
Commit 20f38cc

ci: pin actions & limit token permissions
- following the [`tj-actions` supply chain attack](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised), figured I should harden some of my small repos too
- follow [OpenSSF Scorecard best practices](https://github.com/ossf/scorecard/blob/43d5832d25ccc597a9b94926b6ad43da25204085/docs/checks.md)
  - specifically "Pinned Dependencies" and "Token Permissions"
- In the future, may add [`falco-actions`](https://github.com/falcosecurity/falco-actions) etc. for anomaly detection
  - see also https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/
  - based off OSS Falco, more powerful than and without restrictions unlike [`harden-runner`](https://github.com/step-security/harden-runner), although it doesn't have proactive egress blocking via an allowlist as `harden-runner` does 😕
  - right now, adding those actions could arguably add _more_ surface area given the small usage of the current actions (could be a premature optimization rn)

Co-authored-by: StepSecurity Bot <[email protected]>
1 parent 3992edb commit 20f38cc

1 file changed (+7, -3 lines)


.github/workflows/ci.yml

@@ -1,5 +1,9 @@
11
name: CI
22
on: [push, pull_request]
3+
4+
permissions:
5+
contents: read
6+
37
jobs:
48
ci:
59
name: CI - Node ${{ matrix.node-version }}, ${{ matrix.os }}
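Review bot: the workflow-level `permissions:` block with `contents: read` applies to every job in the file, so the `ci` job's GITHUB_TOKEN loses all write scopes at once; that is the right default for a workflow triggered by `on: [push, pull_request]`, but if a job is later added that genuinely needs to write (for example to post a pull-request comment), grant the extra scope in that job's own `permissions:` block rather than widening this top-level one. A one-line comment above `permissions:` stating that it is intentionally minimal would help the next contributor avoid "fixing" a permission error by deleting the block.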
@@ -12,9 +16,9 @@ jobs:
1216

1317
steps:
1418
- name: Checkout repo
15-
uses: actions/checkout@v4
19+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
1620
- name: Setup Node.js ${{ matrix.node-version }}
17-
uses: actions/setup-node@v4
21+
uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
1822
with:
1923
node-version: ${{ matrix.node-version }}
2024
cache: 'npm'
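Review bot: the `# v4.2.2` and `# v4.3.0` comments beside the pinned SHAs are not checked by the runner, so before merging confirm that each hash really is the commit behind the tag named in its comment (for example `git ls-remote --tags https://github.com/actions/checkout v4.2.2` and compare the dereferenced `^{}` commit with `11bd71901bbe5b1630ceea73d27597364c9af683`, and likewise for `setup-node`); a mistyped or stale comment makes later audits and automated bumps trust the wrong version. Note also that the full-SHA form means `cache: 'npm'` now runs under a frozen `setup-node`, so fixes to that caching logic will only arrive when the pin is bumped deliberately.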
@@ -31,4 +35,4 @@ jobs:
3135
- name: Test w/ coverage report
3236
run: npm run test:coverage
3337
- name: Upload coverage report to Codecov
34-
uses: codecov/codecov-action@v5
38+
uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0
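Review bot: pinning `codecov/codecov-action` to a full SHA means this step will never pick up a patch release on its own, so pair the three pins in this commit with an updater that understands SHA pins (Dependabot's `github-actions` ecosystem and Renovate both bump the hash and rewrite the `# v5.4.0` comment); otherwise the pins will silently age. Since this is a third-party action that uploads the coverage report off the runner, the workflow-level `contents: read` introduced in the first hunk is the correct scope for it, and no job-level write permission should be added on its behalf.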
