
Improve CI security #158

Merged
merged 4 commits into from
Apr 8, 2024

Commits on Apr 8, 2024

  1. Add dependabot for automated dependency updates

    Dependabot will perform weekly checks of the GitHub Actions used in CI.
    When a newer version is found a pull request is opened to suggest a lift.
    bjosv committed Apr 8, 2024 (commit 0b88815)
  2. Pin versions of GitHub Actions in CI

    Version tags are mutable, so a malicious attacker could overwrite
    a version tag to point to a malicious or vulnerable commit instead.
    Pinning workflow dependencies by hash ensures the dependency
    is immutable and its behavior is guaranteed.
    
    Includes version lift of:
    - actions/checkout
    - coverallsapp/github-action
    bjosv committed Apr 8, 2024 (commit ee0381a)
  3. Set read-only permission for GitHub Actions in CI

    This sets the default permission for CI workflows to only be able to
    read from the repository (scope: "contents").
    
    A compromised action will not be able to modify the repo or even
    steal secrets, since all other permission scopes are implicitly set to "none",
    i.e. not permitted.
    More about permissions and scopes can be found here:
    https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
    bjosv committed Apr 8, 2024 (commit 9d75e6c)
  4. Update coveralls options required in v2

    Option 'path-to-lcov' is deprecated, using 'file' instead.
    Using option 'format' to set coverage report format.
    bjosv committed Apr 8, 2024 (commit c38bf93)
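The three hardening steps in commits 1 to 3 (Dependabot covering the `github-actions` ecosystem, `uses:` references pinned to a full commit SHA rather than a mutable tag, and a top-level `permissions:` block that grants only `contents: read`) can be audited mechanically. The checker below is an added example, not code from this PR or its repository. The two workflow texts and the Dependabot config are constructed samples; the 40-digit SHAs in the hardened sample are placeholders, not real commits of actions/checkout or coverallsapp/github-action. It works on the raw YAML text with regular expressions so it runs without extra dependencies; the `uses:` and top-level `permissions:` keys it looks for are the ones documented in the workflow syntax the commit message links to.

```python
import re

# Constructed sample: tag-pinned actions, no permissions block (the "before" state).
WEAK_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: coverallsapp/github-action@master
"""

# Constructed sample of the hardened form: read-only default and SHA-pinned actions.
# The SHAs are PLACEHOLDERS; a real pin uses the 40-hex commit of the audited release.
HARDENED_WORKFLOW = """\
name: CI
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4 (placeholder SHA)
      - uses: coverallsapp/github-action@1111111111111111111111111111111111111111  # v2 (placeholder SHA)
        with:
          file: coverage.info
          format: lcov
"""

# Constructed Dependabot config keeping the pinned SHAs fresh via weekly PRs.
DEPENDABOT_CONFIG = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text):
    """Return every `uses:` reference whose ref after '@' is not a full 40-hex commit SHA.
    Local actions (./path) and docker:// images are skipped: they carry no mutable git tag."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(ref)          # no ref at all: resolves to the default branch
            continue
        _, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.match(version):
            findings.append(ref)          # tag or branch name: can be moved by the upstream
    return findings


def top_level_permissions(workflow_text):
    """Return the workflow-level permissions: the inline shorthand ('read-all', 'write-all',
    '{}') as a string, the mapping values as a list, or None when the key is absent.
    Only a column-0 `permissions:` counts; job-level blocks do not set the default."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*([^\s#]*)", line)
        if not m:
            continue
        inline = m.group(1)
        if inline:
            return inline
        values = []
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            if not nxt.startswith(" "):
                break                     # dedented: mapping is finished
            kv = re.match(r"^\s+([\w-]+):\s*([\w-]+)", nxt)
            if kv:
                values.append(kv.group(2))
        return values
    return None


def has_read_only_default(workflow_text):
    """True when the token handed to every job is read-only: no scope is granted 'write',
    and unlisted scopes therefore default to 'none'. An absent block is NOT safe, because
    the workflow then inherits the repository default, which may be permissive."""
    perms = top_level_permissions(workflow_text)
    if perms is None:
        return False
    if isinstance(perms, str):
        return perms in ("read-all", "{}")
    return all(v in ("read", "none") for v in perms)


def dependabot_covers_actions(config_text):
    """True when a Dependabot config declares an update block for the github-actions ecosystem."""
    return re.search(r"package-ecosystem:\s*[\"']?github-actions", config_text) is not None


def audit(workflow_text):
    """Summarise the two workflow-level checks for one workflow file."""
    return {
        "unpinned": unpinned_actions(workflow_text),
        "read_only_default": has_read_only_default(workflow_text),
    }


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit(text))
    print("dependabot covers actions:", dependabot_covers_actions(DEPENDABOT_CONFIG))
```

Run against the constructed samples, the weak workflow is reported for both `actions/checkout@v4` and `coverallsapp/github-action@master` and for the missing default, while the hardened one passes. The same functions can be pointed at the files under `.github/workflows/` of a real repository; a reference that fails `unpinned_actions` is exactly the mutable-tag case the second commit describes.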