[StepSecurity] Apply security best practices#359
Merged
pboling merged 2 commits intoMay 19, 2026
Merged
Conversation
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
pboling
previously approved these changes
May 19, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This PR applies supply-chain hardening to the repository’s GitHub Actions setup and introduces additional automated security tooling (Scorecards + pre-commit).
Changes:
- Add least-privilege
permissionsto workflows and pin GitHub Actions to commit SHAs. - Add
step-security/harden-runnerto CI workflows to audit outbound network calls. - Add new OpenSSF Scorecard workflow and a new
.pre-commit-config.yaml.
Reviewed changes
Copilot reviewed 22 out of 22 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| .pre-commit-config.yaml | Adds a pre-commit configuration for secret scanning and basic formatting hooks. |
| .github/workflows/windows.yml | Pins actions, adds hardened runner, and restricts token permissions for Windows CI. |
| .github/workflows/macos.yml | Pins actions, adds hardened runner, and restricts token permissions for macOS CI. |
| .github/workflows/unsupported.yml | Pins actions and adds hardened runner for unsupported Ruby matrix testing. |
| .github/workflows/unlocked_deps.yml | Pins actions and adds hardened runner for unlocked dependency testing. |
| .github/workflows/truffle.yml | Pins actions and adds hardened runner for TruffleRuby CI. |
| .github/workflows/supported.yml | Pins actions and adds hardened runner for supported Ruby matrix testing. |
| .github/workflows/style.yml | Pins actions and adds hardened runner for style checks. |
| .github/workflows/scorecards.yml | Introduces OpenSSF Scorecard analysis workflow with pinned actions and scoped permissions. |
| .github/workflows/opencollective.yml | Pins actions and adds hardened runner for the OpenCollective backers update workflow. |
| .github/workflows/locked_deps.yml | Pins actions and adds hardened runner for locked dependency testing. |
| .github/workflows/license-eye.yml | Pins actions and adds hardened runner for dependency license scanning. |
| .github/workflows/legacy.yml | Pins actions and adds hardened runner for legacy Ruby testing. |
| .github/workflows/jruby.yml | Pins actions and adds hardened runner for JRuby testing. |
| .github/workflows/heads.yml | Pins actions and adds hardened runner for “head” runtime testing. |
| .github/workflows/dependency-review.yml | Pins actions and adds hardened runner for dependency review. |
| .github/workflows/dep-heads.yml | Pins actions and adds hardened runner for runtime dependency HEAD testing. |
| .github/workflows/current.yml | Pins actions and adds hardened runner for “current” Ruby runtimes testing. |
| .github/workflows/coverage.yml | Pins actions and adds hardened runner for coverage workflow steps. |
| .github/workflows/codeql-analysis.yml | Pins CodeQL actions, adds hardened runner, and scopes workflow permissions. |
| .github/workflows/auto-assign.yml | Pins auto-assign action, adds hardened runner, and scopes workflow permissions. |
| .github/workflows/ancient.yml | Pins actions and adds hardened runner for EOL Ruby testing. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: |7eter l-|. l3oling <peter.boling@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This pull request is created by StepSecurity at the request of @pboling. Please merge the Pull Request to incorporate the requested changes. Please tag @pboling on your message if you have any questions related to the PR.
Security Fixes
Least Privileged GitHub Actions Token Permissions
The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.
Pinned Dependencies
GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.
Harden Runner
Harden-Runner is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without
sudoaccess. See how popular open-source projects use Harden-Runner here.Harden runner usage
You can find link to view insights and policy recommendation in the build log
Please refer to documentation to find more details.
Add OpenSSF Scorecard Workflow
OpenSSF Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project.
Scorecard workflow also allows maintainers to display a Scorecard badge on their repository to show off their hard work.
Maintain Code Quality with Pre-Commit
Pre-commit is a framework for managing and maintaining multi-language pre-commit hooks. Hooks can be any scripts, code, or binaries that run at any stage of the git workflow. Pre-commit hooks are useful for enforcing code quality, code formatting, and detecting security vulnerabilities.
Feedback
For bug reports, feature requests, and general feedback; please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.
Signed-off-by: StepSecurity Bot bot@stepsecurity.io