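--- a/.github/actions/auth-token/action.yml
+++ b/.github/actions/auth-token/action.yml
@@ -0,0 +1,62 @@
+---
+name: Resolve Authentication Token
+description: |
+  Selects between a GitHub App token and the default GITHUB_TOKEN.
+  Uses the app token when credentials are available and the workflow
+  is not triggered from a fork.
+
+inputs:
+  app-id:
+    description: GitHub App ID
+    required: false
+    default: ''
+  private-key:
+    description: GitHub App private key
+    required: false
+    default: ''
+  is-fork:
+    description: Whether the PR is from a fork
+    required: false
+    default: 'false'
+
+outputs:
+  token:
+    description: The resolved authentication token
+    value: ${{ steps.select.outputs.token }}
+
+runs:
+  using: composite
+  steps:
+    - name: Check if app creds exist
+      id: has-app
+      shell: bash
+      env:
+        IS_FORK: ${{ inputs.is-fork }}
+        APP_ID: ${{ inputs.app-id }}
+        PRIVATE_KEY: ${{ inputs.private-key }}
+      run: |
+        present=true
+        if [ "$IS_FORK" = "true" ]; then present=false; fi
+        if [ -z "$APP_ID" ] || [ -z "$PRIVATE_KEY" ]; then present=false; fi
+        echo "present=$present" >> "$GITHUB_OUTPUT"
+
+    - uses: actions/create-github-app-token@af35edadc00be37caa72ed9f3e6d5f7801bfdf09 # v1.11.7
+      id: gh-app-token
+      if: steps.has-app.outputs.present == 'true'
+      with:
+        app-id: ${{ inputs.app-id }}
+        private-key: ${{ inputs.private-key }}
+
+    - name: Select token
+      id: select
+      shell: bash
+      env:
+        HAS_APP: ${{ steps.has-app.outputs.present }}
+        APP_TOKEN: ${{ steps.gh-app-token.outputs.token }}
+        FALLBACK_TOKEN: ${{ github.token }}
+      run: |
+        if [ "$HAS_APP" = "true" ]; then
+          echo "token=$APP_TOKEN" >> "$GITHUB_OUTPUT"
+        else
+          echo "token=$FALLBACK_TOKEN" >> "$GITHUB_OUTPUT"
+        fi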
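Review bot: The fallback in the `Select token` step keys only on `HAS_APP`, which records that credentials were present, not that a token was actually minted; if the `gh-app-token` step fails (expired key, app not installed on the repo) the job aborts instead of falling back to `github.token`. If best-effort selection is the intent, mark the token step `continue-on-error: true` and tighten the guard to `if [ "$HAS_APP" = "true" ] && [ -n "$APP_TOKEN" ]; then`; if a hard failure is preferred for callers such as the deploy workflow, say so in the `token` output description. The `is-fork` input description would also benefit from stating why the flag matters, e.g. `description: Set to 'true' for fork-originated runs; the app token is then never minted and GITHUB_TOKEN is used`, so that every PR-triggered caller knows it must pass the flag.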
9 changes: 7 additions & 2 deletions .github/actions/prepare/action.yml
Expand Up @@ -6,6 +6,10 @@ description: |
inputs:
token:
required: true
fetch-depth:
description: Number of commits to fetch (0 for full history)
required: false
default: '1'

runs:
using: composite
Expand All @@ -14,13 +18,14 @@ runs:
with:
token: ${{ inputs.token }}
persist-credentials: true
fetch-depth: ${{ inputs.fetch-depth }}
You can probably remove the whole checkout action here, since we are already fetching full history from checkout in the parent workflow. Let's avoid duplicating checkouts.


- uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
- uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
with:
run_install: false

- name: Use node@22
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 22.18.0
cache: 'pnpm'
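Review bot: The `token` input at the top of the first hunk stays undocumented while the new `fetch-depth` input gets a description; since the value is handed to actions/checkout together with `persist-credentials: true` in the second hunk, callers should be told that whatever token they pass is written into the checked-out repository's git config and stays available to every later step of the job. Suggest `description: Token used by actions/checkout; persisted in the git config for subsequent steps` under `token:`. The checkout step that consumes both inputs starts above the second hunk.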
36 changes: 13 additions & 23 deletions .github/workflows/check-versions.yml
Expand Up @@ -10,6 +10,10 @@ on:
- develop
- "release/**"

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

Expand All @@ -25,41 +29,27 @@ jobs:
with:
egress-policy: audit

- name: Check if app creds exist (base repo only)
id: has-app
run: |
present=true
if [ "${{ github.event.pull_request.head.repo.fork || false }}" = "true" ]; then present=false; fi
if [ -z "${{ vars.GH_APP_ID }}" ] || [ -z "${{ secrets.GH_APP_PRIVATE_KEY }}" ]; then present=false; fi
echo "present=$present" >> "$GITHUB_OUTPUT"
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- uses: actions/create-github-app-token@af35edadc00be37caa72ed9f3e6d5f7801bfdf09 # v1.11.7
id: gh-app-token
if: steps.has-app.outputs.present == 'true'
- name: Resolve authentication token
id: auth
uses: ./.github/actions/auth-token
with:
app-id: ${{ vars.GH_APP_ID }}
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

- name: Select token
id: auth
run: |
if [ "${{ steps.has-app.outputs.present }}" = "true" ]; then
echo "token=${{ steps.gh-app-token.outputs.token }}" >> "$GITHUB_OUTPUT"
else
echo "token=${{ github.token }}" >> "$GITHUB_OUTPUT"
fi

- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
is-fork: ${{ github.event.pull_request.head.repo.fork || false }}

- name: Prepare pre-requisites
uses: ./.github/actions/prepare
with:
token: ${{ steps.auth.outputs.token }}

- name: Configure npm authentication for npm registry
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
run: |
echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" >> ~/.npmrc
echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc

- name: Install dependencies
run: pnpm install
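Review bot: The new `Checkout` step exists only so that `uses: ./.github/actions/auth-token` can resolve, but it runs with actions/checkout's defaults, which persist `github.token` into the workspace's git config until the `prepare` action checks out again with the resolved token. Give that bootstrap step `with:` and `persist-credentials: false` so it leaves no credential behind; the identical step in ci.yml, coverage.yml and dependencies.yml needs the same treatment. The new `concurrency` block also cancels in-progress runs on pushes to `develop` and `release/**`, which is visible in the first hunk; confirm that cancelling a half-finished version check on a release branch is acceptable.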
42 changes: 13 additions & 29 deletions .github/workflows/ci.yml
Expand Up @@ -9,6 +9,10 @@ on:
pull_request:
branches: [main]

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

Expand All @@ -18,51 +22,33 @@ jobs:
permissions:
contents: read

strategy:
matrix:
node-version: [22.x]

steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
with:
egress-policy: audit

- name: Check if app creds exist (base repo only)
id: has-app
run: |
present=true
if [ "${{ github.event.pull_request.head.repo.fork || false }}" = "true" ]; then present=false; fi
if [ -z "${{ vars.GH_APP_ID }}" ] || [ -z "${{ secrets.GH_APP_PRIVATE_KEY }}" ]; then present=false; fi
echo "present=$present" >> "$GITHUB_OUTPUT"
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- uses: actions/create-github-app-token@af35edadc00be37caa72ed9f3e6d5f7801bfdf09 # v1.11.7
id: gh-app-token
if: steps.has-app.outputs.present == 'true'
- name: Resolve authentication token
id: auth
uses: ./.github/actions/auth-token
with:
app-id: ${{ vars.GH_APP_ID }}
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

- name: Select token
id: auth
run: |
if [ "${{ steps.has-app.outputs.present }}" = "true" ]; then
echo "token=${{ steps.gh-app-token.outputs.token }}" >> "$GITHUB_OUTPUT"
else
echo "token=${{ github.token }}" >> "$GITHUB_OUTPUT"
fi

- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
is-fork: ${{ github.event.pull_request.head.repo.fork || false }}

- name: Prepare pre-requisites
uses: ./.github/actions/prepare
with:
token: ${{ steps.auth.outputs.token }}

- name: Configure npm authentication for npm registry
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
run: |
echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" >> ~/.npmrc
echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc

- name: Install dependencies
run: pnpm install
Expand All @@ -77,5 +63,3 @@ jobs:

- name: Test
run: pnpm test
# It's okay if no tests exist yet
continue-on-error: true
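Review bot: The `strategy.matrix` with `node-version: [22.x]` is removed in the second hunk, but the remainder of the job is outside the hunk; if any later step still references `${{ matrix.node-version }}` it now expands to an empty string without a workflow error, so the rest of the file should be checked (the prepare action pins `22.18.0` itself, so the matrix had become redundant). Dropping `continue-on-error: true` from the `Test` step in the last hunk turns test failures from advisory into blocking, which is a behaviour change worth a line in the PR description.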
36 changes: 13 additions & 23 deletions .github/workflows/coverage.yml
Expand Up @@ -9,6 +9,10 @@ on:
pull_request:
branches: [main]

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

Expand All @@ -23,41 +27,27 @@ jobs:
with:
egress-policy: audit

- name: Check if app creds exist (base repo only)
id: has-app
run: |
present=true
if [ "${{ github.event.pull_request.head.repo.fork || false }}" = "true" ]; then present=false; fi
if [ -z "${{ vars.GH_APP_ID }}" ] || [ -z "${{ secrets.GH_APP_PRIVATE_KEY }}" ]; then present=false; fi
echo "present=$present" >> "$GITHUB_OUTPUT"
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- uses: actions/create-github-app-token@af35edadc00be37caa72ed9f3e6d5f7801bfdf09 # v1.11.7
id: gh-app-token
if: steps.has-app.outputs.present == 'true'
- name: Resolve authentication token
id: auth
uses: ./.github/actions/auth-token
with:
app-id: ${{ vars.GH_APP_ID }}
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

- name: Select token
id: auth
run: |
if [ "${{ steps.has-app.outputs.present }}" = "true" ]; then
echo "token=${{ steps.gh-app-token.outputs.token }}" >> "$GITHUB_OUTPUT"
else
echo "token=${{ github.token }}" >> "$GITHUB_OUTPUT"
fi

- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
is-fork: ${{ github.event.pull_request.head.repo.fork || false }}

- name: Prepare pre-requisites
uses: ./.github/actions/prepare
with:
token: ${{ steps.auth.outputs.token }}

- name: Configure npm authentication for npm registry
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
run: |
echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" >> ~/.npmrc
echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc

- name: Install dependencies
run: pnpm install
31 changes: 8 additions & 23 deletions .github/workflows/dependencies.yml
Expand Up @@ -22,41 +22,26 @@ jobs:
with:
egress-policy: audit

- name: Check if app creds exist (base repo only)
id: has-app
run: |
present=true
if [ "${{ github.event.pull_request.head.repo.fork || false }}" = "true" ]; then present=false; fi
if [ -z "${{ vars.GH_APP_ID }}" ] || [ -z "${{ secrets.GH_APP_PRIVATE_KEY }}" ]; then present=false; fi
echo "present=$present" >> "$GITHUB_OUTPUT"
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- uses: actions/create-github-app-token@af35edadc00be37caa72ed9f3e6d5f7801bfdf09 # v1.11.7
id: gh-app-token
if: steps.has-app.outputs.present == 'true'
- name: Resolve authentication token
id: auth
uses: ./.github/actions/auth-token
with:
app-id: ${{ vars.GH_APP_ID }}
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

- name: Select token
id: auth
run: |
if [ "${{ steps.has-app.outputs.present }}" = "true" ]; then
echo "token=${{ steps.gh-app-token.outputs.token }}" >> "$GITHUB_OUTPUT"
else
echo "token=${{ github.token }}" >> "$GITHUB_OUTPUT"
fi

- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Prepare pre-requisites
uses: ./.github/actions/prepare
with:
token: ${{ steps.auth.outputs.token }}

- name: Configure npm authentication for npm registry
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
run: |
echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" >> ~/.npmrc
echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc

- name: Install dependencies
run: pnpm install
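Review bot: The `Resolve authentication token` call in dependencies.yml does not pass `is-fork`, although the removed inline check did evaluate `github.event.pull_request.head.repo.fork` and the other three workflows in this change forward it; the action defaults the flag to `'false'`, so a fork-originated run would be treated as trusted here. If this workflow's triggers (outside the hunk) include any pull-request event, add `is-fork: ${{ github.event.pull_request.head.repo.fork || false }}` under `with:`; if it only runs on schedule or dispatch, a one-line comment above the step saying the flag is deliberately omitted would keep the omission from being read as a regression.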
11 changes: 6 additions & 5 deletions .github/workflows/docker-prod.yaml
Expand Up @@ -9,7 +9,7 @@ on:
# Prevent multiple production deployments from running simultaneously
concurrency:
group: production-deployment
cancel-in-progress: true
cancel-in-progress: false

permissions:
contents: read
Expand All @@ -30,7 +30,7 @@ jobs:
ROLE_TO_ASSUME: 'arn:aws:iam::${{ secrets.RESEARCH_ACCOUNT_ID }}:role/GithubOIDCResearchAccountRole'
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
with:
egress-policy: audit

Expand All @@ -50,14 +50,15 @@ jobs:
uses: ./.github/actions/prepare
with:
token: ${{ steps.gh-app-token.outputs.token }}
fetch-depth: '0'

- name: Set up QEMU
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
with:
platforms: 'arm64'

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Set up AWS credentials via OIDC and role chaining
uses: ./.github/actions/oidc
Expand Down Expand Up @@ -136,7 +137,7 @@ jobs:
id-token: write
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
with:
egress-policy: audit

Expand All @@ -151,4 +152,4 @@ jobs:

- name: AWS ECS force new deployment
run: |
aws ecs update-service --cluster $ECS_CLUSTER --service $ECS_SERVICE --force-new-deployment --region $AWS_REGION
aws ecs update-service --cluster "$ECS_CLUSTER" --service "$ECS_SERVICE" --force-new-deployment --region "$AWS_REGION"
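Review bot: `fetch-depth: '0'` added to the prepare call in the third hunk carries no explanation of which later step needs the full history, and a full clone is also what the persisted checkout credential then covers; a comment such as `# full history required by <TODO: name the consuming step>` next to it would make the cost deliberate. The same hunk still wires `token: ${{ steps.gh-app-token.outputs.token }}` directly from a step that starts above the hunk rather than through the new auth-token action, presumably so that a deploy job never silently falls back to `github.token`; stating that in a comment on the step would stop a later cleanup from "harmonising" it with the other workflows. Switching `cancel-in-progress` to `false` for the `production-deployment` group and quoting the shell variables in the ECS command are both sound.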