
Harden CI: SHA-pin all actions, add persist-credentials: false #83

Merged: jpr5 merged 1 commit into main from fix/ci-hardening on May 15, 2026

Conversation

jpr5 (Contributor) commented May 15, 2026

Summary

  • SHA-pin all GitHub Actions (actions/checkout, actions/setup-node,
    pnpm/action-setup, slackapi/slack-github-action) to immutable
    commit SHAs with version comments
  • Add persist-credentials: false to all actions/checkout steps to
    prevent token leakage in a public repo
  • Add top-level permissions: contents: read to enforce least-privilege
    on the workflow's GITHUB_TOKEN

Why

Public repos are vulnerable to supply-chain attacks via tag-mutable
action references. SHA-pinning ensures the exact code that was audited
is what runs. Restricting token permissions and persistence limits blast
radius if a dependency is compromised.

Test plan

  • CI passes on this PR (smoke + lint on all matrix entries)
  • Slack notification step still resolves correctly

- SHA-pin actions/checkout, actions/setup-node, pnpm/action-setup,
  and slackapi/slack-github-action to immutable commit SHAs
- Add persist-credentials: false to all checkout steps to limit
  token exposure in a public repo
- Add top-level permissions: contents: read to enforce least
  privilege
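An added audit script (not part of this PR or the repository) that checks a workflow file for the three controls the PR introduces: every `uses:` reference pinned to a 40-hex commit SHA, `persist-credentials: false` on every `actions/checkout` step, and a top-level `permissions:` block. Both embedded workflows are constructed for the example, and the 40-hex SHAs in the hardened one are placeholders, not real commits.

```python
import re

# Constructed "before" workflow with tag-mutable refs (not from the repo).
WEAK_WORKFLOW = """\
jobs:
  smoke:
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
"""
# Constructed hardened counterpart; the SHAs are placeholders, not real commits.
HARDENED_WORKFLOW = """\
permissions:
  contents: read
jobs:
  smoke:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
        with:
          persist-credentials: false
      - uses: pnpm/action-setup@1111111111111111111111111111111111111111 # v4
      - uses: actions/setup-node@2222222222222222222222222222222222222222 # v4
"""

USES = re.compile(r"^(\s*)-\s*uses:\s*(\S+)")   # captures step indent and the ref
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")        # ref must end in a full commit SHA
def audit_workflow(text: str) -> list[str]:
    lines = text.splitlines()
    findings = []
    if not any(l.startswith("permissions:") for l in lines):
        findings.append("missing top-level permissions block")
    for i, line in enumerate(lines, 1):
        m = USES.match(line)
        if not m or m.group(2).startswith("./"):   # local actions need no pin
            continue
        indent, ref = len(m.group(1)), m.group(2)
        if not FULL_SHA.search(ref):
            findings.append(f"line {i}: {ref} not pinned to a commit SHA")
        if ref.split("@")[0] == "actions/checkout":
            # The step's own keys are the following lines indented deeper than its dash.
            body = []
            for nxt in lines[i:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                body.append(nxt.strip())
            if "persist-credentials: false" not in body:
                findings.append(f"line {i}: {ref} keeps persist-credentials (default true)")
    return findings
```

Running `audit_workflow` over the weak workflow reports five findings (no permissions block, three unpinned refs, and the checkout step that still persists the token); the hardened one reports none.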
@jpr5 jpr5 merged commit cc79841 into main May 15, 2026
6 checks passed