Harden GitHub Action workflow security#818
Merged
jeffmendoza merged 7 commits intoossf:mainfrom Apr 17, 2026
Merged
Conversation
Signed-off-by: Stephen Augustus <foo@auggie.dev>
Move the example GitHub Action workflow from examples/gha-allstar-run.yml to .github/workflows/allstar.yml so that dependency update tools (Dependabot, Renovate) can automatically manage pinned action SHAs and container image digests. - Comment out push/schedule triggers (active only in deployer's repo) - Add workflow_dispatch for manual testing - Update documentation references in github-action-installation.md - Fix broken link in README.md (github-actions-install.md -> github-action-installation.md) Signed-off-by: Stephen Augustus <foo@auggie.dev> Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Stephen Augustus <foo@auggie.dev>
Apply GitHub Actions security best practices based on guidance from
Astral's open-source security post and the uwu-tools/.github reference
deployment.
Workflow hardening (.github/workflows/allstar.yml):
- Rename workflow to "Allstar GitHub Action"
- Remove SARIF upload comment block from header
- Add top-level `permissions: {}` with per-job grants (deny-all default)
- Add `timeout-minutes` to prevent resource exhaustion (60m scan, 10m analyze)
- Quote all shell variable expansions for defense in depth
- Add `if: always()` to both artifact upload steps so results are
preserved even on scan failure
- Bump upload-artifact from v4.6.2 to v7.0.0
- Remove `environment: prod` from analyze job (it uses no secrets)
- Comment out all triggers (push, schedule, workflow_dispatch) so the
workflow is inert in the allstar repo — users uncomment when deploying
- Change default schedule to daily at midnight UTC
- Add TODO comment about investigating non-root container execution
Documentation hardening (github-action-installation.md):
- Add "Security hardening" section documenting the practices to preserve
when customizing the workflow
- Pin actions by SHA in build-from-source example (checkout v6.0.2,
setup-go v6.4.0, upload-artifact v7.0.0) instead of mutable tags
- Add timeout-minutes to build-from-source example
- Update setup instructions to uncomment all three triggers
- Update schedule example to match new daily midnight default
- Update workflow name reference in monitoring section
- Remove disclaimer note that contradicted the now-pinned example
Signed-off-by: Stephen Augustus <foo@auggie.dev>
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Stephen Augustus <foo@auggie.dev>
- Add `if: always()` to the analyze job so it runs even when scan fails, since scan artifacts are uploaded unconditionally - Add concurrency group to prevent overlapping runs from racing on issues or artifacts (cancel-in-progress: false to avoid aborting long-running scans) Signed-off-by: Stephen Augustus <foo@auggie.dev> Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Stephen Augustus <foo@auggie.dev>
Extract the inline build-from-source YAML example from the documentation into a real workflow file at .github/workflows/allstar-from-ref.yml. This prevents workflow drift by letting dependency update tools (Dependabot, Renovate) manage pinned action SHAs automatically, matching the approach taken for the main allstar.yml workflow. The new workflow is a complete standalone file (including the analyze job, concurrency group, and all hardening from allstar.yml) rather than a partial scan-job snippet. Users copy it as allstar.yml (same destination name as the container variant) since only one is used at a time. Signed-off-by: Stephen Augustus <foo@auggie.dev> Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Stephen Augustus <foo@auggie.dev>
dosubot
Bot
added
the
size:L
Add a CI workflow that runs zizmor on every push to main and on pull requests to catch GitHub Actions security issues (template injection, unpinned actions, missing permissions, etc.) and upload findings as SARIF to the Security > Code Scanning tab. Signed-off-by: Stephen Augustus <foo@auggie.dev> Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Stephen Augustus <foo@auggie.dev>
- Uncomment workflow_dispatch in both allstar workflows so they are manually triggerable and pass zizmor validation - Add job names to all jobs to resolve zizmor anonymous-definition findings (now passes `zizmor --pedantic` cleanly) - Update documentation to reflect that only push and schedule triggers need uncommenting Signed-off-by: Stephen Augustus <foo@auggie.dev> Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Stephen Augustus <foo@auggie.dev>
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens and formalizes the repository’s GitHub Actions-based Allstar deployment by moving workflows into .github/workflows/, tightening default permissions, pinning dependencies by SHA/digest, and updating documentation to match the new workflow locations.
Changes:
- Add/refresh hardened Allstar workflows (
allstar.yml,allstar-from-ref.yml) with deny-by-default permissions, concurrency controls, timeouts, and SHA/digest pinning. - Introduce a workflow security analysis workflow (
lint-actions.yml) and update docs/README links and wording to reference the new workflow paths. - Add a “Security hardening” section and replace the build-from-source inline snippet with a real workflow to avoid documentation drift.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
github-action-installation.md |
Updates installation docs to point to the new workflow locations and adds a security hardening section. |
README.md |
Fixes the broken GitHub Actions installation link and normalizes “Allstar” naming. |
.github/workflows/lint-actions.yml |
Adds a zizmor-based workflow security analysis job (deny-by-default permissions). |
.github/workflows/allstar.yml |
Updates the primary Allstar workflow with concurrency, timeouts, workflow_dispatch, and hardened artifact handling. |
.github/workflows/allstar-from-ref.yml |
Adds a build-from-source alternative workflow intended to be used instead of the container-based workflow. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
jeffmendoza
approved these changes
Apr 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
examples/gha-allstar-run.ymlto.github/workflows/allstar.ymlso dependency update tools (Dependabot, Renovate) can manage pinned action SHAs automaticallyallstar-from-ref.yml) to prevent documentation driftSecurity hardening applied
permissions: {}with per-job grants (deny-all default)timeout-minuteson all jobs to prevent resource exhaustionif: always()on artifact uploads and analyze jobupload-artifactfrom v4.6.2 to v7.0.0environment: prodfrom analyze job (uses no secrets)persist-credentials: falseto checkout stepsDocumentation updates
github-action-installation.mdexamples/path to.github/workflows/github-actions-install.md→github-action-installation.md)Test plan
allstar.ymlworkflow can be triggered viaworkflow_dispatch(once triggers are uncommented)allstar-from-ref.ymlbuilds and runs successfully from sourceupload-artifactv7 /download-artifactv4 pairing works for cross-job artifact transfer🤖 Generated with Claude Code