Skip to content

ci: GHA workflow security cleanup#451

Open
emptyhammond wants to merge 5 commits into
mainfrom
worktree-fixup-workflows
Open

ci: GHA workflow security cleanup#451
emptyhammond wants to merge 5 commits into
mainfrom
worktree-fixup-workflows

Conversation

@emptyhammond
Copy link
Copy Markdown

@emptyhammond emptyhammond commented May 26, 2026

Routine hygiene pass over the GitHub Actions workflows in this repo, addressing findings from a workflow security audit. Changes are split into five commits, one per finding type:

  • Disable credential persistence on actions/checkout steps so the workflow's GITHUB_TOKEN is not left in the local git config after checkout.
  • Scope each job's permissions explicitly: top-level permissions: {}, with each job granted only the GITHUB_TOKEN scopes it actually needs.
  • Move the workflow-context expansion (${{ matrix.type }}) out of run: shell source and read it from the already-defined TEST_TYPE env binding instead.
  • Pin all third-party actions to commit SHAs (with the tag preserved as a comment) so an upstream tag move can't silently change what runs in CI.
  • Replace secrets: inherit on the reusable ably/features workflow call with an explicit passthrough of the single secret it declares (ABLY_AWS_ACCOUNT_ID_SDK), so unrelated repo secrets aren't forwarded into it.

No behavioural changes intended — the workflows run the same checks against the same inputs.

@emptyhammond
ci: disable credential persistence on checkout
ce135e1 
actions/checkout leaves the workflow's GITHUB_TOKEN in the local git
config after fetching by default. Set persist-credentials: false so
later steps don't inherit token access they don't need.
@emptyhammond
ci: scope job permissions explicitly
7306b92 
Set a top-level permissions: {} default and grant each job only the
GITHUB_TOKEN scopes it needs:

- check.yml/check and check.yml/finish: contents: read for checkout
  and coverallsapp PR identification.
- features.yml/build: contents, deployments, id-token to match the
  permissions the called reusable workflow requires.
@emptyhammond
ci: read matrix value from env in test run step
bf33770 
The run: block expanded ${{ matrix.type }} into the shell directly.
Reference TEST_TYPE (already bound in the step's env:) instead so
workflow-context values stay out of the shell source.
@emptyhammond
ci: pin third-party actions to commit SHAs
ee124ac 
Tags can be moved to point at different commits after publication.
Pinning the SHA (with the previous tag retained as a comment for
readability) ensures CI runs the exact code we audited.
@emptyhammond
ci: pass only required secret to reusable workflow
4673b91 
The called workflow only declares ABLY_AWS_ACCOUNT_ID_SDK in its
workflow_call.secrets contract. Replace secrets: inherit with an
explicit passthrough so other repo secrets aren't forwarded into a
workflow that has no need for them.
@lawrence-forooghian
Copy link
Copy Markdown
Collaborator

lawrence-forooghian commented May 26, 2026

@emptyhammond looks like this has broken something in CI

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lawrence-forooghian lawrence-forooghian Awaiting requested review from lawrence-forooghian

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@emptyhammond @lawrence-forooghian