ci: pin actions to SHAs and harden workflows#204
Merged
Conversation
## What Pin all GitHub Actions to full commit SHAs (with version comments) and apply baseline security hardening from the gha-standards skill across both workflows. ## Why Floating tag references (e.g. @v6) can be re-pointed if a maintainer account is compromised. SHA pinning prevents supply-chain swaps. The accompanying hardening (workflow-level permissions:{}, job-scoped permissions with justification, harden-runner egress monitoring, persist-credentials:false on checkout, PR-aware concurrency) applies least-privilege defaults. ## Notes - harden-runner is set to egress-policy: audit, not block. It will report unexpected network calls but not fail the build. Switch to block only after reviewing a few audit runs. - contributors.yml omits a concurrency block intentionally — it's schedule/workflow_dispatch only, where concurrent runs are not a concern. - ci.yml's concurrency uses github.head_ref || github.ref so PRs each get their own group, and cancel-in-progress only fires on pull_request events so post-submit push runs aren't interrupted. - permissions:{} at workflow level is deny-all. New jobs added later without their own permissions: block will have no token scopes — reviewers should watch for that. - contributors.yml's job has discussions:write but no contents:read. The create-discussion step reads ./contributors.md generated by the prior contributors step in the same workspace, so no checkout is needed — worth a watch on the next scheduled run. Signed-off-by: jmeridth <jmeridth@gmail.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Tightens GitHub Actions security posture by reducing default token permissions, pinning third-party actions to immutable SHAs, and adding basic runner hardening/concurrency controls.
Changes:
- Set workflow-level
permissions: {}and move required permissions to job scope. - Pin actions to commit SHAs and add
step-security/harden-runnerwithegress-policy: audit. - Add workflow
concurrencyto reduce duplicate CI runs on PR updates.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/contributors.yml | Pins actions, adds runner hardening, and scopes discussion write permission to the job. |
| .github/workflows/ci.yml | Adds concurrency, scopes permissions to the lint job, hardens runner, and pins checkout/setup-node actions. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Pin all GitHub Actions to full commit SHAs (with version comments) and apply baseline security hardening across both workflows.
Why
Floating tag references (e.g.
@v6) can be re-pointed if a maintainer account is compromised. SHA pinning prevents supply-chain swaps. The accompanying hardening (workflow-levelpermissions: {}, job-scoped permissions with justification,harden-runneregress monitoring,persist-credentials: falseon checkout, PR-aware concurrency) applies least-privilege defaults.Notes
harden-runneris set toegress-policy: audit, notblock. It will report unexpected network calls in the run summary but will not fail the build. Switch toblockonly after reviewing a few audit runs to confirm the allowlist.contributors.ymlomits a concurrency block intentionally — it'sschedule/workflow_dispatchonly, where concurrent runs are not a concern.ci.yml's concurrency usesgithub.head_ref || github.refso each PR gets its own group, andcancel-in-progressonly fires onpull_requestevents so post-submitpushruns aren't interrupted.permissions: {}at workflow level is deny-all. New jobs added later without their ownpermissions:block will have no token scopes — reviewers should watch for that.contributors.yml's job hasdiscussions: writebut nocontents: read. Thecreate-discussionstep reads./contributors.mdproduced by the priorcontributorsstep in the same workspace, so no checkout is needed — worth a watch on the next scheduled run.Testing
npm test(markdownlint + prettier) passes locally.yaml.safe_load.ci.ymlend-to-end.contributors.ymlruns on a monthly schedule; cannot be exercised pre-merge. First scheduled run after merge is the real validation — recommend watching the next month's run for anyharden-runneregress-audit warnings or permission failures from the restructured job scope.