Harden CI lint workflow (supply-chain, untrusted clone, least privilege)#4242
Open
imed91-lab wants to merge 2 commits into
Conversation
- Pin awesome-lint to a fixed version (supply-chain)
- Isolate untrusted clone: disable git hooks, --no-tags, shallow
- Validate the extracted URL (only https://github.com/owner/repo)
- Add least-privilege permissions (contents: read)
- Pin actions/checkout to commit SHA (v6)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Skil6ixx reviewed Jun 7, 2026
| lint: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v6 |
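Review bot: `- uses: actions/checkout@v6` still references the mutable `v6` tag, while the PR description says checkout is pinned to commit SHA `df4cb1c…`; if this is the post-change line it does not deliver that pin, so replace the tag with the full commit SHA and keep `# v6` as a trailing comment for readability. The lines shown also have no `permissions:` block above `lint:`; the description promises `contents: read`, so confirm it is present at workflow or job level in the part of the file not shown here.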
Hi, can you send me your WhatsApp number?
This hardens the PR-lint CI, which clones and lints contributor-supplied (untrusted) repositories.
Changes

- Pin `awesome-lint` to a fixed version instead of `npx awesome-lint` (avoids pulling an arbitrary/compromised release at CI time).
- `git clone` with `core.hooksPath=/dev/null` (no hooks executed), `--no-tags`, `--depth 1`, and `GIT_ALLOW_PROTOCOL=https`.
- Validate the extracted URL matches `https://github.com/owner/repo` before cloning.
- `permissions: contents: read`.
- Pin `actions/checkout` to a commit SHA (df4cb1c…, v6).

Notes

The job runs on `pull_request` (not `pull_request_target`), so secrets are not exposed; the residual risk addressed here is arbitrary code execution on the runner via a malicious contributor repo. No behavior change for legitimate list submissions.

🤖 Generated with Claude Code
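The clone-hardening and URL-validation steps that the commit message and the PR description both list, written out as shell helpers a CI step could call. This is an added example, not the PR's own workflow code. It assumes the contributor-supplied URL has already been extracted from the submission and is passed as the first argument, that the second argument is the clone destination, that `AWESOME_LINT_VERSION` holds a version you have reviewed (no specific version is asserted here), that passing a local path to `awesome-lint` is acceptable to the version you pin, and that the owner/repo character rules in the regex are our reading of GitHub's naming limits rather than anything the PR states.

```sh
#!/bin/sh
# Added example, not the PR's own workflow code: helpers a CI step could call to
# validate the contributor-supplied repository URL and clone it with the
# hardening the PR describes (hooks disabled, --no-tags, shallow, https only).
# Assumptions: the URL has already been extracted from the submission into $1,
# $2 is the clone destination, and the owner/repo character rules below are
# our reading of GitHub naming limits, not something the PR states.

# validate_repo_url URL
# Accepts exactly https://github.com/<owner>/<repo>; rejects other schemes and
# hosts, sub-paths, query strings, fragments, whitespace and control characters.
validate_repo_url() {
  url=$1
  # A newline or other control character would let a second line slip past
  # grep, so refuse anything non-printable (and any whitespace) up front.
  case $url in
    *[![:print:]]* | *[[:space:]]*) return 1 ;;
  esac
  # owner: alphanumerics and hyphens, no leading/trailing hyphen, max 39 chars
  # repo:  alphanumerics, '.', '_' and '-', max 100 chars
  printf '%s\n' "$url" | grep -Eqx \
    'https://github\.com/[A-Za-z0-9]([A-Za-z0-9-]{0,37}[A-Za-z0-9])?/[A-Za-z0-9_.-]{1,100}' \
    || return 1
  # "." and ".." satisfy the repo character class but are path tricks, not repos.
  case ${url##*/} in
    . | ..) return 1 ;;
  esac
  return 0
}

# clone_untrusted URL DEST
# Refuses to run git at all unless the URL passed validation.
clone_untrusted() {
  url=$1
  dest=$2
  validate_repo_url "$url" || {
    printf 'refusing to clone non-GitHub or malformed URL: %s\n' "$url" >&2
    return 1
  }
  # GIT_ALLOW_PROTOCOL=https  submodule URLs and helpers such as ext:: or
  #                           file:// are refused by git itself
  # GIT_TERMINAL_PROMPT=0     never block on a credential prompt
  # core.hooksPath=/dev/null  no hook can run from this clone
  # --no-tags --depth 1 --single-branch  fetch the minimum; submodules are not
  #                           recursed unless asked, so none are
  # --                        ends option parsing so a URL can never be read as a flag
  GIT_ALLOW_PROTOCOL=https GIT_TERMINAL_PROMPT=0 \
    git -c core.hooksPath=/dev/null clone --no-tags --depth 1 --single-branch \
      -- "$url" "$dest"
}

# lint_clone DEST
# Runs the pinned linter against the clone. AWESOME_LINT_VERSION is assumed to
# be set to a version you have reviewed; passing a local path to awesome-lint
# is an assumption about its CLI, check it against the version you pin.
lint_clone() {
  dest=$1
  [ -n "${AWESOME_LINT_VERSION:-}" ] || {
    echo 'AWESOME_LINT_VERSION must be set to the audited version' >&2
    return 1
  }
  npx --yes "awesome-lint@${AWESOME_LINT_VERSION}" "$dest"
}
```

A workflow step would call `clone_untrusted "$REPO_URL" work && lint_clone work`; because validation happens before `git` is invoked, a malformed or non-GitHub URL never reaches the network, and the `--` separator means even a URL that passed validation cannot be parsed as a git option.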