ci: GHA workflow security cleanup#3383

Merged
emptyhammond merged 3 commits into
mainfrom
worktree-fixup-workflows
Jun 4, 2026
Conversation

@emptyhammond
Contributor

Routine hygiene pass over the GitHub Actions workflow in this repo, addressing findings from a workflow security audit. Changes are split into three commits, one per finding type:

  • Disable credential persistence on actions/checkout so the default GITHUB_TOKEN is not left in the local git config after checkout.
  • Add a top-level permissions: {} so the GITHUB_TOKEN is granted no scopes by default; the job continues to declare only the contents/deployments/pull-requests scopes it actually needs.
  • Pin all third-party actions to commit SHAs (with the tag preserved as a comment) so an upstream tag move can't silently change what runs in CI.

No behavioural changes intended - the workflow runs the same checks against the same inputs.
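The three findings above are easy to check mechanically. The following is an added example of such a check, written for this page rather than taken from the repository: a small line-based audit (it assumes the common `- uses:` / `with:` step layout and needs no YAML library) run over two constructed workflow snippets, one before the cleanup and one after it. The 40-character SHAs in the hardened sample are placeholders, not real commits.

```python
import re
# Hypothetical line-based checker written for this example, not code from the PR's repository.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*false\b")

def step_lines(lines, start, key_indent):
    # Yield the lines after `start` that belong to the step whose 'uses:' key sits at key_indent.
    for line in lines[start + 1:]:
        if line.strip() and len(line) - len(line.lstrip()) < key_indent:
            return  # outdented: next step or end of the steps list
        yield line

def audit_workflow(text):
    """Return one finding per violation of the three checks this PR applies."""
    lines = text.splitlines()
    findings = []
    if not any(line.startswith("permissions:") for line in lines):
        findings.append("no top-level 'permissions:' (GITHUB_TOKEN keeps default scopes)")
    for idx, line in enumerate(lines):
        match = USES_RE.match(line)
        if not match or match.group(1).startswith(("./", "docker://")):
            continue  # not an action reference, or a local/container action
        action, _, version = match.group(1).partition("@")
        if not SHA_RE.match(version):
            findings.append(f"line {idx + 1}: {action} pinned to mutable ref '{version or '<none>'}'")
        if action == "actions/checkout" and not any(
            PERSIST_RE.match(l) for l in step_lines(lines, idx, line.index("uses:"))
        ):
            findings.append(f"line {idx + 1}: actions/checkout keeps the persist-credentials default")
    return findings

# Constructed samples: the same job before and after the cleanup (SHAs are placeholders).
WEAK = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/github-script@v7
"""
HARDENED = """\
permissions: {}
jobs:
  build:
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4
        with:
          persist-credentials: false
      - uses: actions/github-script@1111111111111111111111111111111111111111  # v7
"""
```

Running `audit_workflow(WEAK)` reports four findings (missing top-level permissions, two mutable refs, and checkout's default credential persistence); `audit_workflow(HARDENED)` reports none, and the job-level `permissions:` block does not satisfy the top-level check.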

@emptyhammond emptyhammond requested a review from m-hulbert May 26, 2026 13:44
@coderabbitai
coderabbitai Bot commented May 26, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

@emptyhammond emptyhammond enabled auto-merge May 28, 2026 10:16
Set persist-credentials: false on actions/checkout so the default GITHUB_TOKEN is not left in the local git config after checkout. Identified by a routine workflow security audit.

Add a top-level permissions: {} so the GITHUB_TOKEN is granted no scopes by default; the job continues to declare only the contents/deployments/pull-requests scopes it actually needs. Identified by a routine workflow security audit.

Pin actions/checkout, actions/github-script, and fastruby/manage-heroku-review-app to commit SHAs with the tag preserved as a trailing comment, so an upstream tag move cannot silently change what runs in CI. Identified by a routine workflow security audit.
@m-hulbert m-hulbert force-pushed the worktree-fixup-workflows branch from 5fd46d5 to ca300de Compare June 4, 2026 17:42
@emptyhammond emptyhammond merged commit 4ca19a3 into main Jun 4, 2026
7 checks passed
@emptyhammond emptyhammond deleted the worktree-fixup-workflows branch June 4, 2026 17:52