
ci: harden GitHub Actions workflows#36

Merged
flavorjones merged 7 commits into
mainfrom
harden-github-actions
Mar 20, 2026

Conversation

@flavorjones

Member

Summary

  • Add zizmor and actionlint CI job
  • Configure dependabot with batched updates and cooldown periods
  • Pin all GitHub Actions to SHA hashes
  • Fix template-injection, excessive-permissions, and artipacked findings
  • Scope all permissions to job-level

Test plan

  • CI passes (lint-actions job runs clean)
  • Existing test and docker-publish jobs unaffected

🤖 Generated with Claude Code

Copilot AI review requested due to automatic review settings March 20, 2026 20:26

Copilot AI left a comment


Pull request overview

This PR hardens the repository’s GitHub automation by reducing default token permissions, pinning GitHub Actions to immutable SHAs, and adding CI checks to audit workflow security and correctness.

Changes:

  • Add a dedicated CI job to run actionlint and zizmor against workflows.
  • Pin referenced GitHub Actions to specific commit SHAs and disable checkout credential persistence.
  • Add a new Dependabot configuration to group updates and control update timing.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .github/workflows/docker-publish.yml | Applies least-privilege permissions and pins actions; adjusts tag derivation to avoid expression interpolation in shell. |
| .github/workflows/ci.yml | Adds a workflow-auditing job and scopes permissions; pins actions used by CI. |
| .github/dependabot.yml | Introduces grouped Dependabot updates for GitHub Actions and Bundler with scheduled cadence. |

Comment thread .github/workflows/docker-publish.yml
flavorjones and others added 5 commits March 20, 2026 16:48
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move github.event.inputs.tagInput to env var to prevent code injection
via template expansion. github.ref_name already available as GITHUB_REF_NAME.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Set permissions: {} at workflow level and scope per-job permissions.
Add persist-credentials: false to all checkout steps.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@flavorjones flavorjones force-pushed the harden-github-actions branch from 6df0344 to 88c6b12 Compare March 20, 2026 20:48
Add validation that the version tag matches [A-Za-z0-9_.-]{1,128}
before writing to $GITHUB_OUTPUT, preventing newline injection or
invalid Docker tags from workflow_dispatch input.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 20, 2026 20:56

Copilot AI left a comment


Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Comment thread .github/workflows/docker-publish.yml Outdated
First character must be [A-Za-z0-9_] per Docker tag spec.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
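The commits above describe four hardening moves (empty workflow-level permissions with job-level grants, SHA-pinned actions, `persist-credentials: false` on checkout, and routing `workflow_dispatch` input through an environment variable and validating it before it reaches `$GITHUB_OUTPUT`). The workflow below is an added illustration written for this page, not the project's own `docker-publish.yml`; the workflow name, step names, the all-zero action SHA and its version comment are placeholders.

```yaml
# Added example, not this repository's workflow. Shows the hardening pattern
# the commits describe; the action SHA and version below are placeholders.
name: docker-publish-hardened

on:
  push:
    tags: ["v*"]
  workflow_dispatch:
    inputs:
      tagInput:
        description: "Image tag to publish (optional)"
        required: false
        type: string

# Workflow level: grant nothing. Each job asks for exactly what it needs.
permissions: {}

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      # Pinned to a full commit SHA (placeholder here), with the version kept in
      # a trailing comment so Dependabot can still propose updates. The token is
      # not written into .git/config, so later steps cannot reuse it.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
        with:
          persist-credentials: false

      # Weak form (for contrast, do not use): the expression is expanded into
      # the script text before bash runs, so the input is executed as code.
      #   run: echo "tag=${{ github.event.inputs.tagInput }}" >> "$GITHUB_OUTPUT"
      #
      # Hardened form: the input reaches the script only as an environment
      # variable, so bash treats it as data; the runner already exports
      # GITHUB_REF_NAME for the push case.
      - name: Derive and validate image tag
        id: tag
        env:
          TAG_INPUT: ${{ github.event.inputs.tagInput }}
        run: |
          set -euo pipefail
          tag="${TAG_INPUT:-$GITHUB_REF_NAME}"
          # Docker tag rules: first char [A-Za-z0-9_], then [A-Za-z0-9_.-],
          # at most 128 chars. bash's =~ anchors ^ and $ to the whole string, so
          # a newline anywhere in $tag fails the match and cannot smuggle a second
          # key=value line into $GITHUB_OUTPUT.
          re='^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
          if [[ ! "$tag" =~ $re ]]; then
            echo "::error::invalid image tag: $tag"
            exit 1
          fi
          echo "tag=$tag" >> "$GITHUB_OUTPUT"

      # Downstream steps consume the validated output the same way: via env,
      # never by interpolating it into the script body.
      - name: Build and push (placeholder)
        env:
          IMAGE_TAG: ${{ steps.tag.outputs.tag }}
        run: echo "would build and push image with tag: $IMAGE_TAG"
```

The regex is written as a variable (`re=...`) on purpose: quoting the pattern inline on the right-hand side of `=~` makes bash treat it as a literal string rather than a regular expression. Rejecting on the validation step rather than sanitizing keeps the failure visible in the run log, which is the behaviour a reviewer can check with `actionlint` and `zizmor` in the lint job this PR adds.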
@flavorjones flavorjones merged commit 77b24d6 into main Mar 20, 2026
5 checks passed
@flavorjones flavorjones deleted the harden-github-actions branch March 20, 2026 21:11
2 participants