
ci: harden GitHub Actions workflows#2645

Merged
flavorjones merged 9 commits into main from flavorjones/harden-github-actions on Mar 18, 2026

Conversation

@flavorjones (Member) commented Mar 2, 2026

Summary

Hardening the GitHub Actions workflows per recommendations from `zizmor` and `pinact`:

  • Pin all actions to commit SHAs to prevent supply chain attacks via mutable version tags
  • Batch Dependabot action updates into a single grouped PR rather than one per action
  • Scope broad permissions to jobs in `publish-image.yml` — `packages: write`, `id-token: write`, and `attestations: write` were at the workflow level; now scoped to the jobs that need them (`attestations: write` only on the `build` job)
  • Disable credential persistence after checkout in all workflows that don't need it; `dependabot-sync-saas-lockfile.yml` retains credentials with a comment explaining why (it does a `git push`)
  • Fix template injection in `publish-image.yml` by routing `steps.meta.outputs.tags` through `env:` variables before shell interpolation
  • Suppress `secrets-outside-env` in `test.yml` with a comment — the secret is a `workflow_call` input and this workflow never runs on PRs, so a GitHub Environment would be inappropriate
  • Add a `zizmor` CI job to `ci-checks.yml` so future workflow changes are automatically audited on every PR
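An added illustration, not the diff from this PR, of three of the changes the summary lists in one `publish-image.yml`-style workflow: the `${{ }}`-in-`run:` pattern beside the `env:` routing that replaces it, a SHA-pinned `actions/checkout` with `persist-credentials: false`, and the write permissions moved from the workflow level onto the `build` job. The all-zero SHAs are placeholders (not the commits this PR pinned to), and the `docker/metadata-action` step with its `images` input is assumed as the source of `steps.meta.outputs.tags`.

```yaml
# Added example; not the diff from PR #2645. All SHAs are placeholders.
name: publish-image
on:
  push:
    tags: ["v*"]

# The workflow-level block holds only what every job needs.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Write scopes live on the job that uses them, not on the workflow.
    permissions:
      contents: read
      packages: write
      id-token: write
      attestations: write
    steps:
      # Pin to a full commit SHA; the trailing comment records the tag it
      # corresponds to so pinact/Dependabot can keep it current.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
        with:
          persist-credentials: false   # this job never pushes, so drop the token

      - id: meta
        uses: docker/metadata-action@0000000000000000000000000000000000000000 # placeholder
        with:
          images: ghcr.io/${{ github.repository }}

      # BEFORE (what zizmor reports as template injection): the expression is
      # expanded into the script text before bash parses it, so any shell
      # metacharacters in a tag become shell syntax.
      # - run: echo "Publishing ${{ steps.meta.outputs.tags }}"

      # AFTER: expand into an environment variable instead. Bash only sees a
      # quoted variable reference and never re-parses the tag content.
      - name: Print tags
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
        run: echo "Publishing $TAGS"
```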

Copilot AI review requested due to automatic review settings March 2, 2026 17:22
Copilot AI (Contributor) left a comment

Pull request overview

This PR hardens the repository’s GitHub Actions workflows against supply-chain and credential exposure risks by pinning third-party actions and reducing token persistence, plus addressing an expression-to-shell interpolation risk in the image publishing workflow.

Changes:

  • Pin GitHub Actions uses: references to specific commit SHAs (instead of mutable tags).
  • Set persist-credentials: false on actions/checkout steps to reduce token exposure.
  • Avoid direct ${{ ... }} interpolation into bash in publish-image.yml by passing step outputs via env:.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .github/workflows/test.yml | Pins checkout/setup-ruby actions and disables persisted checkout credentials. |
| .github/workflows/publish-image.yml | Pins Docker/GitHub actions, disables persisted checkout credentials, and routes metadata output through env to avoid expression injection into bash. |
| .github/workflows/dependabot-sync-saas-lockfile.yml | Pins actions and disables persisted checkout credentials (but this workflow also pushes commits). |
| .github/workflows/ci-checks.yml | Pins checkout/setup-ruby actions and disables persisted checkout credentials across jobs. |


using `pinact`
@flavorjones flavorjones force-pushed the flavorjones/harden-github-actions branch from cb22554 to 469c656 Compare March 17, 2026 21:19
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.



Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.



Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated no new comments.



@flavorjones flavorjones merged commit 01d1af9 into main Mar 18, 2026
14 checks passed
@flavorjones flavorjones deleted the flavorjones/harden-github-actions branch March 18, 2026 01:43