ci(spellcheck): pin misspell + add least-privilege permissions#1450
Open
bmehta001 wants to merge 1 commit into
Three hardening fixes for `.github/workflows/spellcheck.yml`, ported from the same audit applied to the sister modules repo:

1. Add top-level `permissions: contents: read`. Without an explicit block, the `GITHUB_TOKEN` inherits the repo default (typically read+write across most APIs), which is far more than misspell needs. misspell only walks `.md`/`.txt`/`lib`/`tests` files and prints typos to stdout; it never comments on PRs, posts statuses, or writes packages. This also satisfies CodeQL rule `actions/missing-workflow-permissions` if Actions analysis is enabled here later (it isn't in the current `codeql-analysis.yml` matrix, but no reason to wait for that).
2. Replace the unpinned bootstrap install with a pinned tarball download. The prior `curl https://git.io/misspell | sh` pattern executed a shell script from the master branch of an external repo via a git.io redirect — a supply-chain risk that also made CI non-reproducible. Now we download a specific release artifact (v0.3.4) directly from GitHub releases.
3. Verify the tarball SHA256 against the published checksum `afd95caf1eecc72ff382791e00b3b11523a20b0579d95e2295c1c043688743d5` (linux_64bit). Any tampering or unexpected upstream change will fail CI rather than silently execute.

Scope of misspell unchanged: still scans `.md`, `.txt`, `examples/**`, all of `lib/` (excluding `json.hpp`), and `tests/**`.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Hardens the spellcheck workflow with three security-focused fixes: pins misspell to v0.3.4 with SHA256 verification (replacing an unpinned curl | sh bootstrap), and adds a least-privilege permissions block scoping GITHUB_TOKEN to contents: read.
Changes:
- Add top-level `permissions: { contents: read }` block to scope `GITHUB_TOKEN`.
- Replace `curl https://git.io/misspell | sh` with a pinned release tarball download from GitHub releases.
- Verify the tarball SHA256 against the upstream-published checksum before extraction.
Summary
Hardens `.github/workflows/spellcheck.yml` with the same three fixes already landed in the sister modules repo (microsoft/cpp_client_telemetry_modules#320, commits f596201 + 7540eec + 8d26e48):
- `GITHUB_TOKEN` — adds a top-level `permissions: { contents: read }` block. Without it, the workflow inherits the repo default (read+write on most APIs); misspell only needs to walk `.md`/`.txt`/`lib`/`tests` files. Also forward-compatible with enabling `actions` analysis in `codeql-analysis.yml` later (it would immediately flag `actions/missing-workflow-permissions` otherwise — that rule is what surfaced the same issue on the modules side).
- Replaces the `curl https://git.io/misspell | sh` bootstrap (executes a shell script from `master` of an external repo via a redirect — supply-chain risk + non-reproducible) with a direct download of a specific release artifact from GitHub releases.
- Verifies the tarball SHA256 against `afd95caf1eecc72ff382791e00b3b11523a20b0579d95e2295c1c043688743d5` (linux_64bit). Any tampering or unexpected upstream change fails CI rather than silently executing.

Scope of misspell unchanged: still scans `.md`, `.txt`, `examples/**`, all of `lib/` (excluding `json.hpp`), and `tests/**`. The fix is purely the install + permissions layer.

Why now
GHAS in this repo doesn't currently scan workflow files (the `codeql-analysis.yml` matrix is `[cpp, javascript, python]` + `java` — no `actions` language), so this gap wasn't surfaced as a security alert. The audit on modules revealed it by analogy; small enough to fix proactively.

Validation
The misspell workflow will run on this PR automatically (push trigger). On the modules-side equivalent commit, the same workflow passed first try.

Bump procedure (for posterity)
To bump misspell: download the new tarball + checksum from https://github.com/client9/misspell/releases, update `MISSPELL_VERSION` and `MISSPELL_SHA256` in this workflow.
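The pinned-download-plus-checksum step that the summary and bump procedure describe, as an added POSIX sh example (not the PR's own workflow code). It uses the version and linux_64bit checksum quoted in the PR and the `MISSPELL_VERSION`/`MISSPELL_SHA256` names from the bump procedure; the release asset file name and the `misspell` member name inside the tarball are assumptions, and the offline demo uses a constructed file with a known hash.

```shell
#!/bin/sh
# Added example, not the PR's workflow: pinned misspell download with a SHA256 gate.
# MISSPELL_VERSION / MISSPELL_SHA256 are the variable names the bump procedure
# names; the checksum is the linux_64bit value quoted in the PR. The asset file
# name pattern below is an assumption about the client9/misspell release layout.
MISSPELL_VERSION="0.3.4"
MISSPELL_SHA256="afd95caf1eecc72ff382791e00b3b11523a20b0579d95e2295c1c043688743d5"
MISSPELL_URL="https://github.com/client9/misspell/releases/download/v${MISSPELL_VERSION}/misspell_${MISSPELL_VERSION}_linux_64bit.tar.gz"

# verify_sha256 FILE EXPECTED: exit 0 only if FILE hashes to EXPECTED.
# sha256sum -c does the comparison; --status keeps it quiet for use in conditions.
verify_sha256() {
    printf '%s  %s\n' "$2" "$1" | sha256sum -c --status
}

# install_pinned_misspell DESTDIR: fetch the pinned artifact and extract the
# binary (assumed tar member name "misspell") only after the checksum matches.
# Needs network access; the offline test below does not call it.
install_pinned_misspell() {
    dest="$1"
    tmp="$(mktemp -d)"
    curl -fsSL -o "${tmp}/misspell.tar.gz" "${MISSPELL_URL}" || { rm -rf "${tmp}"; return 1; }
    if ! verify_sha256 "${tmp}/misspell.tar.gz" "${MISSPELL_SHA256}"; then
        echo "misspell tarball SHA256 mismatch; refusing to extract" >&2
        rm -rf "${tmp}"
        return 1
    fi
    tar -xzf "${tmp}/misspell.tar.gz" -C "${dest}" misspell
    rm -rf "${tmp}"
}

# demo_verify: offline check with a constructed file whose SHA256 is known
# (the bytes "hello\n"). A match must pass and a one-byte change must fail.
demo_verify() {
    d="$(mktemp -d)"
    good="5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
    printf 'hello\n' > "${d}/good.bin"
    printf 'hellp\n' > "${d}/bad.bin"
    verify_sha256 "${d}/good.bin" "${good}" || { rm -rf "${d}"; return 1; }
    if verify_sha256 "${d}/bad.bin" "${good}"; then rm -rf "${d}"; return 1; fi
    rm -rf "${d}"
}

# In the workflow step this would be: install_pinned_misspell "$HOME/bin"
demo_verify && echo "checksum gate behaves as expected"
```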