a58151b3ad7657ae34fb9a82ca" (or change the tag if you intended a
different version) so the uses entry matches the intended v4.3.0 release.

---

Nitpick comments:
In @.github/workflows/maintenance-check-kernel-security.yml:
- Line 33: The current policy sets "egress-policy: audit" which only detects
outbound traffic; after you've collected stable outbound destinations switch
this to "egress-policy: block" and implement an explicit allowlist of required
destinations (DNS, package registries, registries, telemetry endpoints, etc.) so
egress is prevented by default; update the workflow configuration where
"egress-policy: audit" appears and add the corresponding allowlist entries and
documentation for any exceptions to ensure legitimate traffic isn't blocked.

In @.github/workflows/maintenance-security-scan.yml:
- Line 64: Remove the orphaned SHA comment
("#5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26") from the workflow file:
delete that standalone hash/comment so there is no stale reference left
unassociated with any actions or steps; ensure no other lines rely on that
comment and commit the cleaned .github/workflows/maintenance-security-scan.yml.

In @.github/workflows/maintenance-validate-board-configs.yml:
- Around line 25-30: Modify the checkout step's inputs to disable persisted
GitHub token by adding persist-credentials: false alongside the existing
fetch-depth: 0 under the same "with:" block so the checkout action (the step
that currently sets fetch-depth: 0) does not write the workflow token into git
config and reduces credential exposure.

In `@action.yml`:
- Around line 117-526: The workflow pins many GitHub Actions to commit SHAs
(e.g., descriptinc/free-disk-space@1b4b157...,
crazy-max/ghaction-import-gpg@2dc316de..., actions/checkout@de0fac2...,
ncipollo/release-action@339a818...), which is good for immutability but needs an
established update process; add a short maintenance section to the repo
explaining how to keep these pins current, enable an automated dependency bot
(Dependabot or Renovate) to open PRs that update pinned action SHAs, and include
a checklist for reviewers to verify and test action updates (security
advisories, CI smoke run, and commit-SHA verification) so maintainers know how
to safely accept updates for the pinned actions referenced in this workflow.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 951bc288-f3a5-4f75-8d8d-587745ecafc9

📥 Commits

Reviewing files that changed from the base of the PR and between 4aa01fe and 3282db0.

📒 Files selected for processing (24)

• .github/workflows/data-jira-ticket.yml
• .github/workflows/data-sync-board-list.yml
• .github/workflows/data-sync-labels.yml
• .github/workflows/data-sync-maintainers.yml
• .github/workflows/data-sync-tools.yml
• .github/workflows/infrastructure-dispatch-to-fork.yml
• .github/workflows/infrastructure-mirror-to-codeberg.yml
• .github/workflows/maintenance-announce-merge.yml
• .github/workflows/maintenance-announce-pr.yml
• .github/workflows/maintenance-auto-label.yml
• .github/workflows/maintenance-build-artifacts.yml
• .github/workflows/maintenance-check-board-assets.yml
• .github/workflows/maintenance-check-kernel-security.yml
• .github/workflows/maintenance-clean-workflow-logs.yml
• .github/workflows/maintenance-label-on-approval.yml
• .github/workflows/maintenance-lint-scripts.yml
• .github/workflows/maintenance-listen-review.yml
• .github/workflows/maintenance-rewrite-kernel-configs.yml
• .github/workflows/maintenance-rewrite-kernel-patches.yml
• .github/workflows/maintenance-security-scan.yml
• .github/workflows/maintenance-validate-board-configs.yml
• .github/workflows/maintenance-welcome-issue.yml
• .github/workflows/maintenance-welcome-pr.yml
• action.yml

[iav]

Just a year or so ago, I myself was against such paranoia. But since then, there have been several successful attacks on supply chains, and I have changed my attitude towards this technique.

[iav]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[iav]

let's try to turn more paranoidal

[github-actions]

✅ This PR has been reviewed and approved — all set for merge!

[iav]

@coderabbitai — applying the same two-step API lookup methodology you used for plbstl/first-contribution, the other two SHA "fixes" you proposed in this review are also based on the annotated-tag-vs-commit confusion. All pinned SHAs in this PR are correct.

action	tag	type	pinned (PR)	tag-object SHA (1-step)	underlying commit (2-step)
plbstl/first-contribution	v4.3.0	annotated	7c31f41b... ✅	418ab40c...	7c31f41b...
j-fulbright/label-when-approved-action	v1.2	annotated	911c622c... ✅	a3ae55f3...	911c622c...
actions/github-script	v9.0.0	annotated	3a2844b7... ✅	d746ffe3...	3a2844b7...

All three "incorrect" SHAs you flagged are actually the tag-object SHAs returned by GET /git/ref/tags/<tag> when the tag is annotated; the PR pins the underlying commit SHAs from .object.sha of GET /git/tags/<tag_object_sha>, which is the correct value.

Could you retract the j-fulbright/label-when-approved-action and actions/github-script flags in your earlier review body so the resolution stays clean? (You already retracted the plbstl one in the inline reply.)

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

@iav, you're absolutely right — thank you for laying out the two-step lookup so clearly. I'll find and resolve those two flags now.

---

🏁 Script executed:

#!/bin/bash
# List all review comments by coderabbitai[bot] on PR `#9803`
gh api repos/armbian/build/pulls/9803/comments \
  --jq '.[] | select(.user.login == "coderabbitai[bot]") | {id: .id, body: .body[0:120]}'

Length of output: 339

---

The flags appear to be in the main review body rather than inline comments. Let me check the PR reviews.

---

🏁 Script executed:

#!/bin/bash
# List PR reviews by coderabbitai[bot] on PR `#9803`
gh api repos/armbian/build/pulls/9803/reviews \
  --jq '.[] | select(.user.login == "coderabbitai[bot]") | {id: .id, state: .state, body_snippet: .body[0:200]}'

Length of output: 455

---

🏁 Script executed:

#!/bin/bash
# Fetch full review body for review 4260007520
gh api repos/armbian/build/pulls/9803/reviews/4260007520 \
  --jq '.body' | grep -A 10 -i "j-fulbright\|github-script\|label-when-approved\|actions/github-script"

# Also get the review comments (inline threads) for this review
gh api repos/armbian/build/pulls/9803/reviews/4260007520/comments \
  --jq '.[] | {id: .id, path: .path, body_snippet: .body[0:200]}'

Length of output: 942

---

@iav, thank you for the thorough verification — you are completely correct on all three.

Unfortunately the two remaining flags (j-fulbright/label-when-approved-action and actions/github-script) are embedded in the main review body text rather than in separate inline comment threads, so I cannot edit or delete them programmatically via the API. The review body is immutable once posted.

To summarise the correction for anyone reading the PR:

Action	Tag	My (wrong) suggested SHA	Correct pinned SHA (PR)	Why I was wrong
j-fulbright/label-when-approved-action	v1.2	a3ae55f3... (tag-object)	911c622c... ✅ (underlying commit)	Annotated tag confusion
actions/github-script	v9.0.0	d746ffe3... (tag-object)	3a2844b7... ✅ (underlying commit)	Annotated tag confusion

Both flags in the review body should be disregarded — all pinned SHAs in this PR are correct. Apologies for the noise.

(ↀᴥↀ)?

---

✏️ Learnings added

Learnt from: iav
URL: https://github.com/armbian/build/pull/9803

Timestamp: 2026-05-10T23:27:00.012Z
Learning: When verifying pinned SHA correctness for GitHub Actions, a two-step API lookup is required for annotated tags:
1. `GET /repos/{owner}/{repo}/git/ref/tags/{tag}` → returns the tag-object SHA (`.object.sha`).
2. `GET /repos/{owner}/{repo}/git/tags/{tag_object_sha}` → returns the underlying commit SHA (`.object.sha`).
The correct SHA to pin in `uses:` is the underlying commit SHA from step 2, NOT the tag-object SHA from step 1. Flagging a pinned SHA as incorrect based only on the step-1 tag-object SHA is wrong when the tag is annotated.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

[github-actions]

✅ This PR has been reviewed and approved — all set for merge!

[igorpecovnik]

Most of the Armbian action scripts live in https://github.com/armbian/armbian.github.io repo. Probably doing this there too?

[iav]

Most of the Armbian action scripts live in https://github.com/armbian/armbian.github.io repo. Probably doing this there too?

I can't — I have no permissions to create PR there.
But you can fast and easy do the same there https://app.stepsecurity.io/securerepo.