
[SECURITY] Harden GitHub workflows#35

Merged
John McCall (lowlydba) merged 8 commits into main from
306-devops-create-omf-ruleset-for-all-public-repos
Apr 8, 2026

Conversation

Contributor

@lowlydba John McCall (lowlydba) commented Apr 7, 2026

Changes

This pull request fixes all outstanding issues that the zizmor 🌈 static analysis analyzer has found. Tackling these helps protect us against supply chain exploits, GitHub exploits, and more.

Going forward, this will be enforced by the new OMF Security Checks workflow that will be enabled in this repo (and many more) via Org ruleset, which runs the GitHub Action version of zizmor (see checks below!).

Validation

(image attachment from the original PR, not reproduced here)

Signed-off-by: John McCall <john@overturemaps.org>
Signed-off-by: John McCall <john@overturemaps.org>
Enable concurrency for CI and staging workflows to group runs by workflow+ref and cancel in-progress jobs. Add explanatory comments for Pages and id-token permissions in publish-stac and note id-token usage for AWS in staging. Fix staging run steps to pass the PR number via an environment variable (GITHUB_EVENT_NUMBER) and use that env var in aws s3 sync and CloudFront invalidation commands to avoid expression interpolation issues in shell run blocks.

Signed-off-by: John McCall <john@overturemaps.org>
@lowlydba John McCall (lowlydba) requested a review from a team as a code owner April 7, 2026 13:49
Copilot AI review requested due to automatic review settings April 7, 2026 13:49

Copilot AI left a comment


Pull request overview

This PR hardens the repository’s GitHub Actions configuration to address zizmor security findings by tightening GITHUB_TOKEN permissions, pinning action references to SHAs, and reducing expression-to-shell injection risk in workflow run: steps.

Changes:

  • Lock down workflow-level permissions (permissions: {}) and re-grant minimal job-level permissions where needed.
  • Pin all referenced GitHub Actions to specific commit SHAs and disable persisted checkout credentials.
  • Add concurrency controls to reduce overlapping runs; adjust staging deploy shell interpolation; add Dependabot cooldown.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File: Description

  • .github/workflows/staging.yaml: Pins actions, adds concurrency, restricts permissions, and hardens shell variable usage for staging deploy.
  • .github/workflows/publish-stac.yaml: Pins actions and scopes Pages deployment permissions to the job level.
  • .github/workflows/ci.yaml: Pins actions, adds concurrency, locks down permissions, and replaces the final “all checks passed” gate with an action.
  • .github/dependabot.yml: Adds a Dependabot update cooldown window.

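To make the hardening listed in the PR description and in the review summary above concrete, here is an added illustration (not code from this PR or from the OvertureMaps/stac repository): one minimal staging-style deploy workflow in its weak form and then in the hardened form, with the same four changes applied: workflow-level `permissions: {}` with minimal job-level re-grants, a full-SHA action pin with `persist-credentials: false`, a `concurrency` group keyed on workflow and ref, and expressions moved out of the `run:` script body into `env:` (the `GITHUB_EVENT_NUMBER` variable named in the commit message). The workflow names, the bucket and distribution values and the 40-zero SHA are placeholders I chose for the example, not values from the page.

```yaml
# Added example, not the repository's staging.yaml. Two versions of one
# minimal deploy workflow: the weak form first, then the hardened form that
# mirrors the changes listed in this PR. Values marked PLACEHOLDER are
# assumptions and must be replaced before use.

# ---------- BEFORE: the pattern zizmor flags ----------
name: staging-before
on:
  pull_request:
# No top-level `permissions:` -> GITHUB_TOKEN gets the repository's default scopes.
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4    # mutable tag; token persisted in .git/config by default
      - name: Sync to staging
        run: |
          # The expression is expanded straight into the shell script text.
          aws s3 sync ./build "s3://PLACEHOLDER-bucket/pr-${{ github.event.number }}/"

---
# ---------- AFTER: hardened ----------
name: staging
on:
  pull_request:

# Workflow level: grant nothing; each job re-grants only what it needs.
permissions: {}

# One run per workflow+ref; a newer push cancels the stale in-progress run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write    # only because this job federates to AWS via OIDC; omit otherwise
    steps:
      # Pin to a full commit SHA and keep the tag as a comment for readability.
      # The SHA below is a PLACEHOLDER, not a real actions/checkout commit.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 PLACEHOLDER
        with:
          persist-credentials: false    # do not leave the token in .git/config
      - name: Sync to staging
        env:
          # Expressions are evaluated into environment variables, never
          # pasted into the script body; the shell only ever sees a variable.
          GITHUB_EVENT_NUMBER: ${{ github.event.number }}
          STAGING_BUCKET: PLACEHOLDER-bucket
          DISTRIBUTION_ID: PLACEHOLDER-distribution-id
        run: |
          aws s3 sync ./build "s3://${STAGING_BUCKET}/pr-${GITHUB_EVENT_NUMBER}/"
          aws cloudfront create-invalidation \
            --distribution-id "${DISTRIBUTION_ID}" \
            --paths "/pr-${GITHUB_EVENT_NUMBER}/*"
```

Running `zizmor` against the first document reports the unpinned action, the persisted credentials, the missing permissions block and the template expression inside `run:`; the second document is the shape that passes. When replacing the placeholder SHA, resolve the tag to its commit yourself (for example with `git ls-remote` against the action's repository) rather than copying a SHA from a third-party list, and only keep `id-token: write` on jobs that actually exchange the OIDC token for cloud credentials.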

John McCall (lowlydba) and others added 5 commits April 7, 2026 09:55
…-repos

Signed-off-by: John McCall <john@lowlydba.com>
Signed-off-by: John McCall <john@overturemaps.org>
…ttps://github.com/OvertureMaps/stac into 306-devops-create-omf-ruleset-for-all-public-repos

Signed-off-by: John McCall <john@overturemaps.org>
Signed-off-by: John McCall <john@overturemaps.org>
Signed-off-by: John McCall <john@overturemaps.org>
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Contributor


lgtm

@lowlydba John McCall (lowlydba) merged commit 52029ec into main Apr 8, 2026
26 of 28 checks passed
@lowlydba John McCall (lowlydba) deleted the 306-devops-create-omf-ruleset-for-all-public-repos branch April 8, 2026 14:52

4 participants