ci: tighten GitHub Actions workflow security#1328
Open
emptyhammond wants to merge 7 commits into
Open
Conversation
Move `github.event.inputs.version` from inline expressions into step `env:` blocks so the value is interpolated by the shell rather than substituted into the shell command at workflow-rendering time. Addresses zizmor `template-injection` findings in the three packaging steps.
Pin all `uses:` references to immutable commit hashes (with the resolved tag as a trailing comment), so a compromise of an upstream tag cannot silently change what runs in CI. The pinned versions match what the floating tags currently resolve to, so no behaviour change is intended. Addresses zizmor `unpinned-uses` findings.
Set `persist-credentials: false` on every `actions/checkout` step so the GITHUB_TOKEN is not left available to subsequent steps after the checkout completes. None of the workflows push back to the repo, so no compensating change is needed. Addresses zizmor `artipacked` findings.
Add a top-level `permissions: contents: read` block to every workflow so the GITHUB_TOKEN is scoped down from the repo's default rather than relying on whatever the default happens to be. None of these workflows need to write back to the repo (no commits, comments, releases or package publishing happens here), so read-only is enough. Addresses zizmor `excessive-permissions` findings.
The reusable `ably/features/.github/workflows/sdk-features.yml` workflow declares one required secret (`ABLY_AWS_ACCOUNT_ID_SDK`) plus the auto-provided GITHUB_TOKEN, so there is no reason to forward every secret on this repo to it. Replace `secrets: inherit` with an explicit map containing just that secret. Addresses zizmor `secrets-inherit` finding.
Revert the SHA pin on `ably/features/.github/workflows/sdk-features.yml` back to `@main`. This workflow is the SDK feature-spec compliance suite — pinning it freezes the spec under test, which defeats the purpose of running it on every PR. The repo is org-owned and trusted, so the `unpinned-uses` finding is suppressed inline rather than fixed.
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
WalkthroughSeven GitHub Actions workflows update permissions, pin action versions, disable checkout credential persistence, explicitly pass one reusable-workflow secret, and route package script version inputs through an environment variable. ChangesGitHub Actions Security Hardening
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
VeskeR
requested changes
Jun 8, 2026
VeskeR
left a comment
VeskeR
left a comment
There was a problem hiding this comment.
Need to fix permissions sdk-features here and in other affected SDKs
| build: | ||
| uses: ably/features/.github/workflows/sdk-features.yml@main | ||
| # Track the live SDK feature spec on main rather than pinning. | ||
| uses: ably/features/.github/workflows/sdk-features.yml@main # zizmor: ignore[unpinned-uses] |
There was a problem hiding this comment.
sdk-features workflow requires permissions:
deployments: write
id-token: write
, but top level configured to only contents: read. This results in an invisible failure during workflow startup, and it's currently broken, see: https://github.com/ably/ably-dotnet/actions/runs/26446846130.
I can see the features workflow is now also broken for at least ably-js and ably-python since the related github actions hardening PRs have landed: ably-js, ably-python.
More SDK repos might be affected. Happy to review the fixes for them too.
The reusable ably/features sdk-features.yml job needs deployments:write and id-token:write (OIDC AWS auth + deployment upload). The top-level contents:read added during workflow hardening stripped these, causing an invisible startup failure of the Features workflow. Grant the required scopes at the build job level (least privilege) and default the top level to no permissions. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Routine hardening of the workflows under
.github/workflows/based on a zizmor audit. No CI behaviour changes are intended - pinned action versions match what the floating tags currently resolve to, and the added permissions match what the workflows already do.Summary by CodeRabbit