Skip to content

ci: add read-only token permissions and pin all action references to SHAs#1269

Open
Alb3e3 wants to merge 1 commit into
madler:developfrom
Alb3e3:harden-workflow-permissions
Open

ci: add read-only token permissions and pin all action references to SHAs#1269
Alb3e3 wants to merge 1 commit into
madler:developfrom
Alb3e3:harden-workflow-permissions

Conversation

@Alb3e3

@Alb3e3 Alb3e3 commented Jun 11, 2026

Copy link
Copy Markdown

Summary

All seven CI workflows lacked a top-level permissions: block, so each
run inherited the repository default, which can be write-all on permissive
settings. Every workflow now has permissions: read-all at the top
level, restricting the GITHUB_TOKEN to the minimum required for build and
test jobs.

In addition, every action reference that used a mutable version tag was
pinned to its full commit SHA. A tag can be silently moved; a SHA
cannot.

Actions pinned

Action From To
actions/checkout @v6 @df4cb1c (v6.0.3)
actions/checkout @v4 @11bd719 (v4.2.2)
actions/upload-artifact @v6 @b7c566a (v6)
msys2/setup-msys2 @v2 @e989830 (v2)
cygwin/cygwin-install-action @master @781ea34
vmactions/dragonflybsd-vm @v1 @4ba8127
vmactions/freebsd-vm @v1 @a6de934
vmactions/netbsd-vm @v1 @99816dc
vmactions/omnios-vm @v1 @d42d894
vmactions/openbsd-vm @v1 @fcf799d
vmactions/solaris-vm @v1 @d30dd6c
google/oss-fuzz/.../build_fuzzers @master @439b356
google/oss-fuzz/.../run_fuzzers @master @439b356

Verification

uvx zizmor --min-severity medium .github/workflows/

Result: 0 high-severity findings after this patch (down from 26).
The remaining 3 medium findings are style warnings about read-all being
broader than individual per-permission declarations — they are not a
regression and reflect the same posture as adding permissions: read-all
to any workflow.

…SHAs

All seven CI workflows lacked a top-level permissions block, so they
inherited the repository default (potentially write-all).  Each workflow
now has `permissions: read-all` at the top level.

In addition, every action reference that used a mutable version tag was
pinned to its full commit SHA, eliminating the supply-chain risk from a
tag being silently moved:

- actions/checkout@v6 → @df4cb1c (v6.0.3)
- actions/checkout@v4 → @11bd719 (v4.2.2)
- actions/upload-artifact@v6 → @b7c566a (v6)
- msys2/setup-msys2@v2 → @e989830 (v2)
- cygwin/cygwin-install-action@master → @781ea34
- vmactions/dragonflybsd-vm@v1 → @4ba8127
- vmactions/freebsd-vm@v1 → @a6de934
- vmactions/netbsd-vm@v1 → @99816dc
- vmactions/omnios-vm@v1 → @d42d894
- vmactions/openbsd-vm@v1 → @fcf799d
- vmactions/solaris-vm@v1 → @d30dd6c
- google/oss-fuzz/.../build_fuzzers@master → @439b356
- google/oss-fuzz/.../run_fuzzers@master → @439b356

Verified with zizmor --min-severity medium: 0 high-severity findings
after this patch (down from 26 before).

Signed-off-by: Alb3e3 <tomaska.filip@gmail.com>
@Alb3e3 Alb3e3 force-pushed the harden-workflow-permissions branch from 6efdf3b to 3927279 Compare June 11, 2026 22:28
@mtl1979

mtl1979 commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Pinning to specific commit SHA is a no-go and doesn't magically fix all potential security issues in third-party actions. Most security-related bots actually prefer to pinning to major version tag instead as it will get any new security updates as soon as they are released and if the action is no longer properly maintained, it can be tagged as such.

Only Python allows setting minimum (and maximum) version for dependencies thus avoiding both breaking changes and known vulnerable or broken releases.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants