Skip to content

CI: Harden GHA configuration #32

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 9, 2025
Merged

CI: Harden GHA configuration #32

merged 3 commits into from
Jul 9, 2025

Conversation

tacaswell
Copy link
Collaborator

@tacaswell tacaswell commented Jul 9, 2025
edited
Loading

Apply recommended hardening steps including:

  • pinning to a SHA any actions used
  • not persisting the read token on checkout
  • setting the default permissions to read-only

tacaswell added 2 commits July 8, 2025 19:05
@tacaswell
CI: harden GHA configuration
ea07802 
This adjusts the defaults per suggestions of zizmor to
reduce possible risks from giving GHA tasks more permissions
that required.
@tacaswell
CI: Restrict default permissions
f3447dc 
Reduces risk of arbitrary code is run by attacker.
@tacaswell tacaswell changed the title "CI: Harden GHA configuration" CI: Harden GHA configuration Jul 9, 2025
maffettone
maffettone approved these changes Jul 9, 2025
View reviewed changes
Copy link
Collaborator

@maffettone maffettone left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Failures are not due to GHA hardening.

@maffettone maffettone merged commit 3c04e94 into NSLS2:main Jul 9, 2025
2 of 4 checks passed
@tacaswell tacaswell deleted the harden_gha branch July 9, 2025 13:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maffettone maffettone maffettone approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tacaswell @maffettone