Skip to content

ci: harden workflow — pin actions to SHA + least-privilege permissions#1

Open
HotSauceHacker wants to merge 3 commits into
mainfrom
ci/harden-actions
Open

ci: harden workflow — pin actions to SHA + least-privilege permissions#1
HotSauceHacker wants to merge 3 commits into
mainfrom
ci/harden-actions

Conversation

@HotSauceHacker

Copy link
Copy Markdown
Owner

Hardens the deploy workflow against supply-chain and token-abuse risks. No triggers, secrets, build/deploy commands, working directories, or D1 backup/migrate steps were changed.

What changed:

  • SHA-pinning every uses: to a full commit SHA (with # vN comment) for supply-chain immutability — mutable tags can be repointed to malicious code.
  • Least-privilege permissions: block (contents: read) to minimize the GITHUB_TOKEN scope.
  • timeout-minutes: 15 on each job to cap runaway/hung runs.
  • concurrency group with cancel-in-progress: true to avoid overlapping deploys.
  • persist-credentials: false on actions/checkout (the git credential is not needed after checkout).

Hold for review; do not auto-merge.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant