Skip to content

ci: GitHub Actions workflow security cleanup#132

Open
emptyhammond wants to merge 4 commits into
mainfrom
ci/workflow-security-cleanup
Open

ci: GitHub Actions workflow security cleanup#132
emptyhammond wants to merge 4 commits into
mainfrom
ci/workflow-security-cleanup

Conversation

@emptyhammond
Copy link
Copy Markdown

@emptyhammond emptyhammond commented May 26, 2026

Routine hygiene pass over the GitHub Actions workflow in this repo, addressing findings from a workflow security audit. Changes are split into four commits, one per finding type:

  • Disable credential persistence on actions/checkout steps so the default GITHUB_TOKEN is not left in the local git config after checkout.
  • Scope each job's permissions explicitly: top-level permissions: {}, with each job granted only the GITHUB_TOKEN scopes it actually needs.
  • Move workflow-context expansions (${{ matrix.platform }}, step outputs) out of run: shell source and into env: bindings.
  • Pin all third-party actions to commit SHAs (with the tag preserved as a comment) so an upstream tag move can't silently change what runs in CI.

No behavioural changes intended — the workflow runs the same checks against the same inputs.

@emptyhammond
ci: disable credential persistence on checkout steps
114bfa9 
Set persist-credentials: false on actions/checkout invocations so the
default GITHUB_TOKEN is not persisted in the local git config after
checkout. Workflow steps that need the token continue to use it via
explicit env/secrets references.
@emptyhammond
ci: scope workflow permissions to least privilege
ab5e44c 
Add an empty top-level permissions block and grant each job only the
GITHUB_TOKEN scopes it actually needs. Most jobs only need
contents: read for checkout; code-coverage additionally needs
checks: write for the xcresulttool action; check-documentation
retains its existing scopes for AWS OIDC and deployments;
all-checks-completed needs none.
@emptyhammond
ci: pass workflow context through env vars in run scripts
ae3cd83 
Replace direct ${{ ... }} expansions inside shell run blocks with env
bindings, then reference the resulting variables in the script. This
avoids interpolating workflow context straight into shell source where
a malicious value could be expanded before quoting takes effect.
@emptyhammond
ci: pin third-party actions to commit SHAs
cea054e 
Replace mutable @v<major> / @v<tag> references with the corresponding
immutable commit SHAs (with the human-readable tag retained as a
trailing comment). Pinning prevents an upstream tag move from silently
changing what runs inside our CI.
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 26, 2026
edited
Loading

Warning

Review limit reached

@emptyhammond, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 29 minutes and 49 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 0aae010d-0781-4781-8bf1-f512c1aaab31

📥 Commits

Reviewing files that changed from the base of the PR and between ace39c1 and cea054e.

📒 Files selected for processing (1)
  • .github/workflows/check.yaml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/workflow-security-cleanup

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@emptyhammond emptyhammond marked this pull request as ready for review May 26, 2026 15:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@emptyhammond