Skip to content

fix(ci): GitHub Actions security hardening#26

Merged
stevebeattie merged 5 commits into
chainguard-dev:mainfrom
stevebeattie:security/psec-923-terraform-aws-chainguard-account-association
Jun 30, 2026
Merged

fix(ci): GitHub Actions security hardening#26
stevebeattie merged 5 commits into
chainguard-dev:mainfrom
stevebeattie:security/psec-923-terraform-aws-chainguard-account-association

Conversation

@stevebeattie

Copy link
Copy Markdown
Member

This PR applies a set of GitHub Actions hardening fixes to the workflows in
.github/workflows/, surfaced by static analysis (zizmor / actionlint).

What this changes

  • persist-credentials: false on checkout steps (documentation.yml,
    main.yml). Neither job pushes back to the repo, so the auto-persisted
    GITHUB_TOKEN is unnecessary; leaving it in the local git config widens the
    blast radius of any later step. Explicitly opting out drops the credential
    from .git/config.
  • Least-privilege permissions on the docs workflow (documentation.yml).
    Adds a top-level permissions: {} (deny-all default) and grants the docs
    job only contents: read, which is all it needs to clone and render docs.
  • Corrected version comment on hashicorp/setup-terraform (main.yml).
    The pinned SHA's trailing comment read # 3.0.0; aligned it to the tag form
    # v3.0.0 so the pin and its human-readable annotation agree.
  • Repo-level zizmor config (.github/zizmor.yml). Adds a small config that
    disables three pedantic, cosmetic-only rules (anonymous-definition,
    undocumented-permissions, concurrency-limits) so future scans stay focused
    on substantive findings. The existing zizmor.yaml workflow's paths: trigger
    is extended to include this new file so config changes re-run the scan.
  • Dependabot coverage (.github/dependabot.yml). The workflows pin every
    external action to a commit SHA, but the repo had no dependabot config, so the
    pins had no automated freshness mechanism and were being bumped by hand. Adds
    weekly github-actions and terraform update coverage with a 3-day cooldown.
    The matching dependabot-cooldown threshold is declared in .github/zizmor.yml.

Test plan

  • zizmor .github/ — clean after these changes (the cosmetic rules above are
    suppressed via the committed config).
  • actionlint — workflows still parse with no errors.
  • terraform fmt -check / validate behavior is unchanged (only checkout and
    permissions metadata were touched, not the lint steps).

An independent review of the change set found no blocking issues.

Refs: PSEC-923

Refs: PSEC-923
Generated-By: claude-guard chain 837cd507803cda3a0de103f703e789c2
Skills-Applied: artipacked
Skills-Sha: 36911d4e2f59ccbfee841f0e8d648c67358f2092fba22c4a8befb075a27dc6c8
Image-Sha: sha256:b877e51f286d9585633e2b54c4bb6859af5a4f769426bf7ea891becb96f51641
Refs: PSEC-923
Generated-By: claude-guard chain 837cd507803cda3a0de103f703e789c2
Skills-Applied: excessive-permissions
Skills-Sha: 36911d4e2f59ccbfee841f0e8d648c67358f2092fba22c4a8befb075a27dc6c8
Image-Sha: sha256:b877e51f286d9585633e2b54c4bb6859af5a4f769426bf7ea891becb96f51641
Refs: PSEC-923
Generated-By: claude-guard chain 837cd507803cda3a0de103f703e789c2
Skills-Applied: ref-version-mismatch
Skills-Sha: 36911d4e2f59ccbfee841f0e8d648c67358f2092fba22c4a8befb075a27dc6c8
Image-Sha: sha256:b877e51f286d9585633e2b54c4bb6859af5a4f769426bf7ea891becb96f51641
Refs: PSEC-923
Generated-By: claude-guard chain 837cd507803cda3a0de103f703e789c2
Skills-Applied: zizmor-config
Skills-Sha: 36911d4e2f59ccbfee841f0e8d648c67358f2092fba22c4a8befb075a27dc6c8
Image-Sha: sha256:b877e51f286d9585633e2b54c4bb6859af5a4f769426bf7ea891becb96f51641
The workflows pin all external actions to commit SHAs but the repo had no
dependabot.yml, so those pins had no automated freshness mechanism and were
being bumped by hand. Add dependabot coverage for both the github-actions and
terraform ecosystems on a weekly schedule with a 3-day cooldown.

The matching dependabot-cooldown threshold (days: 3) is declared in
.github/zizmor.yml so zizmor treats the configured cooldown as sufficient.

Generated-By: claude-guard
@stevebeattie stevebeattie requested review from egibs and eslerm June 30, 2026 20:53
@stevebeattie stevebeattie enabled auto-merge (squash) June 30, 2026 20:57
@stevebeattie stevebeattie merged commit d212073 into chainguard-dev:main Jun 30, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants