From 3792f1cba5254804d2762d88c13e8abc9d13ede3 Mon Sep 17 00:00:00 2001 From: jim Date: Tue, 26 May 2026 07:30:00 +0100 Subject: [PATCH] Harden GitHub Actions workflows Pin every third-party action `uses:` ref to a full-length commit SHA (tag retained as trailing comment) so a re-pointed tag cannot inject malicious code, per the 2025 tj-actions/changed-files incident. Add a default top-level `permissions: contents: read` block to every workflow that lacked one, and grant `contents: write` only on the specific jobs that need it (php-cs-fixer auto-commit, changelog auto-commit). The dependabot-auto-merge workflow keeps its existing explicit permissions. Group github-actions dependabot updates so weekly SHA bumps land as a single PR instead of one per action. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/dependabot.yml | 6 +++++- .github/workflows/dependabot-auto-merge.yml | 2 +- .github/workflows/php-cs-fixer.yml | 10 ++++++++-- .github/workflows/phpstan.yml | 9 ++++++--- .github/workflows/run-tests.yml | 9 ++++++--- .github/workflows/update-changelog.yml | 12 +++++++++--- 6 files changed, 35 insertions(+), 13 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 30c8a49..9b6c374 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,4 +9,8 @@ updates: schedule: interval: "weekly" labels: - - "dependencies" \ No newline at end of file + - "dependencies" + groups: + actions: + patterns: + - "*" diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index b2fecc8..8f07689 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -13,7 +13,7 @@ jobs: - name: Dependabot metadata id: metadata - uses: dependabot/fetch-metadata@v3.1.0 + uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0 with: github-token: "${{ secrets.GITHUB_TOKEN }}" 
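Review bot: The `groups:` block that closes this hunk applies to whichever `package-ecosystem` the enclosing update entry declares, and that key sits above the hunk, so confirm this is the `github-actions` entry rather than the composer one — a `"*"` pattern on a composer entry would fold every PHP dependency bump into a single PR. Grouping also means a fix for one vulnerable or compromised action waits for the weekly batch and shares a PR with unrelated bumps; groups default to version updates only, so security-update PRs should still arrive individually unless an `applies-to: security-updates` group is added, which is probably the behaviour you want here. The enclosing update entry starts outside the hunk.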
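Review bot: Pinning `dependabot/fetch-metadata` by SHA hardens this step, but this workflow presumably auto-merges the grouped github-actions PRs the same commit sets up, which would let a future SHA bump of any action land without the human review that SHA pinning is meant to enable. If that is not intended, gate the merge step on the `package-ecosystem` or `update-type` outputs of this metadata step (for example merging only non-action or patch-level updates); the merge condition is outside this hunk, so treat this as a point to confirm rather than a visible defect. The enclosing `steps:` list continues past the hunk.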
diff --git a/.github/workflows/php-cs-fixer.yml b/.github/workflows/php-cs-fixer.yml index 2d7544e..2ab165c 100644 --- a/.github/workflows/php-cs-fixer.yml +++ b/.github/workflows/php-cs-fixer.yml @@ -2,13 +2,19 @@ name: Check & fix styling on: [push] +permissions: + contents: read + jobs: php-cs-fixer: runs-on: ubuntu-latest + permissions: + contents: write + steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ github.head_ref }} @@ -18,6 +24,6 @@ jobs: args: --config=.php-cs-fixer.dist.php --allow-risky=yes - name: Commit changes - uses: stefanzweifel/git-auto-commit-action@v7 + uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7 with: commit_message: Fix styling diff --git a/.github/workflows/phpstan.yml b/.github/workflows/phpstan.yml index 2c6185e..3a9a109 100644 --- a/.github/workflows/phpstan.yml +++ b/.github/workflows/phpstan.yml @@ -6,21 +6,24 @@ on: - '**.php' - 'phpstan.neon.dist' +permissions: + contents: read + jobs: phpstan: name: phpstan runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2 with: php-version: '8.3' coverage: none - name: Install composer dependencies - uses: ramsey/composer-install@v4 + uses: ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda # v4 - name: Run PHPStan run: ./vendor/bin/phpstan --error-format=github diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index 366fcae..6cd10aa 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -8,6 +8,9 @@ on: branches: - main +permissions: + contents: read + jobs: test: runs-on: ${{ matrix.os }} 
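Review bot: The job-level `contents: write` added in this hunk applies to every step in the job, not only the commit step, so the php-cs-fixer step that sits between this hunk and the next is the one whose `uses:` pin matters most, and its line is not part of this diff; the file's diffstat accounts for just the two `uses:` lines shown, so confirm that step already references an immutable SHA rather than a tag. Separately, `on: [push]` never sets `github.head_ref`, so the `ref: ${{ github.head_ref }}` input at the end of the hunk is empty and checkout falls back to the pushed commit; either drop it or add `# empty on push; kept for pull_request reuse` above it so the next reader is not misled. The job body continues beyond the hunk.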
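Review bot: The checkout step at the top of the job is the only one without a `name:`, while the sibling workflows label it `Checkout code`; adding `- name: Checkout code` above the pinned `uses:` line keeps job logs and future review of these pins consistent across the workflows. The `# v2` and `# v4` trailing comments are what Dependabot uses to keep the SHA and the tag in step, so keep that exact format when editing these lines by hand. The `steps:` list continues past the hunk.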
@@ -34,10 +37,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # v2 with: php-version: ${{ matrix.php }} extensions: dom, curl, libxml, mbstring, zip, pcntl, pdo, sqlite, pdo_sqlite, bcmath, soap, intl, gd, exif, iconv, imagick, fileinfo @@ -57,7 +60,7 @@ jobs: run: vendor/bin/pest --coverage-cobertura coverage.xml - name: Upload coverage - uses: gaelgirodon/ci-badges-action@v1 + uses: gaelgirodon/ci-badges-action@07a65145ff9feb271f426865f940977a94578ad4 # v1 if: github.ref == 'refs/heads/main' with: gist-id: 9dd8e508cb2433728d42a258193770eb diff --git a/.github/workflows/update-changelog.yml b/.github/workflows/update-changelog.yml index 9445f8b..7b287cb 100644 --- a/.github/workflows/update-changelog.yml +++ b/.github/workflows/update-changelog.yml @@ -4,24 +4,30 @@ on: release: types: [released,prereleased] +permissions: + contents: read + jobs: update: runs-on: ubuntu-latest + permissions: + contents: write + steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: main - name: Update Changelog - uses: stefanzweifel/changelog-updater-action@v1 + uses: stefanzweifel/changelog-updater-action@a938690fad7edf25368f37e43a1ed1b34303eb36 # v1 with: latest-version: ${{ github.event.release.name }} release-notes: ${{ github.event.release.body }} - name: Commit updated CHANGELOG - uses: stefanzweifel/git-auto-commit-action@v7 + uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7 with: branch: main commit_message: Update CHANGELOG
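Review bot: The `gaelgirodon/ci-badges-action` step pinned here writes to a gist, which `GITHUB_TOKEN` cannot do, so its `with:` block (continuing past the hunk) must be carrying a separately stored personal access token — the one credential in these workflows that the new `permissions: contents: read` blocks do not scope. That makes this pin the most consequential one in the file; also confirm the token is a fine-grained PAT limited to gists, and consider adding `# needs a gist-scoped PAT; GITHUB_TOKEN has no gist permission` above the step so the exception is documented. The `if: github.ref == 'refs/heads/main'` guard already keeps it off PR branches.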
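Review bot: The `contents: write` job permission combined with `ref: main` on the checkout and `branch: main` on the commit step means this workflow pushes directly to `main` with `GITHUB_TOKEN`; that only succeeds if `main` has no branch protection or an explicit bypass for the token, and either case quietly removes the review gate from the default branch. If protection is in place the final step will fail; if it is not, consider having the auto-commit open a PR instead, and record the decision with `# pushes to main with GITHUB_TOKEN; requires a protection bypass` above the job's `permissions:`. Note also that with `contents: write` granted, the credentials checkout persists by default are available to the third-party changelog-updater step as well as the commit step, so these two pins deserve the closest watch on future bumps.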