ci: harden workflow token permissions and pin actions by SHA · cozystack/cozystack@4feac5b · GitHub
Skip to content

Commit 4feac5b

Browse files
myasnikovdaniillexfrei
authored andcommitted
ci: harden workflow token permissions and pin actions by SHA
Raise the OpenSSF Scorecard Token-Permissions and Pinned-Dependencies checks (both currently 0/10) ahead of CNCF Incubation due diligence: - Declare a top-level read-only default (permissions: contents: read) in every workflow, plus an explicit per-job permissions: block that grants only the writes that job actually needs. Workflows that previously held write scopes at the workflow level (backport, pr-labeler, pr-size, stale) now hold them at job level instead. - Pin every GitHub-owned and third-party action to a full commit SHA with a version comment. scorecard.yml was already pinned in #2721. No triggers, job graph, or step logic change; only token scopes and action refs. Self-hosted release jobs keep the exact write scopes they already declared. Signed-off-by: Myasnikov Daniil <myasnikovdaniil2001@gmail.com> Assisted-By: Claude <noreply@anthropic.com>
1 parent fb070ff commit 4feac5b

13 files changed

Lines changed: 119 additions & 64 deletions

.github/workflows/auto-release.yaml

Lines changed: 7 additions & 3 deletions

.github/workflows/backport.yaml

Lines changed: 11 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -8,9 +8,9 @@ concurrency:
88
group: backport-${{ github.workflow }}-${{ github.event.pull_request.number }}
99
cancel-in-progress: true
1010

11+
# Top-level token defaults to read-only; jobs request the minimum extra scopes.
1112
permissions:
12-
contents: write
13-
pull-requests: write
13+
contents: read
1414

1515
jobs:
1616
# Determine which backports are needed
@@ -24,6 +24,8 @@ jobs:
2424
(github.event.action == 'labeled' && (github.event.label.name == 'backport' || github.event.label.name == 'backport-previous'))
2525
)
2626
runs-on: [self-hosted]
27+
permissions:
28+
contents: read
2729
outputs:
2830
backport_current: ${{ steps.labels.outputs.backport }}
2931
backport_previous: ${{ steps.labels.outputs.backport_previous }}
@@ -32,7 +34,7 @@ jobs:
3234
steps:
3335
- name: Check which labels are present
3436
id: labels
35-
uses: actions/github-script@v7
37+
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
3638
with:
3739
script: |
3840
const pr = context.payload.pull_request;
@@ -47,7 +49,7 @@ jobs:
4749
4850
- name: Determine target branches
4951
id: branches
50-
uses: actions/github-script@v7
52+
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
5153
with:
5254
script: |
5355
// Get latest release
@@ -94,6 +96,9 @@ jobs:
9496
github.event.pull_request.base.ref == 'main' &&
9597
(needs.prepare.outputs.backport_current == 'true' || needs.prepare.outputs.backport_previous == 'true')
9698
runs-on: [self-hosted]
99+
permissions:
100+
contents: write
101+
pull-requests: write
97102
strategy:
98103
matrix:
99104
backport_type: [current, previous]
@@ -116,13 +121,13 @@ jobs:
116121
# 2. Checkout (required by backport‑action)
117122
- name: Checkout repository
118123
if: steps.target.outcome == 'success'
119-
uses: actions/checkout@v4
124+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
120125

121126
# 3. Create the back‑port pull request
122127
- name: Create back‑port PR
123128
id: backport
124129
if: steps.target.outcome == 'success'
125-
uses: korthout/backport-action@v3.2.1
130+
uses: korthout/backport-action@0193454f0c5947491d348f33a275c119f30eb736 # v3.2.1
126131
with:
127132
github_token: ${{ secrets.GITHUB_TOKEN }}
128133
label_pattern: '' # don't read labels for targets

.github/workflows/codegen-drift.yml

Lines changed: 8 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -23,16 +23,22 @@ concurrency:
2323
group: codegen-drift-${{ github.workflow }}-${{ github.event.pull_request.number }}
2424
cancel-in-progress: true
2525

26+
# Top-level token defaults to read-only; jobs request the minimum extra scopes.
27+
permissions:
28+
contents: read
29+
2630
jobs:
2731
codegen-drift:
2832
name: Verify generated code is up to date
2933
runs-on: ubuntu-22.04
34+
permissions:
35+
contents: read
3036
steps:
3137
- name: Checkout code
32-
uses: actions/checkout@v4
38+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
3339

3440
- name: Set up Go
35-
uses: actions/setup-go@v5
41+
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
3642
with:
3743
go-version-file: go.mod
3844
cache: true

.github/workflows/labels.yaml

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -24,8 +24,10 @@ concurrency:
2424
jobs:
2525
validate:
2626
runs-on: ubuntu-latest
27+
permissions:
28+
contents: read
2729
steps:
28-
- uses: actions/checkout@v4
30+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
2931

3032
- name: Validate labels.yml schema
3133
run: |
@@ -74,11 +76,12 @@ jobs:
7476
if: github.event_name != 'pull_request'
7577
runs-on: ubuntu-latest
7678
permissions:
79+
contents: read
7780
issues: write
7881
pull-requests: write
7982
steps:
80-
- uses: actions/checkout@v4
81-
- uses: EndBug/label-sync@v2
83+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
84+
- uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2
8285
with:
8386
config-file: .github/labels.yml
8487
delete-other-labels: false

.github/workflows/pr-labeler.yaml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,16 +4,18 @@ on:
44
pull_request_target:
55
types: [opened, edited, reopened, synchronize]
66

7+
# Top-level token defaults to read-only; jobs request the minimum extra scopes.
78
permissions:
89
contents: read
9-
pull-requests: write
1010

1111
jobs:
1212
label:
1313
runs-on: ubuntu-latest
14+
permissions:
15+
pull-requests: write
1416
steps:
1517
- name: Apply labels from PR title
16-
uses: actions/github-script@v7
18+
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
1719
with:
1820
script: |
1921
// Conventional Commits types accepted by Cozystack (per docs/agents/contributing.md):

.github/workflows/pr-size.yaml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,9 +4,9 @@ on:
44
pull_request_target:
55
types: [opened, synchronize, reopened]
66

7+
# Top-level token defaults to read-only; jobs request the minimum extra scopes.
78
permissions:
89
contents: read
9-
pull-requests: write
1010

1111
concurrency:
1212
group: pr-size-${{ github.event.pull_request.number }}
@@ -15,8 +15,10 @@ concurrency:
1515
jobs:
1616
size:
1717
runs-on: ubuntu-latest
18+
permissions:
19+
pull-requests: write
1820
steps:
19-
- uses: actions/github-script@v7
21+
- uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
2022
with:
2123
script: |
2224
const pr = context.payload.pull_request;

.github/workflows/pre-commit.yml

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -8,26 +8,32 @@ concurrency:
88
group: pre-commit-${{ github.workflow }}-${{ github.event.pull_request.number }}
99
cancel-in-progress: true
1010

11+
# Top-level token defaults to read-only; jobs request the minimum extra scopes.
12+
permissions:
13+
contents: read
14+
1115
jobs:
1216
pre-commit:
1317
runs-on: ubuntu-22.04
18+
permissions:
19+
contents: read
1420
steps:
1521
- name: Checkout code
16-
uses: actions/checkout@v3
22+
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
1723
with:
1824
fetch-depth: 0
1925
fetch-tags: true
2026

2127
- name: Set up Python
22-
uses: actions/setup-python@v4
28+
uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4
2329
with:
2430
python-version: '3.11'
2531

2632
- name: Install pre-commit
2733
run: pip install pre-commit
2834

2935
- name: Set up Go
30-
uses: actions/setup-go@v5
36+
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
3137
with:
3238
go-version-file: go.mod
3339
cache: true

.github/workflows/pull-requests-release.yaml

Lines changed: 9 additions & 5 deletions

0 commit comments

Comments
 (0)