Summary
Reference: PR #5889 implements these changes.
This issue tracks the need to harden the GitHub Actions workflows in this repository to follow security best practices for CI/CD pipelines.
Problem
The current GitHub Actions workflows have three security gaps:
- Mutable action tags: Several workflows reference actions using mutable version tags (e.g., actions/checkout@v5); the same applies to other dependency tags, which will be addressed in a separate PR. A tag can be silently re-pointed to a different, potentially malicious, commit without any indication to consumers, so every run of the workflow trusts whatever the tag resolves to at that moment.
- Credentials persisted in checkout: Multiple workflow steps using actions/checkout do not explicitly set persist-credentials: false, so actions/checkout leaves the GITHUB_TOKEN in the repository's .git/config after checkout. Any later step or third-party action in the job can read it, and it can leak if the workspace is uploaded as an artifact or cached. This unnecessarily exposes credentials to subsequent steps.
- Overly broad PR trigger events: Some workflows (e.g., pr-golangci-lint and pr-verify) were triggered on pull_request_target or on the edited event type. pull_request_target runs in the context of the base repository with a read/write GITHUB_TOKEN and access to repository secrets, so a workflow that checks out or executes pull request code under it lets untrusted contributors escalate to those privileges; the edited event re-runs the workflow whenever the PR title, body, or base branch is changed, without any code change.
Proposed Solution
- Pin actions to full commit SHAs instead of mutable tags (e.g., actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # tag=v5), ensuring immutability and auditability. The trailing comment records the tag the SHA was taken from so reviewers and Dependabot can track upgrades.
- Add persist-credentials: false to all actions/checkout steps where downstream steps do not require Git authentication (steps that later push commits, create tags, or run git fetch against private repositories still need it).
- Replace pull_request_target with pull_request in the pr-verify workflow and remove the edited event type from relevant workflow triggers.
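The following checker is an added example, not code from this repository or from PR #5889. It illustrates both the Problem section (how to spot the three gaps) and the Proposed Solution (what the hardened form looks like) by auditing workflow text line by line for mutable action refs, actions/checkout steps without persist-credentials: false, and pull_request_target or edited triggers. It deliberately avoids a YAML parser dependency, so unusual layouts such as flow-style step mappings are not handled. Both workflow texts are constructed samples; the only real identifier is the actions/checkout SHA quoted in this issue.

```python
import re

# Constructed sample (not a real workflow from the repository): all three gaps present.
WEAK_WORKFLOW = """\
name: pr-verify
on:
  pull_request_target:
    types: [opened, synchronize, edited]
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - run: make verify
"""

# Constructed sample: the same workflow after applying the proposed hardening.
# The checkout SHA is the one quoted in the issue; the rest is illustrative.
HARDENED_WORKFLOW = """\
name: pr-verify
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # tag=v5
        with:
          persist-credentials: false
      - run: make verify
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
CHECKOUT_RE = re.compile(r"^(\s*(?:-\s*)?)uses:\s*actions/checkout@")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(text):
    """Return every `uses:` reference whose ref is not a 40-hex commit SHA."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local actions and docker images are not tag-pinned
        version = ref.rsplit("@", 1)[1] if "@" in ref else ""
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def find_checkouts_persisting_credentials(text):
    """Return 1-based line numbers of actions/checkout steps lacking
    persist-credentials: false. A step's keys sit at the indent of `uses`;
    the step ends at the first non-blank line indented less than that."""
    lines = text.splitlines()
    findings = []
    i = 0
    while i < len(lines):
        m = CHECKOUT_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1))
        persist_false = False
        j = i + 1
        while j < len(lines):
            stripped = lines[j].lstrip()
            if stripped and len(lines[j]) - len(stripped) < key_indent:
                break  # next step (or end of the steps list)
            if re.match(r"persist-credentials:\s*['\"]?false\b", stripped):
                persist_false = True
            j += 1
        if not persist_false:
            findings.append(i + 1)
        i = j
    return findings


def find_risky_triggers(text):
    """Return (line, reason) for pull_request_target keys and `edited` types."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if re.match(r"pull_request_target\s*:", s):
            findings.append((n, "pull_request_target"))
        elif re.match(r"types\s*:.*\bedited\b", s) or re.match(r"-\s*edited\b", s):
            findings.append((n, "edited"))
    return findings


def audit(text):
    """Run all three checks; an empty dict means the workflow passes."""
    report = {
        "unpinned": find_unpinned_actions(text),
        "checkout_persists_credentials": find_checkouts_persisting_credentials(text),
        "risky_triggers": find_risky_triggers(text),
    }
    return {k: v for k, v in report.items() if v}


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit(wf) or "OK")
```

Run it over the files under .github/workflows/ (read each one and pass its text to audit) to confirm the hardening landed everywhere; a job-level uses: of a reusable workflow pinned to a tag is reported the same way as a step-level action, which is intended.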
Affected Workflows
.github/workflows/build-ami-varsfile.yml
.github/workflows/build-ami.yml
.github/workflows/codeql-analysis.yml
.github/workflows/dependabot.yml
.github/workflows/md-link-checker.yml
.github/workflows/pr-golangci-lint.yaml
.github/workflows/pr-verify.yml
.github/workflows/release.yaml
.github/workflows/scan.yml
References
Supporting Articles
https://thehackernews.com/2024/08/github-vulnerability-artipacked-exposes.html
https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/