ci: harden CI runners and pin actions to SHA digests #110
Merged
## What

Add step-security/harden-runner with egress audit policy to all workflow jobs and pin all GitHub Actions and Docker image references to full SHA digests. Apply least-privilege permissions by adding top-level `permissions: contents: read` to workflows missing it and scoping elevated permissions to the job level.

## Why

Unpinned action references (version tags, `latest`) are mutable and vulnerable to supply-chain attacks where a compromised tag could execute arbitrary code in CI. Harden-runner provides network egress visibility to detect unexpected outbound calls. Top-level read-only permissions with job-level escalation follows the principle of least privilege.

## Notes

- harden-runner is set to `audit` mode (observe-only), not `block` — no existing workflows should break, but this means malicious egress won't be blocked yet
- The `mark-ready-when-ready.yml` permissions were restructured: moved from workflow-level to job-level, which is a behavioral change if additional jobs are added later

Signed-off-by: jmeridth <jmeridth@gmail.com>
3499c17 to
0465f88
zkoppert (Contributor) approved these changes on Mar 14, 2026 and left a comment:
LGTM! All 5 SHA pins verified against their claimed version tags and all are at the latest release. Permissions restructuring on mark-ready-when-ready.yml looks correct. Harden-runner applied consistently across all 11 jobs.
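The three properties this PR enforces (immutable references, a harden-runner step in every job, a top-level `permissions` block) can be checked mechanically. The following is an added example, not code from this PR or repository; the sample workflow, its placeholder SHA, and the function name `audit_workflow` are constructed for illustration, and job detection assumes job ids indented by two spaces under `jobs:`.

```python
import re

# Constructed sample workflow, not taken from the PR; the 40-hex SHA is a placeholder.
SAMPLE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
  image:
    runs-on: ubuntu-latest
    steps:
      - uses: docker://alpine:latest
      - uses: ./.github/actions/local
"""

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
JOB = re.compile(r"^  ([A-Za-z_][\w-]*):\s*(?:#.*)?$")  # assumes 2-space indented job ids
PINNED = re.compile(r"@(?:[0-9a-f]{40}|sha256:[0-9a-f]{64})$")  # commit SHA or image digest

def audit_workflow(text):
    findings, in_jobs, job, unhardened = [], False, None, {}
    for n, line in enumerate(text.splitlines(), 1):
        if re.match(r"\S", line):                 # a top-level key starts here
            in_jobs = line.startswith("jobs:")
        elif in_jobs and JOB.match(line):
            job = JOB.match(line).group(1)
            unhardened[job] = n                   # cleared once harden-runner is seen
        m = USES.match(line)
        if not m or m.group(1).startswith("./"):  # local actions are versioned with the repo
            continue
        ref = m.group(1)
        if ref.startswith("step-security/harden-runner@"):
            unhardened.pop(job, None)
        if not PINNED.search(ref):                # tags and branches can be re-pointed
            findings.append((n, f"mutable reference: {ref}"))
    findings += [(n, f"job '{j}' has no harden-runner step") for j, n in unhardened.items()]
    if not re.search(r"^permissions:", text, re.M):
        findings.append((0, "no top-level permissions block"))
    return sorted(findings)

if __name__ == "__main__":
    for line_no, message in audit_workflow(SAMPLE):
        print(line_no, message)
```

A check like this only confirms that a reference has the shape of a digest; confirming that the digest matches the intended release tag, as the reviewer did here, is a separate step.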