Harden reusable workflow security #24
Open
darwinboersma wants to merge 3 commits into
Conversation
Pull request overview
This PR hardens the security posture of the repo’s reusable GitHub Actions workflows by pinning third-party Action references, removing unsafe patterns (e.g., eval), tightening permissions, and inlining coverage enforcement logic to avoid mutable workflow/action refs.
Changes:
- Pin third-party Actions to immutable commit SHAs and set explicit workflow/job permissions.
- Inline PR coverage reporting + enforcement logic into coverage-report.yml (instead of calling coverage-check@main) and adjust related coverage artifact handling.
- Improve workflow safety/operability: validate E2E environment names before deploy-branch pushes, make raw CodeBuild log streaming opt-in, and update docs/examples (trusted publishing + pinned Knip usage + pinning guidance).
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| coverage-check/action.yml | Pins actions/upload-artifact to an immutable SHA for the composite action. |
| README.md | Updates usage guidance (pinning), renames/updates workflow examples, documents pinned tool versions and trusted publishing. |
| .github/workflows/publish-npm-package.yml | Pins Actions, adds minimal permissions, removes eval, and reorders pre-install setup ahead of registry auth. |
| .github/workflows/pr-title-checker.yml | Adds explicit permissions and minor workflow metadata cleanup. |
| .github/workflows/knip.yml | Pins Actions and pins Knip execution via npx knip@<version>. |
| .github/workflows/ghactionlint.yml | Updates zizmor default version and pins checkout action; adds job name. |
| .github/workflows/e2e-codebuild.yml | Adds environment validation before deploy pushes and makes CodeBuild log streaming opt-in. |
| .github/workflows/coverage-report.yml | Pins Actions, adds scoped permissions, and inlines baseline download + PR comment + enforcement logic. |
| .github/workflows/ci.yml | Adds a clearer job name for the ghactionlint reusable workflow job. |
| .github/workflows/check-links.yml | Adds explicit permissions and a job name for consistency/minimal privilege. |
Comment on lines +96 to +102
| if command -v jq &> /dev/null; then | ||
| echo "jq already installed: $(jq --version)" | ||
| else | ||
| echo "Installing jq..." | ||
| ARCH=$(dpkg --print-architecture 2>/dev/null || echo amd64) | ||
| curl -sL -o /usr/local/bin/jq "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-${ARCH}" | ||
| chmod +x /usr/local/bin/jq |
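Review bot: the jq binary fetched by `curl -sL -o /usr/local/bin/jq "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-${ARCH}"` is never checksum-verified before `chmod +x`, which is inconsistent with the actionlint and zizmor downloads this PR pins to SHA-256 hashes; a substituted release asset would run unchecked. Also, `curl -sL` without `-f` saves an HTTP error body as `/usr/local/bin/jq` and then marks it executable. Suggest downloading with `curl -fsSL -o "$tmp" ...`, checking `echo "<pinned-sha256>  $tmp" | sha256sum -c -`, and only then `install -m 0755 "$tmp" /usr/local/bin/jq`, keeping the hash next to `jq-1.7.1` so a version bump forces a hash update.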
Comment on lines +204 to +207
| echo "$CHANGED_FILES" \ | ||
| | grep -E "$SOURCE_FILE_PATTERN" \ | ||
| | grep -vE "$SOURCE_FILE_EXCLUDE" \ | ||
| | grep -vE '/index\.(ts|tsx)$' \ |
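Review bot: each `grep` in this pipeline exits 1 when it matches nothing, so if the step runs under `set -o pipefail` a PR that touches no source files fails the job instead of skipping the coverage check; append `|| true` to the filtering stage or test for an empty result explicitly. Separately, an empty `$SOURCE_FILE_PATTERN` turns `grep -E "$SOURCE_FILE_PATTERN"` into a match-everything filter and an empty `$SOURCE_FILE_EXCLUDE` turns `grep -vE "$SOURCE_FILE_EXCLUDE"` into a drop-everything filter, so guard both with `: "${SOURCE_FILE_PATTERN:?}"` / `: "${SOURCE_FILE_EXCLUDE:?}"` before the pipeline.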
Comment on lines +126 to +139
| - name: Validate environment | ||
| env: | ||
| TARGET_ENV: ${{ inputs.environment }} | ||
| run: | | ||
| set -euo pipefail | ||
| case "$TARGET_ENV" in | ||
| predev|predev2|predev3|predev4|predev5|predev6|predev7|predev8|dev|preuat) | ||
| ;; | ||
| *) | ||
| echo "::error::Unknown environment: $TARGET_ENV" | ||
| exit 1 | ||
| ;; | ||
| esac | ||
|
|
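Review bot: reading `inputs.environment` through `env:` and matching it with `case` keeps the value out of the shell source, which is the right pattern, but the allowlist on the `predev|predev2|...|dev|preuat)` line is now the only place the valid environment names live; move it to a workflow-level `env` or a repository variable so this check and the deploy job cannot drift. Since `workflow_call` inputs cannot be restricted with `type: choice`, this runtime check is the gate, so confirm the deploy-branch push step runs after it in the same job or depends on it via `needs:`; a failed validation must make the push unreachable, not just emit `::error::`.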
zizmor's ref-version-mismatch check was failing because the # v2 comments next to pinned SHAs resolve to v2.7.0 (lychee-action) and v2.9.3 (vitest-coverage-report-action) respectively. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replace the `bash <(curl ...)` actionlint installer and the pipx/PyPI zizmor installer with direct GitHub release downloads, each verified against a pinned SHA-256. Both tools now run from local binaries with no remote-script execution and no Python toolchain in the trust path. New `actionlint_sha256` and `zizmor_sha256` workflow inputs default to the hashes for the default versions; bumping a version requires supplying the matching hash. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
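The download-and-verify pattern the commit above describes, as an added example that is not the project's workflow code: the pinned SHA-256 is checked before the file is made executable, and a failed download or mismatch cannot leave an unverified file at the destination. The function names, the jq release URL and the `JQ_SHA256` input are assumptions; the demo at the end runs `verify_sha256` on a constructed file so the script works offline.

```bash
#!/usr/bin/env bash
# Added example, not the project's workflow code: fetch a release binary and
# install it only if its SHA-256 matches a value pinned in the workflow.
set -euo pipefail

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the file's digest equals EXPECTED_HEX, 1 otherwise.
verify_sha256() {
  local file="$1" expected="$2" actual
  actual="$(sha256sum "$file" | awk '{print $1}')"
  if [ "$actual" != "$expected" ]; then
    echo "::error::SHA-256 mismatch for $file: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

# install_verified URL DEST EXPECTED_HEX
# Download to a temp file, verify, then install with mode 0755. The temp file
# is removed on any failure so DEST never points at unverified bytes.
install_verified() {
  local url="$1" dest="$2" expected="$3" tmp
  tmp="$(mktemp)"
  # -f makes curl fail on HTTP errors instead of saving the error page as the binary.
  if ! curl -fsSL --retry 3 -o "$tmp" "$url"; then
    rm -f "$tmp"
    echo "::error::download failed: $url" >&2
    return 1
  fi
  if ! verify_sha256 "$tmp" "$expected"; then
    rm -f "$tmp"
    return 1
  fi
  install -m 0755 "$tmp" "$dest"
  rm -f "$tmp"
}

# Workflow usage (assumed: JQ_SHA256 is a workflow input carrying the pinned
# hash, supplied together with the version as the actionlint/zizmor inputs are):
#   install_verified \
#     "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-${ARCH}" \
#     /usr/local/bin/jq "${JQ_SHA256:?pin the jq hash}"

# Offline demo on a constructed file: content "hello\n", whose SHA-256 is known.
demo() {
  local f
  f="$(mktemp)"
  printf 'hello\n' > "$f"
  verify_sha256 "$f" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
    && echo "constructed file verified"
  if verify_sha256 "$f" 0000000000000000000000000000000000000000000000000000000000000000 2>/dev/null; then
    echo "BUG: tampered hash accepted"
  else
    echo "mismatch rejected as expected"
  fi
  rm -f "$f"
}
demo
```

Because the hash is an explicit argument, bumping the version without updating the hash fails closed at the `verify_sha256` step rather than silently trusting the new asset, which is the behaviour the new `actionlint_sha256` and `zizmor_sha256` inputs rely on.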
Summary
coverage-check@main, and pin remaining third-party Actions to immutable SHAs
eval
Validation
./actionlint -color=false
uvx zizmor --format plain .
uvx --from detect-secrets detect-secrets scan --all-files --force-use-all-plugins
git diff --check
Follow-up