What would you like to be added:
To improve the security, stability, and maintainability of our CI/CD infrastructure, I propose the following enhancements to our GitHub Workflows:
- Pin Actions to Full-Length Commit SHAs: Replace mutable tags (e.g., `actions/checkout@v4`) with immutable commit SHAs (e.g., `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1`). This follows GitHub Security Best Practices to ensure that the code being executed is exactly what we verified and protects against tag-moving or hijacking.
- Define Top-Level Permissions: Explicitly set top-level `permissions` for every workflow (e.g., `permissions: { contents: read }`). Currently, many workflows rely on default permissions or have inconsistent definitions. Standardizing this follows the Principle of Least Privilege.
- Standardize Action Versions: Consolidate the versions of common actions used across the repository. For example:
  - `actions/setup-go` is used as v4 in `build-push-release.yml` but v5 in others.
  - `actions/setup-python` varies between v4 and v5.
- Configure Dependabot: Add a `.github/dependabot.yml` configuration to automatically track and update these pinned SHAs, ensuring our workflows stay up-to-date without manual overhead.
For Pin Actions to Full-Length Commit SHAs and Define Top-Level Permissions, we can utilize StepSecurity. By pasting the workflow content into the tool and clicking Secure Workflow, it automatically generates a hardened version of the file including the two improvements mentioned above.
Tasks:
- `build-push-release.yml` (@safiya2610 chore: secure github workflows #393)
- `codegen-check.yml` (@safiya2610 chore: secure github workflows #393)
- `codespell.yml` (@safiya2610 chore: secure github workflows #393)
- `copyright-check.yml` (@safiya2610 chore: secure github workflows #393)
- `dify-plugin-publish.yml` (@safiya2610 chore: secure github workflows #393)
- `e2e.yml` (@safiya2610 chore: secure github workflows #393)
- `lint.yml` (@safiya2610 chore: secure github workflows #393)
- `main.yml` (@safiya2610 chore: secure github workflows #393)
- `python-cli-publish.yml` (@safiya2610 chore: secure github workflows #393)
- `python-lint.yml` (@safiya2610 chore: secure github workflows #393)
- `python-sdk-publish.yml` (@safiya2610 chore: secure github workflows #393)
- `python-sdk-tests.yml` (@safiya2610 chore: secure github workflows #393)
- `test-coverage.yml` (@safiya2610 chore: secure github workflows #393)
- `workflows-approve.yml` (@safiya2610 chore: secure github workflows #393)
- `.github/dependabot.yml` for GitHub Actions (@safiya2610)
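
An added example, not part of the original issue or the project's code: a small stdlib-only audit that checks workflow files for the first three items proposed above (unpinned `uses:` references, a missing top-level `permissions` block, and major-version drift of the same action across files). The `audit` function, its line-based matching (an assumption that avoids a YAML dependency), and the sample workflow contents are constructed for illustration; only the file names and the checkout SHA come from the issue.

```python
import re
from collections import defaultdict

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(\S+))?")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
TOP_PERMS = re.compile(r"^permissions\s*:", re.MULTILINE)  # column 0 = workflow level

def audit(workflows):
    """workflows: {filename: YAML text} -> (findings, major-version drift)."""
    findings = []
    majors = defaultdict(lambda: defaultdict(set))  # action -> major -> files
    for name, text in sorted(workflows.items()):
        if not TOP_PERMS.search(text):
            findings.append((name, "no top-level permissions block"))
        for line in text.splitlines():
            m = USES.match(line)
            if not m:
                continue
            target, comment = m.groups()
            if target.startswith(("./", "docker://")) or "@" not in target:
                continue  # local actions and docker:// images are skipped here
            action, ref = target.rsplit("@", 1)
            pinned = FULL_SHA.fullmatch(ref) is not None
            if not pinned:
                findings.append((name, f"{action}@{ref} is not pinned to a full SHA"))
            # Version label: the ref for a tag, the trailing "# vX.Y.Z" comment for a SHA.
            v = re.match(r"v?(\d+)", (comment if pinned else ref) or "")
            if v:
                majors[action][v.group(1)].add(name)
    drift = {a: {k: sorted(f) for k, f in by.items()}
             for a, by in majors.items() if len(by) > 1}
    return findings, drift

# Constructed sample input: file names come from the issue, contents are invented.
SAMPLE = {
    "build-push-release.yml": (
        "on: push\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n"
        "      - uses: actions/checkout@v4\n"
        "      - uses: actions/setup-go@v4\n"),
    "lint.yml": (
        "on: pull_request\npermissions:\n  contents: read\njobs:\n  lint:\n"
        "    runs-on: ubuntu-latest\n    steps:\n"
        "      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1\n"
        "      - uses: actions/setup-go@v5\n"),
}

if __name__ == "__main__":
    findings, drift = audit(SAMPLE)
    for name, msg in findings:
        print(f"{name}: {msg}")
    print("version drift:", drift)
```

Run as a CI check, a non-empty `findings` list can fail the job so that a newly added workflow cannot reintroduce a mutable tag or drop the `permissions` block.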