
Harden CI: SHA-pin all actions, add persist-credentials: false #4

Merged
jpr5 merged 1 commit into main from fix/ci-hardening on May 15, 2026

Conversation

@jpr5 jpr5 commented May 15, 2026

Summary

  • SHA-pin all GitHub Actions across all 8 workflow files to prevent
    supply-chain attacks via tag mutation
  • Add persist-credentials: false to all actions/checkout steps
    to limit GITHUB_TOKEN exposure
  • All workflows already had top-level permissions blocks (verified)

Actions pinned

| Action | Version | SHA |
| --- | --- | --- |
| actions/checkout | v4 | 34e1148 |
| actions/setup-python | v5 | a26af69 |
| actions/setup-node | v4 | 49933ea |
| actions/upload-artifact | v4 | ea165f8 |
| actions/github-script | v7 | f28e40c |
| actions/labeler | v5 | 8558fd7 |
| dependabot/fetch-metadata | v2 | 21025c7 |
| jgehrcke/github-repo-stats | RELEASE | d80572c |
| astral-sh/setup-uv | v3 | caf0cab |

Previously pinned (unchanged):

  • tj-actions/changed-files (v46, v47.0.5)
  • actions/download-artifact (v4.3.0)

Findings addressed

  • 3 CRITICAL: unpinned actions (dependabot/fetch-metadata, jgehrcke/github-repo-stats, astral-sh/setup-uv)
  • 4 HIGH: missing persist-credentials: false on checkout steps

Test plan

  • Verify all workflows pass on this PR
  • No workflow logic changed -- only action references and checkout config

Pin all GitHub Actions to full commit SHAs to prevent supply-chain
attacks via tag mutation. Add persist-credentials: false to all
checkout steps to limit token exposure. All 8 workflow files updated.

Actions pinned:
- actions/checkout v4 (34e1148)
- actions/setup-python v5 (a26af69)
- actions/setup-node v4 (49933ea)
- actions/upload-artifact v4 (ea165f8)
- actions/github-script v7 (f28e40c)
- actions/labeler v5 (8558fd7)
- dependabot/fetch-metadata v2 (21025c7)
- jgehrcke/github-repo-stats RELEASE (d80572c)
- astral-sh/setup-uv v3 (caf0cab)
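
As an added example (not part of this PR or the repository's own code), a small audit script that applies the two checks the PR describes to workflow text: a `uses:` reference that is not a 40-hex commit SHA (the CRITICAL finding) and an `actions/checkout` step without `persist-credentials: false` (the HIGH finding). The sample step lists and the 40-hex SHAs in them are constructed placeholders, and the parser is deliberately line-based so it needs no PyYAML.

```python
import re
# Matches `uses: owner/repo[/path]@ref`, with or without the leading list dash.
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^@\s]+)@(\S+)")

def _checkout_disables_credentials(lines, idx):
    # True if the step whose `uses:` is at lines[idx] carries `persist-credentials: false`.
    step_indent = len(lines[idx]) - len(lines[idx].lstrip())
    for line in lines[idx + 1:]:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        # A dedent, or a new `- ` item at the same level, means we left this step.
        if indent < step_indent or (indent == step_indent and stripped.startswith("-")):
            return False
        if re.match(r"persist-credentials:\s*false\b", stripped):
            return True
    return False

def audit_workflow(yaml_text):
    """Findings as (line_no, severity, message), mirroring the PR's two checks: CRITICAL =
    action referenced by a mutable tag/branch rather than a 40-hex commit SHA; HIGH =
    actions/checkout step leaving GITHUB_TOKEN in .git/config. Line-based, no PyYAML."""
    lines = yaml_text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if not re.fullmatch(r"[0-9a-f]{40}", ref):
            findings.append((idx + 1, "CRITICAL", f"{action}@{ref} is not pinned to a full commit SHA"))
        if action == "actions/checkout" and not _checkout_disables_credentials(lines, idx):
            findings.append((idx + 1, "HIGH", f"{action} step lacks persist-credentials: false"))
    return findings

# Constructed sample step lists (not from the PR); the 40-hex SHAs are placeholders.
WEAK = """\
steps:
  - uses: actions/checkout@v4
  - uses: astral-sh/setup-uv@v3
"""
HARDENED = """\
steps:
  - name: Checkout
    uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  # v4
    with:
      persist-credentials: false
  - uses: astral-sh/setup-uv@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb  # v3
"""
```

Running `audit_workflow` over every file under `.github/workflows/` gives a quick pre-merge gate; `audit_workflow(WEAK)` reports three findings and `audit_workflow(HARDENED)` reports none.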

@github-actions github-actions Bot added the ci label May 15, 2026

@github-actions

Latest scan for commit: dd1b2d5 | Updated: 2026-05-15 23:35:01 UTC

Security Scan Results

@jpr5 jpr5 merged commit e7a559e into main May 15, 2026
5 checks passed