Skip to content

[Umbrella][Infrastructure] Hardening GitHub Workflows #392

Description

@zhzhuang-zju

What would you like to be added:
To improve the security, stability, and maintainability of our CI/CD infrastructure, I propose the following enhancements to our GitHub Workflows:

  1. Pin Actions to Full-Length Commit SHAs: Replace mutable tags (e.g., actions/checkout@v4) with immutable commit SHAs (e.g., actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1). This follows GitHub Security Best Practices to ensure that the code being executed is exactly what we verified and protects against tag-moving or hijacking.
  2. Define Top-Level Permissions: Explicitly set top-level permissions for every workflow (e.g., permissions: { contents: read }). Currently, many workflows rely on default permissions or have inconsistent definitions. Standardizing this follows the Principle of Least Privilege.
  3. Standardize Action Versions: Consolidate the versions of common actions used across the repository. For example:
    • actions/setup-go is used as v4 in build-push-release.yml but v5 in others.
    • actions/setup-python varies between v4 and v5.
  4. Configure Dependabot: Add a .github/dependabot.yml configuration to automatically track and update these pinned SHAs, ensuring our workflows stay up-to-date without manual overhead.

For Pin Actions to Full-Length Commit SHAs and Define Top-Level Permissions, we can utilize StepSecurity. By pasting the workflow content into the tool and clicking Secure Workflow, it automatically generates a hardened version of the file including the two improvements mentioned above.

Image

Tasks:

Metadata

Metadata

Assignees

Labels

Type

No type
No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions