security: harden GitHub Actions and repository configuration#1105
security: harden GitHub Actions and repository configuration#1105timothyfroehlich merged 3 commits intomainfrom
Conversation
Pin all action references to commit SHAs with version comments, add persist-credentials: false to all checkout steps, enforce zizmor and pinact in CI and local checks, add harden-runner audit mode to all jobs, delete unused claude.yml workflow, remove stale package-lock.json, and add CODEOWNERS for sensitive paths. Bead: PinPoint-hpma Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Updates to Preview Branch (feat/github-hardening) ↗︎
Tasks are run on every commit but only new migration files are pushed.
View logs for this Workflow Run ↗︎. |
There was a problem hiding this comment.
Pull request overview
Hardens the repository’s GitHub Actions posture by pinning action refs, tightening default workflow permissions, adding runner hardening, and enforcing workflow security checks in CI/local linting.
Changes:
- SHA-pin GitHub Actions
uses:references and addpersist-credentials: falseto manyactions/checkoutsteps. - Add
step-security/harden-runner(audit mode) broadly, and set workflow-levelpermissions: read-allfor key workflows. - Enforce workflow security via zizmor + pinact in CI and
pnpm run check:linters; add CODEOWNERS for sensitive paths; remove unused.github/workflows/claude.yml.
Reviewed changes
Copilot reviewed 10 out of 12 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| package.json | Extends check:linters to include zizmor + pinact verification. |
| docs/superpowers/specs/2026-03-10-github-hardening-design.md | Adds design/spec for GitHub hardening approach and scope. |
| .gitignore | Ignores package-lock.json in a pnpm-managed repo. |
| .github/workflows/weekly-security-review.lock.yml | Normalizes pinned action version comments (no behavior change expected). |
| .github/workflows/weekly-changelog.lock.yml | Normalizes pinned action version comments (no behavior change expected). |
| .github/workflows/supabase-branch-setup.yaml | Pins actions used for Supabase preview branch setup. |
| .github/workflows/pr-screenshots.yml | Adds workflow-level read-only defaults, harden-runner, pins actions, and disables checkout credential persistence. |
| .github/workflows/cleanup-screenshots.yml | Adds harden-runner and pins checkout + disables credential persistence. |
| .github/workflows/claude.yml | Removes unused workflow with elevated permissions. |
| .github/workflows/ci.yml | Adds workflow-level permissions defaults, harden-runner everywhere, pins actions, and adds zizmor + pinact enforcement. |
| .github/CODEOWNERS | Requires owner review for sensitive paths (workflows, DB, auth/permissions). |
- Pin zizmor to v1.23.1 (like Ruff is pinned) - Use pinact-action instead of manual curl install - Include .yaml extension in actionlint/zizmor find commands - Add persist-credentials: false to supabase-branch-setup.yaml - Add permissions: read-all to supabase-branch-setup.yaml - Fix SC2097/SC2098 in supabase-branch-setup.yaml (use env: block) - Fix design doc inaccuracy about cleanup-screenshots.yml permissions - Fix misleading "auto-merges" wording in CODEOWNERS and design doc Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
timothyfroehlich
added
the
ready-for-review
# Conflicts: # .github/workflows/ci.yml # .github/workflows/weekly-changelog.lock.yml # .github/workflows/weekly-security-review.lock.yml
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 10 out of 12 changed files in this pull request and generated 2 comments.
You can also share your feedback on Copilot code review. Take the survey.
| dl="https://raw.githubusercontent.com/rhysd/actionlint" | ||
| dl="${dl}/main/scripts/download-actionlint.bash" |
There was a problem hiding this comment.
This executes a remote script fetched from a floating branch (.../main/...) at CI runtime, which undermines the action-SHA pinning hardening goal and creates a supply-chain risk. Use a pinned commit URL for the script (or vendor it in-repo), and ideally add integrity verification (e.g., checksum/signature) for the downloaded actionlint binary/script.
| dl="https://raw.githubusercontent.com/rhysd/actionlint" | |
| dl="${dl}/main/scripts/download-actionlint.bash" | |
| # Use a pinned commit for the download-actionlint.bash script to avoid floating main branch | |
| dl="https://raw.githubusercontent.com/rhysd/actionlint/8de2549512de917fe01cfbc286f67ab83f255068/scripts/download-actionlint.bash" |
| types: [opened, reopened, synchronize] | ||
| branches: [main] | ||
|
|
||
| permissions: read-all # zizmor: ignore[excessive-permissions] |
There was a problem hiding this comment.
Using permissions: read-all plus suppressing zizmor’s excessive-permissions finding weakens the least-privilege posture. Since this workflow appears to need specific reads (e.g., likely checks: read for action-wait-for-check and contents: read for checkout), set explicit minimal scopes instead of read-all, and drop the ignore directive once scoped.
| permissions: read-all # zizmor: ignore[excessive-permissions] | |
| permissions: | |
| contents: read | |
| checks: read |
Summary
actions/checkoutsteps (fixes 20 zizmor artipacked findings).ci.yml,pr-screenshots.yml. Jobs needing writes declare explicitly.step-security/harden-runneras first step in every CI job. Observe-only for now; follow-up beadPinPoint-oa6bto switch to block mode after one week.pnpm run check:linters. Any unpinned action or workflow security issue fails CI..github/workflows/,supabase/,drizzle/,src/middleware.ts,src/lib/permissions/) require owner review.claude.ymlworkflow (hadid-token: write), removed stalepackage-lock.json(17k-line npm lockfile in pnpm project causing false Dependabot alerts).Test plan
pnpm run checkpasses locally (all linters, unit tests, type checks)zizmor --min-severity lowreports 0 findingspinact run --verifyexits cleanyamllint+actionlintpass on all workflow files🤖 Generated with Claude Code