Harden and improve GitHub Actions workflows#702
Conversation
mcbenjemaa left a comment:
LGTM,
If we don't need that GITHUB_TOKEN in the Sonar Action?
I put it back into draft mode because I still need to test a few things (particularly dependabot and external contributor PRs). Plus, I need to fix SonarQube config.
Remove branch filters from pull_request/pull_request_target triggers so that CI runs for PRs opened against any branch (e.g. WIP branches like v1alpha3/wip). Restrict push triggers to main only to avoid duplicate runs when pushing to branches with open PRs. Co-authored-by: Claude <noreply@anthropic.com>
Rework triggers: push only fires on v* tags (no longer on branch pushes), pull_request fires on all PRs with no branch filter. Previously branch pushes to main/release-* would build and push images to GHCR; now only tag releases do. PRs still build the image for validation without pushing. Co-authored-by: Claude <noreply@anthropic.com>
Add a concurrency group keyed by PR number (or commit SHA for push events) with cancel-in-progress. Placed at job level so the old run continues until the new run passes its environment approval gate, then gets cancelled. Co-authored-by: Claude <noreply@anthropic.com>
Replace ${{ env.* }} expression interpolation with quoted shell variable expansion to prevent potential command injection via environment variables. Co-authored-by: Claude <noreply@anthropic.com>
The sonarqube-scan-action only requires SONAR_TOKEN for authentication. GITHUB_TOKEN is not used by the action. Co-authored-by: Claude <noreply@anthropic.com>
Pull request overview
This PR hardens CAPMOX’s GitHub Actions workflows by reducing default token permissions, avoiding unsafe expression interpolation in shell commands, and improving CI ergonomics (trigger behavior, image publishing rules, and e2e run cancellation).
Changes:
- Add explicit least-privilege `permissions` blocks across workflows and drop `GITHUB_TOKEN` from the Sonar scan env.
- Replace `${{ env.* }}` interpolation in `run:` commands with quoted shell variable expansion.
- Adjust CI behavior: broader PR triggering, tag-only image pushes, and job-level e2e concurrency cancellation.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/test.yml | Removes PR branch filter, adds minimal permissions, and removes GITHUB_TOKEN from Sonar steps. |
| .github/workflows/release.yml | Hardens make invocation to use quoted shell variable expansion for RELEASE_VERSION. |
| .github/workflows/e2e.yml | Removes PR-target branch filter, adds minimal permissions, adds concurrency cancellation, and hardens GINKGO_SKIP passing. |
| .github/workflows/container-image.yaml | Removes branch filters from triggers and reduces contents permission to read while keeping GHCR publishing. |
| .github/workflows/codespell.yml | Adds minimal contents: read permissions. |



Description of changes:
A few simple tweaks to improve the resilience and ergonomics of our actions.
Hardening:
- Replace `${{ env.* }}` interpolation with quoted shell variable expansion (interpolation happens before the expression is passed to the shell, potentially allowing command injection)
Ergonomics:
Testing performed:
- actionlint + CodeQL analyze actions
- Tested triggers, e2e labels, concurrency
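As an added illustration (not part of this PR's diff or the CAPMOX repository), a minimal workflow showing the three hardening patterns the PR describes: a least-privilege `permissions` block, a job-level concurrency group keyed by PR number or commit SHA with `cancel-in-progress`, and a `run:` step that expands a quoted shell variable instead of interpolating `${{ env.* }}`. The `make release` target and the way `RELEASE_VERSION` is derived are assumptions modelled on the file summary above; the unsafe step is kept commented out for contrast.

```yaml
name: release
on:
  push:
    tags: ['v*']      # build-and-publish only for tag pushes
  pull_request:       # PRs build for validation, no publishing

# Least-privilege default: jobs get read-only access unless they ask for more.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Job-level group: a new run for the same PR (or same commit on push)
    # cancels the superseded one once it reaches this job.
    concurrency:
      group: build-${{ github.event.pull_request.number || github.sha }}
      cancel-in-progress: true
    env:
      # Assumed: version taken from the pushed tag name (e.g. v1.2.3).
      RELEASE_VERSION: ${{ github.ref_name }}
    steps:
      - uses: actions/checkout@v4

      # BEFORE (unsafe): the expression is substituted into the script text
      # before bash parses it, so shell metacharacters in the value become
      # part of the command.
      # - run: make release RELEASE_VERSION=${{ env.RELEASE_VERSION }}

      # AFTER: the value reaches bash only as an environment variable and the
      # double quotes keep it a single word that is never re-parsed as code.
      - run: make release RELEASE_VERSION="$RELEASE_VERSION"
```

The same pattern applies to `GINKGO_SKIP` in the e2e workflow: pass it as `"$GINKGO_SKIP"` from an `env:` mapping rather than interpolating it into the `run:` script.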