What task are you trying to do?
Harden the baseline security of our GitHub Actions workflows in line with current (2025-2026) GitHub and supply-chain best practices, so a third-party Action compromise or a leaked checkout token cannot easily become a supply-chain incident for PawWork users downloading our signed DMG.
What do you do today?
Today our four workflows (.github/workflows/{ci,desktop-smoke,e2e-artifacts,build}.yml) pin third-party Actions to major tags only (e.g. oven-sh/setup-bun@v2, mikepenz/action-junit-report@v6, actions/cache@v4), not commit SHAs. There is no .github/dependabot.yml for the github-actions ecosystem, so even if we SHA-pinned today the pins would rot silently. Only e2e-artifacts.yml sets persist-credentials: false on its actions/checkout step; the other three workflows leave the default true, which writes GITHUB_TOKEN into .git/config on the runner where any later step (or uploaded artifact) could leak it.
What would a good result look like?
- All third-party Actions in .github/workflows/*.yml are pinned to full commit SHAs, with the version tag preserved as a trailing comment for readability. First-party actions/* and github/* Actions stay on major tags per GitHub's own guidance.
- A .github/dependabot.yml exists with package-ecosystem: "github-actions" on a weekly schedule, and uses the cooldown: { default-days: 5 } setting so freshly published tags are not auto-bumped for 5 days (blunts the tj-actions-style attack window).
- Every actions/checkout step that does not need to push back to git has persist-credentials: false set explicitly.
- The existing workflow contract test at packages/opencode/test/config/e2e-artifacts-workflow.test.ts (and any sibling workflow tests) still passes after the changes.
Which audience does this matter to most?
Both
Extra context
- Supply-chain background: CVE-2025-30066 tj-actions/changed-files — attacker retroactively rewrote version tags across ~23k repos; SHA-pinned consumers were unaffected.
- GitHub reference: Secure use reference now recommends SHA-pinning for third-party Actions.
- Dependabot cooldown support landed 2025-07.
- Explicitly out of scope for this issue, may be split into follow-ups:
  - actions/attest-build-provenance@v2 on build.yml (SLSA v1 Build L2 for the notarized DMG)
  - step-security/harden-runner in audit mode on the release job
  - Per-job permissions: tightening audit (only ci.yml#unit currently needs checks: write; others already inherit the workflow-level contents: read)
  - Playwright blob reporter + merge-reports (only relevant once e2e becomes sharded / blocking)
- Related: #24 (non-blocking e2e-artifacts hardening, P3)
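
One way to check the pinning and persist-credentials criteria mechanically, as an added example that is not part of the original issue or the project's code. It assumes a line-based scan instead of a full YAML parser; the names `split_steps` and `audit`, the sample workflow and the 40-hex ref are constructed for illustration.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")
PERSIST_OFF_RE = re.compile(r"^\s*persist-credentials:\s*false\s*(#.*)?$")
FIRST_PARTY = ("actions/", "github/")  # owners the issue keeps on major tags

# Constructed sample workflow; the 40-hex ref is a placeholder, not a real commit.
SAMPLE = """\
name: ci
on: push
jobs:
  unit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v2
      - name: Report
        uses: mikepenz/action-junit-report@0123456789abcdef0123456789abcdef01234567 # v6
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
"""

def split_steps(text):
    """Group lines into chunks that each start at a YAML list item ('- ')."""
    chunks, current = [], []
    for line in text.splitlines():
        if line.lstrip().startswith("- ") and current:
            chunks.append(current)
            current = []
        current.append(line)
    return chunks + ([current] if current else [])

def audit(text):
    """Return sorted (rule, action_ref) findings for one workflow file."""
    findings = []
    for chunk in split_steps(text):
        for line in chunk:
            m = USES_RE.match(line)
            if not m or m.group(1).startswith(("./", "docker://")):
                continue  # not a step reference, or a local action / image
            target = m.group(1)
            name, _, ref = target.partition("@")
            if not name.startswith(FIRST_PARTY) and not SHA_RE.match(ref):
                findings.append(("unpinned-third-party", target))
            if name == "actions/checkout" and not any(map(PERSIST_OFF_RE.match, chunk)):
                findings.append(("checkout-persists-credentials", target))
    return sorted(findings)
```

Calling `audit()` on each workflow file's text and failing when the list is non-empty turns the criteria into a regression check; a checkout step that genuinely needs to push back to git would need an explicit allow-list entry.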