From 826955218f3b80b2cda27cf5805ce1d20df01446 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Tue, 8 Jul 2025 19:08:20 -0400
Subject: [PATCH 1/3] CI: harden GHA configuration
This adjusts the defaults per suggestions of zizmor to reduce possible risks from giving GHA tasks more permissions that required.
---
.github/workflows/ros.yaml | 4 ++++
.github/workflows/ruff.yml | 2 ++
.github/workflows/super-linter.yml | 2 +-
3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ros.yaml b/.github/workflows/ros.yaml
index 026a447d7..2344da46f 100644
--- a/.github/workflows/ros.yaml
+++ b/.github/workflows/ros.yaml
@@ -14,6 +14,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Test
uses: ./.github/actions/test/
@@ -27,6 +29,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Run linter
uses: ./.github/actions/lint/
env:
diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml
index f483d412c..fd4280440 100644
--- a/.github/workflows/ruff.yml
+++ b/.github/workflows/ruff.yml
@@ -12,6 +12,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- uses: actions/setup-python@v5
- uses: astral-sh/ruff-action@v3
- name: Ruff Check
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
index 4db07240e..82e20361f 100644
--- a/.github/workflows/super-linter.yml
+++ b/.github/workflows/super-linter.yml
@@ -18,8 +18,8 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4
with:
- # Full git history is needed to get a proper list of changed files within `super-linter`
fetch-depth: 0
+ persist-credentials: false
- name: Lint Code Base
uses: github/super-linter@v7
From 0e1f13c72ce4a92b519f260a19973e614e6774e1 Mon Sep 17 00:00:00 2001
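Review bot: The explanatory comment for `fetch-depth: 0` is removed in the super-linter.yml hunk while the setting itself is kept, so the new side no longer records why a full clone is required there. Restore it above the setting, `# Full git history is needed to get a proper list of changed files within super-linter`, and place the new `persist-credentials: false` line after `fetch-depth: 0` as the hunk already does. The same `persist-credentials: false` addition in the ros.yaml and ruff.yml hunks needs no comment; the composite actions under `./.github/actions/` that ros.yaml then runs are not visible here, so confirm none of them relies on the checkout's stored token for git operations after the checkout step.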
From: Thomas A Caswell
Date: Tue, 8 Jul 2025 19:32:21 -0400
Subject: [PATCH 2/3] CI: pin actions by SHA
This eliminates the possibility of a tag being changed under us.
---
.github/workflows/ruff.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml
index fd4280440..3c05e5743 100644
--- a/.github/workflows/ruff.yml
+++ b/.github/workflows/ruff.yml
@@ -15,7 +15,7 @@ jobs:
with:
persist-credentials: false
- uses: actions/setup-python@v5
- - uses: astral-sh/ruff-action@v3
+ - uses: astral-sh/ruff-action@eaf0ecdd668ceea36159ff9d91882c9795d89b49 # v3
- name: Ruff Check
run: ruff check --fix
- name: Ruff Format
From 19f8c18a9aa823df9d59b00b813aa3821306e603 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Tue, 8 Jul 2025 20:27:00 -0400
Subject: [PATCH 3/3] CI: Restrict default permissions
Reduces risk of arbitrary code is run by attacker.
---
.github/workflows/ros.yaml | 2 ++
.github/workflows/ruff.yml | 2 ++
.github/workflows/super-linter.yml | 2 ++
3 files changed, 6 insertions(+)
diff --git a/.github/workflows/ros.yaml b/.github/workflows/ros.yaml
index 2344da46f..4f1f3302c 100644
--- a/.github/workflows/ros.yaml
+++ b/.github/workflows/ros.yaml
@@ -1,4 +1,6 @@
name: ROS C++ Testing and Linting
+permissions:
+ contents: read
on:
push:
diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml
index 3c05e5743..719cd6829 100644
--- a/.github/workflows/ruff.yml
+++ b/.github/workflows/ruff.yml
@@ -1,4 +1,6 @@
name: Check Code Style - Ruff
+permissions:
+ contents: read
on:
push:
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
index 82e20361f..8b78bc882 100644
--- a/.github/workflows/super-linter.yml
+++ b/.github/workflows/super-linter.yml
@@ -5,6 +5,8 @@
# For more information, see:
# https://github.com/github/super-linter
name: Lint Code Base (Super-Linter)
+permissions:
+ contents: read
on:
push:
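Review bot: Only `astral-sh/ruff-action` is pinned to a commit SHA in the ruff.yml hunk of PATCH 2/3, while `actions/setup-python@v5` on the context line directly above it, `actions/checkout@v4` earlier in the same file and `github/super-linter@v7` in super-linter.yml are still referenced by mutable tags, so the commit message's claim that a tag can no longer be changed under us does not yet hold for the workflows as a whole. Pin each of them the same way, e.g. `- uses: actions/setup-python@<commit-sha-placeholder> # v5`, keeping the trailing `# vN` comment so Dependabot or Renovate can recognise and bump the pin. Before merging, resolve the tag and confirm that `eaf0ecdd668ceea36159ff9d91882c9795d89b49` is really the commit behind `v3`, since nothing in the workflow checks that the comment and the SHA agree. Separately, the context line `run: ruff check --fix` means fixable violations are silently corrected in the runner's working tree rather than failing the job; plain `ruff check` (or adding `--exit-non-zero-on-fix`) is the usual form for a CI gate.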
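Review bot: `permissions: contents: read` in the super-linter.yml hunk of PATCH 3/3 may be too narrow for `github/super-linter@v7`, which (if I recall its README correctly) asks for `contents: read`, `packages: read` and `statuses: write` because it posts a commit status per linter unless that reporting is turned off; the job's `env:` block is outside this hunk, so either add `statuses: write` or confirm `MULTI_STATUS: false` is set there. If the extra scope is needed, grant it at the job level rather than widening this workflow-level block, so the read-only default keeps applying to any job added later. The identical `contents: read` blocks in the ros.yaml and ruff.yml hunks look sufficient for a checkout followed by linting, though the ros.yaml composite actions are not visible here and should be checked for anything that writes back (uploads, status updates, pushes).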