Skip to content

ci: harden GitHub Actions (SHA-pin + Dependabot)#99

Open
fredespi wants to merge 2 commits into
mainfrom
ci-harden-actions
Open

ci: harden GitHub Actions (SHA-pin + Dependabot)#99
fredespi wants to merge 2 commits into
mainfrom
ci-harden-actions

Conversation

@fredespi

Copy link
Copy Markdown
Collaborator

Summary

  • SHA-pin all remaining tag-referenced actions across ci.yml, nightly.yml, release.yml (each with a # vX.Y.Z comment).
  • Add .github/dependabot.yml (github-actions, weekly) so the pins stay current.

Why

Mutable action tags (@v6, @v1) can be hijacked — a force-moved tag would run attacker code on our runners, including the self-hosted GPU boxes. Immutable commit SHAs close that supply-chain vector; Dependabot keeps them from going stale.

Actions pinned

Action SHA Version
actions/checkout df4cb1c069e1874edd31b4311f1884172cec0e10 v6.0.3
actions/cache caa296126883cff596d87d8935842f9db880ef25 v5.1.0
actions-rust-lang/setup-rust-toolchain 166cdcfd11aee3cb47222f9ddb555ce30ddb9659 v1.17.0
dtolnay/rust-toolchain c0e9df88980754dd93e5833b8dcb1b304c1fe173 1.96.0

(dorny/paths-filter, taiki-e/install-action, j178/prek-action were already SHA-pinned.)

Related hardening already applied to repo settings (not in this diff)

  • Default GITHUB_TOKEN permissions: write → read
  • GitHub Actions can create/approve PRs: true → false
  • Fork-PR workflow approval: confirmed required for all external contributors

Follow-up (deliberately NOT in this PR)

  • Enable repo setting sha_pinning_required only after this merges and other open branches are rebased onto the pinned main — otherwise GitHub rejects runs on any ref whose workflows still reference tags.
  • Optional: narrow allowed_actions from all to selected.

Test plan

  • actionlint clean (aside from pre-existing self-hosted runner labels + one pre-existing shellcheck style nit)
  • No remaining tag-based uses: refs in any workflow or composite action
  • CI green on this PR

fredespi added 2 commits July 10, 2026 15:50
Pin the remaining tag-referenced actions (checkout, cache, setup-rust-toolchain,
dtolnay/rust-toolchain) to full commit SHAs with a trailing version comment. Tags
are mutable, so a hijacked tag would run attacker code on the runners — including
the self-hosted GPU boxes. SHAs are immutable and close that supply-chain vector.

Signed-off-by: fredespi <fredrik.espinoza@gmail.com>
Keep the newly SHA-pinned actions current: Dependabot reads the version from each
`uses:` trailing comment and opens weekly PRs bumping the SHA when a new release
lands, so pinning for supply-chain safety does not mean going stale.

Signed-off-by: fredespi <fredrik.espinoza@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant