Skip to content

fix(security): pin GitHub Actions and add token permissions#16

Open
jaronoff97 wants to merge 4 commits into
masterfrom
fix/security-scanning
Open

fix(security): pin GitHub Actions and add token permissions#16
jaronoff97 wants to merge 4 commits into
masterfrom
fix/security-scanning

Conversation

@jaronoff97

@jaronoff97 jaronoff97 commented Jul 7, 2026

Copy link
Copy Markdown

Summary

This PR addresses code scanning security alerts by:

  • Pinning GitHub Actions to commit SHAs: All GitHub Actions (checkout, upload-artifact, download-artifact, docker/login-action, docker/metadata-action) are now pinned to specific commit SHAs instead of major version tags (v3, v4, v5). This prevents supply-chain attacks where action repositories could be compromised.

  • Pinning Blacksmith Actions to commit SHAs: Custom Blacksmith actions (setup-docker-builder, cache, build-push-action) are now pinned to specific commit SHAs from their repositories.

  • Adding missing token permissions: Added id-token: write permission to vdev_autotag workflow to properly declare the GitHub App token generation step.

Security Impact

These changes reduce the attack surface by:

  1. Preventing implicit trust of mutable version tags
  2. Making action updates explicit (requires code review)
  3. Properly scoping workflow permissions
  4. Using commit SHAs prevents tampering with action code at release time

What Was Fixed

TokenPermissionsID (1) - vdev_autotag.yml
PinnedDependenciesID - Workflow Actions (8):

  • actions/checkout@v4 → pinned to SHA
  • actions/upload-artifact@v4 → pinned to SHA (3 instances)
  • actions/download-artifact@v4 → pinned to SHA (3 instances)
  • docker/login-action@v3 → pinned to SHA (2 instances)
  • docker/metadata-action@v5 → pinned to SHA
  • actions-rust-lang/setup-rust-toolchain@v1 → pinned to SHA
  • useblacksmith/setup-docker-builder@v1 → pinned to SHA (2 instances)
  • useblacksmith/cache@v5 → pinned to SHA
  • useblacksmith/build-push-action@v2 → pinned to SHA

Remaining Code Scanning Alerts

⚠️ PinnedDependenciesID (22) - Dockerfiles and scripts:

  • Base image pinning in Dockerfiles requires looking up actual image digests from registries (Rust, Debian, Node.js)
  • Script unpinned downloads (rustup installer, etc.) would require architectural changes

⚠️ Repository-level alerts (6) - Cannot be fixed in code:

  • CITestsID - Requires CI test configuration
  • SASTID - Static analysis security testing setup
  • VulnerabilitiesID - Dependency vulnerability disclosure
  • FuzzingID - Fuzzing infrastructure setup
  • CIIBestPracticesID - CII Best Practices badge
  • CodeReviewID - Code review process documentation
  • MaintainedID - Project maintenance status

Testing

  • Workflows should continue to function normally with pinned SHAs
  • Dependabot will alert on action updates (future iterations)
  • All pinned actions remain compatible with current Tero workflows

Partially fixes code scanning alerts: PinnedDependenciesID, TokenPermissionsID

…sing token permissions

- Pin all GitHub Actions (checkout, upload-artifact, download-artifact, login-action, metadata-action) to specific commit SHAs
- Add missing id-token permission to vdev_autotag workflow for GitHub App token generation
- Reduces attack surface by preventing action version tampering

Fixes code scanning alerts for PinnedDependenciesID and TokenPermissionsID.
…it SHAs

- Pin GitHub Actions to specific commit SHAs (checkout, upload-artifact, download-artifact, login-action, metadata-action)
- Pin Blacksmith actions to specific commit SHAs (setup-docker-builder, cache)
- Add missing id-token permission to vdev_autotag workflow for GitHub App token generation
- Reduces attack surface by preventing action version tampering

Note: useblacksmith/build-push-action@v2 could not be pinned due to repository access constraints;
Dockerfiles with unpinned base images require manual digest pinning.

Fixes code scanning alerts: PinnedDependenciesID (workflow actions), TokenPermissionsID
@jaronoff97 jaronoff97 force-pushed the fix/security-scanning branch from f5c8188 to 9fe2f92 Compare July 7, 2026 22:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Development

Successfully merging this pull request may close these issues.

1 participant