ci(security): pin fork-ci actions to commit SHAs #62

Open
MoltyCel wants to merge 1 commit into main from ci/harden-fork-ci

Conversation

@MoltyCel
Owner

What

Hardens `.github/workflows/fork-ci.yml`:

1. Pin actions to commit SHAs — all 12 `uses:` of `actions/checkout`
   and `actions/setup-python` were on mutable major tags (`@v4` / `@v5`).
   A retagged or compromised action would have executed in CI. Pinned to
   the immutable SHA each tag currently resolves to; the tag is kept as a
   trailing `# v4` / `# v5` comment for readability and Dependabot.
2. Minimal permissions — removed `security-events: write` from the
   workflow `permissions:` block. No job uploads SARIF (bandit runs
   informational-only to stdout), so the grant was dead. Permissions are
   now just `contents: read`.

Notes

🤖 Generated with Claude Code

Tag refs (actions/checkout@v4, actions/setup-python@v5) are mutable —
a retagged or compromised action would execute in CI. Pin both to the
immutable commit SHA the major tag currently resolves to, with the tag
kept as a trailing comment for readability and Dependabot updates.

Also drops `security-events: write` from the workflow permissions
block: no job uploads SARIF (bandit runs informational-only to
stdout), so the grant was unused. Permissions are now the minimal
`contents: read`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
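A check for the two issues this PR describes, as an added example that is not code from this PR or repository: a line scanner that flags `uses:` refs not pinned to a 40-hex commit SHA and a `security-events: write` grant inside the workflow `permissions:` block. The sample workflow and the SHA it pins to are constructed placeholders, not the project's real file or commits.

```python
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")  # "uses: owner/repo@ref"
SHA_RE = re.compile(r"^[0-9a-f]{40}$")               # only immutable ref form
PERM_RE = re.compile(r"^\s*([a-z-]+):\s*(read|write|none)\s*$")  # "scope: level"

def check_workflow(text):
    """Return [(line_no, finding)] for mutable action refs and the SARIF grant."""
    findings = []
    in_permissions = False
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith(("./", "docker://")):  # local/docker steps have no tag
                continue
            version = ref.rsplit("@", 1)[1] if "@" in ref else ""
            if not SHA_RE.match(version):
                findings.append((n, f"mutable ref {ref}; pin to a 40-hex commit SHA"))
            continue
        if line.strip().startswith("permissions:"):
            in_permissions = True
            continue
        if in_permissions:
            pm = PERM_RE.match(line)
            if pm and line[:1].isspace():
                if pm.groups() == ("security-events", "write"):
                    findings.append((n, "security-events: write granted but no job uploads SARIF"))
                continue
            in_permissions = False  # first non-indented line ends the block
    return findings

# Constructed sample: the "before" shape the PR describes (major tags + dead grant).
SAMPLE_BEFORE = """\
name: fork-ci
permissions:
  contents: read
  security-events: write
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
"""

# Placeholder SHA (not a real commit); a real pin is the SHA the tag resolves to.
PLACEHOLDER_SHA = "0123456789abcdef" * 2 + "01234567"
SAMPLE_AFTER = SAMPLE_BEFORE.replace("  security-events: write\n", "") \
    .replace("@v4", f"@{PLACEHOLDER_SHA} # v4").replace("@v5", f"@{PLACEHOLDER_SHA} # v5")
```

The scanner is deliberately line-based so it needs no YAML library; a real pre-commit or CI gate would also confirm that each pinned SHA actually belongs to the tag named in the trailing comment.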