Skip to content

Security: Pin action SHAs and add explicit permissions #72

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
CybotTM wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Security: Pin action SHAs and add explicit permissions #72

CybotTM wants to merge 2 commits into from

Conversation

@CybotTM
Copy link
Member

@CybotTM CybotTM commented Dec 19, 2025

Summary

This PR addresses GitHub Advanced Security alerts by implementing security best practices for GitHub Actions workflows:

  • Add explicit permissions: blocks to all workflows (using contents: read as minimum)
  • Pin all GitHub Actions to full commit SHAs instead of version tags
  • Include version comments for easier future updates

Changes

Modified Workflows

  1. ci.yml

    • Added permissions: contents: read at workflow level
    • Pinned actions/checkout@v6actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2)
    • Pinned shivammathur/setup-php@v2shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a (v2.33.0)
    • Pinned actions/cache@v5actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a (v4.2.0)

  2. publish-to-ter.yml

    • Added permissions: contents: read at workflow level
    • Pinned actions/checkout@v6actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2)
    • Pinned shivammathur/setup-php@v2shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a (v2.33.0)

  3. auto-merge-deps.yml

    • Already has explicit permissions (no changes needed)
    • Uses gh CLI only (no third-party actions to pin)

Security Benefits

  1. Explicit Permissions: Following the principle of least privilege, workflows now explicitly declare minimum required permissions
  2. SHA Pinning: Protects against supply chain attacks by preventing automatic updates to potentially compromised action versions
  3. Auditability: Full SHAs with version comments make it clear exactly which version is in use

Testing

The changes are purely security-related and do not modify workflow functionality. The same action versions are used, just referenced by immutable SHA instead of mutable tag.

@CybotTM
Security: Pin action SHAs and add explicit permissions
fba8eb5 
- Add explicit permissions blocks to all workflows (contents: read)
- Pin actions/checkout to SHA 11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2)
- Pin shivammathur/setup-php to SHA cf4cade2721270509d5b1c766ab3549210a39a2a (v2.33.0)
- Pin actions/cache to SHA 6849a6489940f00c2f30c0fb92c6274307ccb58a (v4.2.0)

These changes address GitHub Advanced Security alerts by:
1. Following principle of least privilege with explicit permissions
2. Preventing supply chain attacks via SHA pinning
3. Maintaining version comments for easier updates
@CybotTM
fix: Update actions/cache to v5.0.1
08ce8f8 
- actions/cache: v5.0.1 @ 9255dc7a253b0ccc959486e2bca901246202afeb

Fixes deprecated cache action version that was causing workflow failures.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@CybotTM