Skip to content

Commit 7f7bc2a

Browse files
authored
fix(ci): GitHub Actions security hardening (#95)
Automated GitHub Actions security hardening (zizmor + actionlint + shellcheck, plus manual review). Workflow-config only — no application code is touched. ## Changes - **Scope down checkout credentials** — `persist-credentials: false` on the build checkout. The job (setup-go, golangci-lint, make) does no downstream git writes, so leaving the checkout token in `.git/config` is unnecessary exposure. - **Replace workflow-level `read-all` with least privilege** — the blanket `read-all` permission becomes `permissions: {}` at the workflow level, with the specific scopes granted on the job that needs them (the SARIF upload path is preserved). - **Add a zizmor config + dependabot cooldown** — a `.github/zizmor.yml` disabling a few cosmetic pedantic rules, plus a 3-day cooldown on each dependabot ecosystem so brand-new (and potentially compromised) dependency releases aren't pulled the instant they ship. Refs: PSEC-923
1 parent cd7ff1f commit 7f7bc2a

5 files changed

Lines changed: 23 additions & 1 deletion

File tree

.github/dependabot.yaml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,8 @@ updates:
77
schedule:
88
interval: daily
99
open-pull-requests-limit: 5
10+
cooldown:
11+
default-days: 3
1012
groups:
1113
all:
1214
update-types:
@@ -18,6 +20,8 @@ updates:
1820
schedule:
1921
interval: daily
2022
open-pull-requests-limit: 5
23+
cooldown:
24+
default-days: 3
2125
groups:
2226
all:
2327
update-types:

.github/workflows/build.yaml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,8 @@ jobs:
2323
egress-policy: audit
2424

2525
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
26+
with:
27+
persist-credentials: false
2628

2729
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
2830
with:

.github/workflows/scorecard.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ on:
66
push:
77
branches: ["main"]
88

9-
permissions: read-all
9+
permissions: {}
1010

1111
jobs:
1212
analysis:

.github/workflows/zizmor.yaml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,11 +9,15 @@ on:
99
paths:
1010
- '.github/workflows/**'
1111
- '.github/actions/**'
12+
- '.github/dependabot.yaml'
13+
- '.github/zizmor.yml'
1214
push:
1315
branches: ['main']
1416
paths:
1517
- '.github/workflows/**'
1618
- '.github/actions/**'
19+
- '.github/dependabot.yaml'
20+
- '.github/zizmor.yml'
1721

1822
permissions: {}
1923

.github/zizmor.yml

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
rules:
2+
# Paired with `cooldown.default-days: 3` in .github/dependabot.yaml.
3+
dependabot-cooldown:
4+
config:
5+
days: 3
6+
# Cosmetic pedantic-only findings — suppressed across the campaign.
7+
anonymous-definition:
8+
disable: true
9+
undocumented-permissions:
10+
disable: true
11+
concurrency-limits:
12+
disable: true

0 commit comments

Comments
 (0)