
fix: harden GitHub Actions workflows#4553

Merged
fzipi merged 1 commit into
mainfrom
fix/harden-gha-workflows
Mar 16, 2026

Conversation

@fzipi
Member

@fzipi fzipi commented Mar 16, 2026

what

  • pin all third-party actions to commit SHAs instead of mutable tags
  • add explicit minimal permissions blocks to all workflows missing them
  • move user-controlled GitHub context values (github.base_ref, github.head_ref, github.event.head_commit.message) from inline ${{ }} interpolation to env: blocks to prevent script injection in lint.yaml

why

several workflows had security gaps that could be exploited by bots or malicious contributors:

  • supply chain risk: gregsdennis/dependencies-action@main, thollander/actions-comment-pull-request@v3, and actions/cache@v4 were pinned to mutable refs (branches/tags) instead of immutable commit SHAs. a compromised upstream could inject arbitrary code into CI runs
  • overly broad permissions: test.yml, lint.yaml, and stale.yml relied on default GITHUB_TOKEN permissions (which can be broad depending on org settings) instead of declaring the minimum required
  • script injection: lint.yaml interpolated user-controlled values (github.head_ref, github.event.head_commit.message) directly into run: shell scripts via ${{ }}, which expands before the shell sees the value — a crafted branch name or commit message could break out of quoting and execute arbitrary commands

refs

…on attacks

- pin all third-party actions to commit SHAs instead of mutable tags
- add explicit minimal permissions blocks to all workflows
- move user-controlled GitHub context values to env vars to prevent script injection
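
The three workflow problems listed above (mutable action refs, missing permissions blocks, and untrusted context interpolated straight into run: scripts) are all visible in the workflow text itself, so they can be caught by a small lint before a PR lands. The following is an added example written for this page, not code from the PR or the project it belongs to. It embeds a constructed weak workflow next to its hardened counterpart (the 40-zero SHA is a placeholder standing in for a real commit SHA) and uses line-based heuristics rather than a full YAML parser, so it needs no third-party dependency; treat the regexes as heuristics, not a complete grammar of the workflow format.

```python
"""Lint GitHub Actions workflow text for mutable action refs, missing
permissions blocks and untrusted ${{ }} interpolation inside run: steps.
Added example; heuristic line-based parsing, no YAML library needed."""
import re

# Constructed weak workflow: mutable tags, no permissions block, and
# user-controlled context expanded directly inside shell commands.
WEAK_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
      - name: show branch
        run: echo "Linting ${{ github.head_ref }} against ${{ github.base_ref }}"
      - name: show message
        run: echo "${{ github.event.head_commit.message }}"
"""

# Constructed hardened workflow: SHA-pinned actions (placeholder SHA, replace
# with the real commit for the tag you intend), explicit minimal permissions,
# and untrusted values passed through env: so the shell sees them as data.
HARDENED_WORKFLOW = """\
name: lint
on: [pull_request]
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: actions/cache@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - name: show branch
        env:
          HEAD_REF: ${{ github.head_ref }}
          BASE_REF: ${{ github.base_ref }}
        run: echo "Linting $HEAD_REF against $BASE_REF"
      - name: show message
        env:
          COMMIT_MSG: ${{ github.event.head_commit.message }}
        run: echo "$COMMIT_MSG"
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
RUN_RE = re.compile(r"^(\s*)(?:-\s*)?run:\s*(.*)$")
PERMS_RE = re.compile(r"^\s*permissions:", re.M)
# Context values an external contributor controls (the ones named in the PR).
UNTRUSTED_RE = re.compile(r"\$\{\{\s*(github\.(?:head_ref|base_ref|event\.[^}\s]*))")


def lint_workflow(text):
    """Return a list of (line_no, kind, detail) findings; line 0 = whole file."""
    findings = []
    lines = text.splitlines()

    if not PERMS_RE.search(text):
        findings.append((0, "missing-permissions",
                         "no permissions: block at workflow or job level"))

    i = 0
    while i < len(lines):
        line = lines[i]
        m = USES_RE.match(line)
        if m:
            action = m.group(1)
            if not action.startswith(("./", "docker://")):   # local/docker refs skipped
                ref = action.rsplit("@", 1)[1] if "@" in action else ""
                if not SHA_RE.match(ref):
                    findings.append((i + 1, "mutable-ref", action))
        m = RUN_RE.match(line)
        if m:
            indent, value = m.group(1), m.group(2)
            body = [value]
            if value.strip() in ("|", ">", "|-", ">-"):
                # Block scalar: the script is every following line indented
                # deeper than the run: key itself.
                j = i + 1
                while j < len(lines) and (not lines[j].strip()
                        or len(lines[j]) - len(lines[j].lstrip()) > len(indent)):
                    body.append(lines[j])
                    j += 1
            for expr in UNTRUSTED_RE.findall("\n".join(body)):
                findings.append((i + 1, "untrusted-interpolation", expr))
        i += 1
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        results = lint_workflow(text)
        print(f"{name}: {len(results)} finding(s)")
        for line_no, kind, detail in results:
            print(f"  line {line_no}: {kind}: {detail}")
```

Run against the two constructed files, the weak workflow yields six findings (two mutable refs, the missing permissions block, and three untrusted expressions inside run: steps) while the hardened one yields none: the same expressions still appear in the hardened file, but only under env:, where the runner substitutes them into a variable instead of into the script text the shell parses.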
@github-actions
Contributor

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

@fzipi fzipi requested a review from a team March 16, 2026 12:48
@fzipi fzipi enabled auto-merge March 16, 2026 12:48
@fzipi fzipi added this pull request to the merge queue Mar 16, 2026
Merged via the queue into main with commit fd136f1 Mar 16, 2026
8 checks passed
@fzipi fzipi deleted the fix/harden-gha-workflows branch March 16, 2026 12:49