fix(security): pin GitHub Actions and add token permissions#16
Open
jaronoff97 wants to merge 4 commits into
Open
fix(security): pin GitHub Actions and add token permissions#16jaronoff97 wants to merge 4 commits into
jaronoff97 wants to merge 4 commits into
Conversation
…sing token permissions - Pin all GitHub Actions (checkout, upload-artifact, download-artifact, login-action, metadata-action) to specific commit SHAs - Add missing id-token permission to vdev_autotag workflow for GitHub App token generation - Reduces attack surface by preventing action version tampering Fixes code scanning alerts for PinnedDependenciesID and TokenPermissionsID.
d128e57 to
f5c8188
Compare
…it SHAs - Pin GitHub Actions to specific commit SHAs (checkout, upload-artifact, download-artifact, login-action, metadata-action) - Pin Blacksmith actions to specific commit SHAs (setup-docker-builder, cache) - Add missing id-token permission to vdev_autotag workflow for GitHub App token generation - Reduces attack surface by preventing action version tampering Note: useblacksmith/build-push-action@v2 could not be pinned due to repository access constraints; Dockerfiles with unpinned base images require manual digest pinning. Fixes code scanning alerts: PinnedDependenciesID (workflow actions), TokenPermissionsID
f5c8188 to
9fe2f92
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR addresses code scanning security alerts by:
Pinning GitHub Actions to commit SHAs: All GitHub Actions (checkout, upload-artifact, download-artifact, docker/login-action, docker/metadata-action) are now pinned to specific commit SHAs instead of major version tags (v3, v4, v5). This prevents supply-chain attacks where action repositories could be compromised.
Pinning Blacksmith Actions to commit SHAs: Custom Blacksmith actions (setup-docker-builder, cache, build-push-action) are now pinned to specific commit SHAs from their repositories.
Adding missing token permissions: Added
id-token: writepermission tovdev_autotagworkflow to properly declare the GitHub App token generation step.Security Impact
These changes reduce the attack surface by:
What Was Fixed
✅ TokenPermissionsID (1) - vdev_autotag.yml
✅ PinnedDependenciesID - Workflow Actions (8):
Remaining Code Scanning Alerts
Testing
Partially fixes code scanning alerts: PinnedDependenciesID, TokenPermissionsID