chore(ci): harden security#302
Merged
gabrielmfern merged 1 commit on May 13, 2026
Signed-off-by: gabriel miranda <gabrielmfern@outlook.com>
felipefreitag (Contributor) approved these changes on May 13, 2026
cubic analysis
No issues found across 14 files
Linked issue analysis
Linked issue: DEV-654: [resend-cli] GH Actions hardening — 0 HIGH / 14 MED / 29 LOW
| Status | Acceptance criteria | Notes |
|---|---|---|
| ✅ | Add minimal top-level permissions (e.g. permissions: contents: read) to workflows | Multiple workflow files were modified to include top-level permissions (contents: read), which addresses the 'no top-level permissions' finding. |
| ✅ | Add concurrency: group entries to workflows | The diff adds concurrency group entries (with cancel-in-progress flags) across many workflows, covering the concurrency finding. |
| | Set timeout-minutes for jobs that were missing timeouts | The PR adds timeout-minutes to many jobs (examples listed) which addresses the missing-timeout finding in part, but the issue called out 29 jobs and the diff shows many additions without a clear 1:1 confirmation that all 29 were updated. |
| ✅ | Require environment for release jobs so release paths have environment gating (e.g. required reviewers) | release.yml now sets environment: release on the release job and related jobs, which implements the 'no environment' finding for the release workflow. |
Requires human review: This PR hardens CI/CD security by introducing least-privilege permissions, concurrency controls, and environment gates for releases. While these follow best practices, changes to critical deployment workflows require human verification to ensure process continuity.
Summary by cubic
Hardened GitHub Actions for `resend-cli` by enforcing least-privilege permissions, adding concurrency controls, and setting job timeouts. Publishing is now gated by a `release` environment to require reviewers.

- `permissions: contents: read` across workflows; kept `contents: write` only in the release job.
- `concurrency` groups (ref-based); cancel-in-progress true, except `post-release` grouped by head SHA without cancel.
- `timeout-minutes` to all jobs (5–45) to prevent hung runs.
- `release.yml` with `environment: release` and timeouts across test/build/release.

Written for commit ade60b9. Summary will update on new commits.
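The four hardening measures the summary lists (read-only top-level permissions, a ref-based concurrency group with cancel-in-progress, per-job timeouts, and an environment-gated release job that alone holds `contents: write`) combined in one workflow, as an added illustration that is not the resend-cli repository's own `release.yml`. The workflow name, the tag trigger, the `npm` commands and the `gh release create` step are assumptions chosen to make the file complete; the security-relevant keys are the ones the PR describes.

```yaml
# Added example (not the project's actual workflow): a release workflow
# laid out the way the PR describes.
name: release

on:
  push:
    tags: ["v*"]           # assumed trigger

# Least privilege at the top level: every job starts with a read-only token.
permissions:
  contents: read

# Ref-based group: a newer run for the same ref cancels the older one,
# so a superseded release attempt cannot keep running alongside a new one.
concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 15    # bounds a hung runner (the PR uses 5–45 across jobs)
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test        # assumed commands

  build:
    needs: test
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build   # assumed commands

  release:
    needs: build
    runs-on: ubuntu-latest
    timeout-minutes: 30
    # Environment gating: required reviewers configured on the "release"
    # environment must approve before this job starts.
    environment: release
    # The only job that is allowed to write to the repository; the
    # top-level contents: read still applies to test and build.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build   # assumed commands
      - run: gh release create "${GITHUB_REF_NAME}" --generate-notes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The post-release variant the summary mentions differs only in its concurrency block: grouping by `${{ github.sha }}` with `cancel-in-progress: false` keys each run to a specific commit and lets an in-flight publish finish rather than being cancelled by a later push. A quick check after merging is to confirm that no workflow other than the release job carries `contents: write`, and that the `release` environment in the repository settings actually has required reviewers configured, since `environment: release` on its own gates nothing if the environment has no protection rules.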