Skip to content

CI: Harden GHA configuration #338

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
dmgav merged 4 commits into from
Jul 9, 2025
Merged

CI: Harden GHA configuration #338

dmgav merged 4 commits into from
Jul 9, 2025

Conversation

@tacaswell
Copy link
Contributor

@tacaswell tacaswell commented Jul 9, 2025
edited
Loading

Apply recommended hardening steps including:

  • pinning to a SHA any actions used
  • not persisting the read token on checkout
  • setting the default permissions to read-only

tacaswell added 3 commits July 8, 2025 19:09
@tacaswell
CI: harden GHA configuration
3da91fa 
This adjusts the defaults per suggestions of zizmor to
reduce possible risks from giving GHA tasks more permissions
that required.
@tacaswell
CI: pin actions by SHA
34d3413 
This eliminates the possibility of a tag being changed under
us.
@tacaswell
CI: Restrict default permissions
11fd18e 
Reduces risk of arbitrary code is run by attacker.
@tacaswell tacaswell changed the title "CI: Harden GHA configuration" CI: Harden GHA configuration Jul 9, 2025
@dmgav dmgav merged commit c49d435 into NSLS2:master Jul 9, 2025
3 of 10 checks passed
@tacaswell tacaswell deleted the harden_gha branch July 9, 2025 19:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tacaswell @dmgav