@step-security-bot step-security-bot commented Oct 15, 2025

Summary

This pull request is created by StepSecurity at the request of @tolgaozen. Please merge the Pull Request to incorporate the requested changes. Please tag @tolgaozen on your message if you have any questions related to the PR.

Security Fixes

Least Privileged GitHub Actions Token Permissions

The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.

Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.

Harden Runner

Harden-Runner is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without sudo access. See how popular open-source projects use Harden-Runner here.

Harden runner usage

You can find a link to view insights and policy recommendations in the build log.

Please refer to documentation to find more details.

Feedback

For bug reports, feature requests, and general feedback, please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>

Summary by CodeRabbit

  • Chores
    • Hardened CI workflows with runner egress auditing.
    • Pinned third-party actions to immutable commits to improve supply-chain security.
    • Strengthened container image scanning: scans OS and libraries, fails on High/Critical findings, ignores unfixed vulnerabilities.
    • Standardized manual workflow triggers to pinned versions.
    • Clarified workflow permissions with least-privilege defaults (read-only where applicable).

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>

coderabbitai bot commented Oct 15, 2025

Walkthrough

Adds hardening and pinning to two GitHub Actions workflows. For container scanning, introduces runner hardening, minimal permissions, pins action SHAs, and extends Trivy configuration. For the SDK generator workflow, replaces version tags with pinned SHAs for workflow-dispatch steps.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Container scan hardening and config updates (.github/workflows/container-scan.yml) | Adds permissions: contents: read; inserts step-security/harden-runner with egress-policy: audit; pins actions/checkout v5.0.0 to a commit; pins aquasecurity/trivy-action 0.33.1 to a commit and configures exit-code: '1', ignore-unfixed: true, vuln-type: 'os,library', severity: 'CRITICAL,HIGH'. |
| SDK generator: pin dispatch action (.github/workflows/sdk-generator.yml) | Replaces benc-uk/workflow-dispatch@v1 with a specific commit (noted as v1.2.4) in two places; inputs and behavior otherwise unchanged. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant GH as GitHub Actions
  participant Runner as Runner
  participant Harden as step-security/harden-runner
  participant Checkout as actions/checkout@v5.0.0 (pinned)
  participant Trivy as aquasecurity/trivy-action@0.33.1 (pinned)

  Note over GH: Workflow: container-scan.yml<br/>permissions: contents: read
  GH->>Runner: Start job
  Runner->>Harden: Apply hardening (egress-policy: audit)
  Harden-->>Runner: Network egress audited
  Runner->>Checkout: Checkout repository (pinned SHA)
  Runner->>Trivy: Scan image with configured flags<br/>(exit-code=1, ignore-unfixed, vuln-type=os,library, severity=CRITICAL,HIGH)
  Trivy-->>Runner: Report findings (fails on severity threshold)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I hop through YAML fields so bright,
Pinning SHAs tight at night.
Hardened runner, fewer woes,
Trivy sniffs where danger grows.
With tidy scans and bounded might—
My paws approve: secure in flight. 🐇🔐

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The title “ci: harden github actions” clearly and concisely summarizes the primary change, which is implementing security hardening for GitHub Actions workflows in the CI configuration. It uses a common “ci:” prefix to indicate the context and directly references the main intent of the pull request. The phrasing is brief and specific enough for team members to understand the focus at a glance. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 23f507f and c84d97a.

📒 Files selected for processing (2)
  • .github/workflows/container-scan.yml (1 hunks)
  • .github/workflows/sdk-generator.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Test with Coverage
  • GitHub Check: Analyze (go)


@tolgaozen tolgaozen changed the title ci: harden GitHub Actions ci: harden github actions Oct 15, 2025
@tolgaozen tolgaozen merged commit c7364eb into Permify:master Oct 15, 2025
10 of 12 checks passed
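
An added example, not part of the pull request or of either bot's output: a small Python check for the two properties this PR introduces, actions pinned to full-length commit SHAs and a workflow-level `permissions:` block. The sample workflows and the all-`1` SHA are constructed placeholders, and the line-based scan is an assumption of this sketch (it does not see job-level `permissions:`).

```python
import re

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")             # full-length commit SHA
IMAGE_DIGEST = re.compile(r"sha256:[0-9a-f]{64}")  # docker:// image digest
FAKE_SHA = "1" * 40  # constructed placeholder SHA; sample workflows below are constructed too

def unpinned_actions(workflow_text):
    """Return (line_number, reference) for each `uses:` on a mutable ref."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if not (m := USES_RE.match(line)) or m.group(1).startswith("./"):
            continue  # not a step reference, or a local action in this repo
        ref = m.group(1)
        wanted = IMAGE_DIGEST if ref.startswith("docker://") else FULL_SHA
        if not wanted.fullmatch(ref.rpartition("@")[2]):
            findings.append((lineno, ref))
    return findings

def has_workflow_permissions(workflow_text):
    """True if a `permissions:` key is set at workflow level (column 0)."""
    return any(re.match(r"permissions\s*:", l) for l in workflow_text.splitlines())

BEFORE = """\
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5.0.0
      - uses: aquasecurity/trivy-action@0.33.1
"""
AFTER = f"""\
on: [push]
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@{FAKE_SHA}
        with:
          egress-policy: audit
      - uses: actions/checkout@{FAKE_SHA} # v5.0.0
      - uses: aquasecurity/trivy-action@{FAKE_SHA} # 0.33.1
"""
if __name__ == "__main__":
    for text in (BEFORE, AFTER):
        print(unpinned_actions(text), has_workflow_permissions(text))
```

Run over every file in `.github/workflows/`, a non-empty result from `unpinned_actions` is the signal that a tag or branch reference has crept back in after a merge like this one.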