7 changes: 5 additions & 2 deletions .github/workflows/ci.yml
Expand Up @@ -5,15 +5,18 @@ on:
branches: [main]
pull_request:

permissions:
contents: read

env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true

jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
with:
node-version: 24
package-manager-cache: false
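Review bot: The trailing `# v5` comments on the pinned `actions/checkout` and `actions/setup-node` lines name a moving major tag, so a reader cannot tell from the file which release each SHA was taken from or re-verify it later. Recording the exact release tag in the comment, for example `# vX.Y.Z` (placeholder for the release the SHA belongs to), keeps the pin auditable and lets an update bot rewrite the SHA and the comment together. The diff does not show whether the repository has a Dependabot or Renovate entry for GitHub Actions; without one, these SHAs will not pick up upstream security fixes. The same comment style is used for the pins in `contextforge-audit.yml` and `npm-publish.yml`.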
22 changes: 15 additions & 7 deletions .github/workflows/contextforge-audit.yml
Expand Up @@ -16,10 +16,10 @@ jobs:
contextforge-audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
fetch-depth: 0
- uses: actions/setup-node@v5
- uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
with:
node-version: 24
package-manager-cache: false
Expand All @@ -44,6 +44,8 @@ jobs:
if: always()
- run: node dist/cli.js workflow-audit --summary contextforge-workflow-audit.md --sarif contextforge-workflow.sarif
if: always()
- run: node dist/cli.js actions-audit --summary contextforge-actions-audit.md --sarif contextforge-actions.sarif
if: always()
- run: node dist/cli.js trace-audit --summary contextforge-trace-audit.md
if: always()
- run: node dist/cli.js review-kit --base main --output contextforge-review-kit.md
Expand All @@ -53,7 +55,7 @@ jobs:
- name: Write job summary
if: always()
run: cat contextforge-summary.md >> "$GITHUB_STEP_SUMMARY"
- uses: actions/upload-artifact@v5
- uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
if: always()
with:
name: contextforge-audit
Expand All @@ -77,22 +79,28 @@ jobs:
contextforge-claude.sarif
contextforge-workflow-audit.md
contextforge-workflow.sarif
contextforge-actions-audit.md
contextforge-actions.sarif
contextforge-trace-audit.md
contextforge-review-kit.md
contextforge-artifact-map.md
- uses: github/codeql-action/upload-sarif@v4
- uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4
if: ${{ always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
with:
sarif_file: contextforge.sarif
- uses: github/codeql-action/upload-sarif@v4
- uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4
if: ${{ always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
with:
sarif_file: contextforge-mcp.sarif
- uses: github/codeql-action/upload-sarif@v4
- uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4
if: ${{ always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
with:
sarif_file: contextforge-claude.sarif
- uses: github/codeql-action/upload-sarif@v4
- uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4
if: ${{ always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
with:
sarif_file: contextforge-workflow.sarif
- uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4
if: ${{ always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
with:
sarif_file: contextforge-actions.sarif
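Review bot: The new `upload-sarif` step for `contextforge-actions.sarif` sets only `sarif_file`, as the four existing upload steps do, so all five uploads from this job land under the same default Code Scanning category. If the SARIF files report the same tool name (not visible in this diff), a later upload may replace an earlier analysis for the same commit, and hardening findings would be missing from the Security tab without the job failing. Adding a distinct `category: contextforge-actions` under `with:` for this step, and a matching one for each of the other uploads, keeps the reports separate.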
17 changes: 9 additions & 8 deletions .github/workflows/npm-publish.yml
Expand Up @@ -24,13 +24,14 @@ permissions:

env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
NPM_TAG: ${{ inputs.npm_tag }}

jobs:
preflight:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
with:
node-version: 24
registry-url: https://registry.npmjs.org
Expand All @@ -47,10 +48,10 @@ jobs:
- run: npm pack --dry-run
- run: npm pack --json > npm-pack.json
- name: Generate npm tarball attestation
uses: actions/attest@v4
uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4
with:
subject-path: 'contextforge-*.tgz'
- uses: actions/upload-artifact@v5
- uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
if: always()
with:
name: contextforge-npm-publish-readiness
Expand All @@ -65,8 +66,8 @@ jobs:
runs-on: ubuntu-latest
environment: npm-publish
steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
with:
node-version: 24
registry-url: https://registry.npmjs.org
Expand All @@ -83,8 +84,8 @@ jobs:
- run: npm pack --dry-run
- run: npm pack --json > npm-pack.json
- name: Generate npm tarball attestation
uses: actions/attest@v4
uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4
with:
subject-path: 'contextforge-*.tgz'
- name: Publish to npm
run: npm publish contextforge-*.tgz --access public --tag "${{ inputs.npm_tag }}"
run: npm publish contextforge-*.tgz --access public --tag "$NPM_TAG"
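Review bot: Both `actions/checkout` steps in this release workflow (in `preflight` and in the job bound to `environment: npm-publish`) have no `with:` block, so the action's default of keeping the workflow token in the local git configuration applies while the later `npm pack` and `npm publish` steps run and can execute package lifecycle scripts. Adding `with:` and `persist-credentials: false` to each checkout removes that token from the workspace; none of the visible steps push back to the repository, though the steps collapsed between the hunks should be checked first. The checkouts in `ci.yml` and `contextforge-audit.yml` use the same default. Separately, `NPM_TAG` is declared at workflow level; an `env:` block on the publish step alone would limit it to the one command that reads it.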
6 changes: 6 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,11 @@
# Changelog

## 0.69.0 - 2026-06-01

- Add `contextforge actions-audit --summary contextforge-actions-audit.md --sarif contextforge-actions.sarif` for GitHub Actions hardening proof.
- Detect mutable action refs, missing workflow permissions, `permissions: write-all`, `pull_request_target` risk, pwn-request checkout, and direct script interpolation of untrusted GitHub contexts.
- Dogfood the audit by pinning ContextForge workflows to full action SHAs, adding least-privilege CI permissions, routing npm publish tags through an environment variable, and uploading Actions SARIF to Code Scanning.

## 0.68.0 - 2026-06-01

- Expand `contextforge workflow-audit` to treat issue titles, pull request titles, PR head refs, `github.head_ref`, `github.ref_name`, review-comment bodies, and discussion titles as untrusted agent inputs.
16 changes: 13 additions & 3 deletions README.md
Expand Up @@ -94,6 +94,9 @@ For the agentic workflow risk model and command details, see
[docs/workflow-audit.md](docs/workflow-audit.md).
For agentic GitHub workflow injection risk, see
[contextforge-workflow-audit.md](contextforge-workflow-audit.md).
For GitHub Actions hardening risk, see
[contextforge-actions-audit.md](contextforge-actions-audit.md) and
[docs/actions-audit.md](docs/actions-audit.md).
For session trace efficiency, see
[contextforge-trace-audit.md](contextforge-trace-audit.md).
For configurable session cost estimates, see
Expand All @@ -118,6 +121,7 @@ contextforge surface-diff --base main --output contextforge-agent-surface-diff.m
contextforge mcp-audit --summary contextforge-mcp-audit.md --sarif contextforge-mcp.sarif
contextforge claude-audit --summary contextforge-claude-audit.md --sarif contextforge-claude.sarif
contextforge workflow-audit --summary contextforge-workflow-audit.md --sarif contextforge-workflow.sarif
contextforge actions-audit --summary contextforge-actions-audit.md --sarif contextforge-actions.sarif
contextforge trace-audit --demo --summary contextforge-trace-audit.md
contextforge cost-estimate --demo --summary contextforge-cost-estimate.md --input-price-per-mtok 2 --cached-input-price-per-mtok 0.2 --output-price-per-mtok 10
contextforge pack --demo --task "review auth regression" --budget 600 --output contextforge-pack.md
Expand All @@ -143,6 +147,7 @@ contextforge audit --demo --comment examples/pr-comment.md --badge contextforge-
| MCP config risk | `contextforge-mcp-audit.md` |
| Claude Code project settings risk | `contextforge-claude-audit.md` |
| Agentic workflow injection risk | `contextforge-workflow-audit.md` |
| GitHub Actions hardening risk | `contextforge-actions-audit.md` |
| Agent trace efficiency | `contextforge-trace-audit.md` |
| Session cost estimate | `contextforge-cost-estimate.md` |
| Context pack budget proof | `contextforge-pack.md` |
Expand Down Expand Up @@ -348,7 +353,7 @@ contextforge pack --task "review auth regression" --budget 20000 --sessions --ou
Or use the GitHub Action before npm publishing is complete:

```yaml
- uses: grnbtqdbyx-create/contextforge@v0.68.0
- uses: grnbtqdbyx-create/contextforge@v0.69.0
with:
min-context-score: 60
min-cache-score: 60
Expand All @@ -372,6 +377,7 @@ Or use the GitHub Action before npm publishing is complete:
- **Audit MCP exposure:** publish `contextforge-mcp-audit.md` and `contextforge-mcp.sarif` so committed MCP configs cannot quietly ship hardcoded secrets, remote shell installers, unpinned package launches, auto-approval, broad tool permissions, or symlinked config files.
- **Audit Claude Code settings:** publish `contextforge-claude-audit.md` and `contextforge-claude.sarif` so repo-committed Claude settings cannot quietly ship bypass modes, broad Bash permissions, remote shell hooks, or missing sensitive-file denies.
- **Audit agentic workflows:** publish `contextforge-workflow-audit.md` and `contextforge-workflow.sarif` so GitHub workflows cannot quietly feed untrusted issue, PR, review, comment, title, input, or branch text into privileged agents.
- **Audit GitHub Actions hardening:** publish `contextforge-actions-audit.md` and `contextforge-actions.sarif` so agent-authored workflows cannot quietly ship mutable action tags, missing permissions, pwn-request checkout, or shell interpolation of untrusted GitHub context.
- **Audit trace efficiency:** publish `contextforge-trace-audit.md` so repeated tool calls, huge outputs, tool-output-heavy traces, and low cache reuse are visible before the next long agent session.
- **Estimate session cost:** publish `contextforge-cost-estimate.md` with runtime price inputs for uncached input, cached input, and output tokens.
- **Publish the artifact map from CI:** attach `contextforge-artifact-map.md` beside proof-pack and review-kit outputs in reusable and generated GitHub workflows.
Expand Down Expand Up @@ -436,6 +442,7 @@ and tuned for Codex/Claude repository work.
| MCP findings should show up in GitHub Security. | `mcp-audit --sarif` writes `contextforge-mcp.sarif` with `mcp-exposure/*` rule ids for Code Scanning. |
| Claude Code settings can over-trust a repo. | `claude-audit` checks shared `.claude/settings.json` permissions, hooks, bypass modes, and sensitive-file denies. |
| Agentic GitHub workflows can ingest attacker-controlled text. | `workflow-audit` checks whether issue, PR, review, comment, title, workflow input, or branch/ref text flows into agentic jobs with write permissions or secrets. |
| Agent-authored CI can weaken the release path. | `actions-audit` checks workflow SHA pins, token permissions, `pull_request_target`, pwn-request checkout, and direct script interpolation. |
| Claude Code subagents and custom slash commands can hide powerful project prompts. | `security-audit`, context health, and context packs include `.claude/agents/**/*.md` and `.claude/commands/**/*.md`. |
| Copilot hooks can run shell commands during agent workflows. | `security-audit` scans `.github/hooks/*.json` and committed `.github/copilot/settings*.json` for unsafe shell, exfiltration, hidden directives, and permission weakening. |
| VS Code workspace settings can carry Copilot instructions. | `security-audit` scans `.vscode/settings.json` and committed `*.code-workspace` files for risky Copilot review, commit, and PR instruction text. |
Expand Down Expand Up @@ -479,12 +486,13 @@ contextforge surface-diff [--base main] [--json] [--output contextforge-agent-su
contextforge mcp-audit [--demo] [--json] [--summary contextforge-mcp-audit.md] [--sarif contextforge-mcp.sarif]
contextforge claude-audit [--demo] [--json] [--summary contextforge-claude-audit.md] [--sarif contextforge-claude.sarif]
contextforge workflow-audit [--demo] [--json] [--summary contextforge-workflow-audit.md] [--sarif contextforge-workflow.sarif]
contextforge actions-audit [--json] [--summary contextforge-actions-audit.md] [--sarif contextforge-actions.sarif]
contextforge trace-audit [--demo] [--json] [--summary contextforge-trace-audit.md]
contextforge cost-estimate [--demo] [--json] [--summary contextforge-cost-estimate.md] [--input-price-per-mtok 0] [--cached-input-price-per-mtok 0] [--output-price-per-mtok 0]
contextforge review-kit [--demo] [--base main] [--output contextforge-review-kit.md]
contextforge artifact-map [--output docs/artifacts.md]
contextforge publish-readiness [--json] [--summary contextforge-publish-readiness.md]
contextforge init [--all] [--github-action] [--pr-comment-workflow] [--agents-md] [--claude-md] [--copilot-instructions] [--project-name "My App"] [--action-ref grnbtqdbyx-create/contextforge@v0.68.0] [--force]
contextforge init [--all] [--github-action] [--pr-comment-workflow] [--agents-md] [--claude-md] [--copilot-instructions] [--project-name "My App"] [--action-ref grnbtqdbyx-create/contextforge@v0.69.0] [--force]
```

Local session scans are bounded by default. Use `--max-session-files` and
Expand Down Expand Up @@ -569,7 +577,7 @@ See [docs/research/adjacent-tools.md](docs/research/adjacent-tools.md).

## Current Status

ContextForge v0.68.0 is a public MVP CLI with:
ContextForge v0.69.0 is a public MVP CLI with:

- Claude Code and Codex JSONL fixture scanners
- bounded local session scanning fallbacks
Expand Down Expand Up @@ -599,6 +607,7 @@ ContextForge v0.68.0 is a public MVP CLI with:
- reusable GitHub Action and dogfood workflow support for `contextforge-mcp-audit.md` and `contextforge-mcp.sarif`
- reusable GitHub Action and dogfood workflow support for `contextforge-claude-audit.md` and `contextforge-claude.sarif`
- reusable GitHub Action and dogfood workflow support for `contextforge-workflow-audit.md` and `contextforge-workflow.sarif`
- reusable GitHub Action and dogfood workflow support for `contextforge-actions-audit.md` and `contextforge-actions.sarif`
- reusable GitHub Action and dogfood workflow support for `contextforge-review-kit.md`
- reusable GitHub Action and dogfood workflow support for `contextforge-artifact-map.md`
- PR-ready comments that summarize changed agent-readable surfaces and point reviewers at `contextforge-proof-pack.md`, `contextforge-review-kit.md`, and `contextforge-agent-surface-diff.md`
Expand Down Expand Up @@ -710,6 +719,7 @@ ContextForge v0.68.0 is a public MVP CLI with:
- **v0.66.0:** launch snapshots explain the why-now, adjacent-category, and proof-first story for README visitors.
- **v0.67.0:** agentic workflow audits catch untrusted GitHub event text flowing into privileged AI workflows.
- **v0.68.0:** workflow audits expand attacker-controlled coverage to titles and branch/ref text.
- **v0.69.0:** GitHub Actions audits catch mutable action refs, pwn-request checkout, missing permissions, and direct script interpolation.
- **Next:** first approved npm publish and external launch outreach.

Release preparation lives in [docs/release-checklist.md](docs/release-checklist.md).
24 changes: 23 additions & 1 deletion action.yml
@@ -1,5 +1,5 @@
name: 'ContextForge Audit'
description: 'Run ContextForge context health, cache stability, trace efficiency, security, MCP exposure, Claude settings, agentic workflow, HTML, JSON, SARIF, Markdown, PR comment, suggestions, badge, proof pack, scorecard, surface map, surface inventory, surface diff, review kit, artifact map, and agent action plan audits.'
description: 'Run ContextForge context health, cache stability, trace efficiency, security, MCP exposure, Claude settings, agentic workflow, GitHub Actions hardening, HTML, JSON, SARIF, Markdown, PR comment, suggestions, badge, proof pack, scorecard, surface map, surface inventory, surface diff, review kit, artifact map, and agent action plan audits.'
author: 'Ogün Keskin'

branding:
Expand Down Expand Up @@ -95,6 +95,14 @@ inputs:
description: 'Agentic GitHub workflow SARIF output path in the caller workspace.'
required: false
default: 'contextforge-workflow.sarif'
actions-audit:
description: 'GitHub Actions hardening audit Markdown output path in the caller workspace.'
required: false
default: 'contextforge-actions-audit.md'
actions-sarif:
description: 'GitHub Actions hardening SARIF output path in the caller workspace.'
required: false
default: 'contextforge-actions.sarif'
trace-audit:
description: 'Agent trace efficiency audit Markdown output path in the caller workspace.'
required: false
Expand Down Expand Up @@ -170,6 +178,12 @@ outputs:
workflow-sarif:
description: 'Path to the generated agentic GitHub workflow SARIF report.'
value: ${{ inputs.workflow-sarif }}
actions-audit-md:
description: 'Path to the generated GitHub Actions hardening audit.'
value: ${{ inputs.actions-audit }}
actions-sarif:
description: 'Path to the generated GitHub Actions hardening SARIF report.'
value: ${{ inputs.actions-sarif }}
trace-audit-md:
description: 'Path to the generated agent trace efficiency audit.'
value: ${{ inputs.trace-audit }}
Expand Down Expand Up @@ -275,6 +289,14 @@ runs:
node "$GITHUB_ACTION_PATH/dist/cli.js" workflow-audit \
--summary "${{ inputs.workflow-audit }}" \
--sarif "${{ inputs.workflow-sarif }}"
- name: Run ContextForge GitHub Actions audit
if: always()
shell: bash
run: |
cd "$GITHUB_WORKSPACE"
node "$GITHUB_ACTION_PATH/dist/cli.js" actions-audit \
--summary "${{ inputs.actions-audit }}" \
--sarif "${{ inputs.actions-sarif }}"
- name: Run ContextForge trace efficiency audit
if: always()
shell: bash
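Review bot: The new `Run ContextForge GitHub Actions audit` step expands `${{ inputs.actions-audit }}` and `${{ inputs.actions-sarif }}` directly inside the `run:` script, which is the direct script interpolation pattern this release's audit is described as detecting and which the same commit removes from `npm-publish.yml` through `NPM_TAG`. The expressions are substituted into the bash text before the shell starts, so a caller-supplied path containing shell metacharacters changes the command instead of staying an argument. Passing both inputs through `env:` and quoting the variables keeps them as data. The `workflow-audit` step visible just above uses the same interpolation and would need the same treatment; the rest of the `runs:` steps are outside this hunk.

```yaml
- name: Run ContextForge GitHub Actions audit
  # … unchanged: if, shell …
  env:
    ACTIONS_AUDIT_PATH: ${{ inputs.actions-audit }}
    ACTIONS_SARIF_PATH: ${{ inputs.actions-sarif }}
  run: |
    # … unchanged: cd and node invocation …
      --summary "$ACTIONS_AUDIT_PATH" \
      --sarif "$ACTIONS_SARIF_PATH"
```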
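--- a/contextforge-actions-audit.md
+++ b/contextforge-actions-audit.md
@@ -0,0 +1,15 @@
+# ContextForge GitHub Actions Audit
+
+Status: **pass**
+
+Score: **100/100**
+
+Workflow files: `.github/workflows/ci.yml`, `.github/workflows/contextforge-audit.yml`, `.github/workflows/npm-publish.yml`
+
+| Type | Severity | File | Message | Suggestion |
+| --- | --- | --- | --- | --- |
+| none | low | | No GitHub Actions hardening findings. | Keep workflows pinned, least-privilege, and isolated from untrusted PR code. |
+
+## Next Actions
+
+- Keep GitHub Actions workflows pinned to full SHAs and least-privilege by default.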
4 changes: 2 additions & 2 deletions contextforge-publish-readiness.md
Expand Up @@ -2,11 +2,11 @@

Status: **warn**

Package: `contextforge@0.68.0`
Package: `contextforge@0.69.0`

| Check | Status | Detail |
| --- | --- | --- |
| Package metadata | pass | contextforge@0.68.0 is public-package ready with bin dist/cli.js |
| Package metadata | pass | contextforge@0.69.0 is public-package ready with bin dist/cli.js |
| Package provenance metadata | pass | repository, homepage, and issue tracker point at grnbtqdbyx-create/contextforge for npm provenance readers |
| Trusted publishing workflow | pass | npm Trusted Publishing uses GitHub OIDC, manual dispatch, dry-run default, and environment approval |
| Release artifact attestation | pass | GitHub artifact attestation covers the packed npm tarball before the same tarball is published |