fix(ci): pin actions to SHAs and harden injection-prone workflows #2602
Open
fahreddinozcan wants to merge 1 commit into
Conversation
Pin every third-party and first-party action across all 6 workflows to
a full commit SHA (with a version comment), so a compromised action tag
can no longer alter what runs in jobs that hold NPM_TOKEN, AWS keys, or
OIDC. Same pattern recommended by GitHub's hardening docs and OpenSSF.
Other fixes in scope:
- ecr-deploy.yml: route inputs.version and steps.build-push.outputs.digest
through env: vars in the GITHUB_STEP_SUMMARY step so neither is evaluated
as shell. Quote $GITHUB_STEP_SUMMARY.
- mcp-registry.yml: route inputs.version through an env var, validate
against a semver regex, and read VERSION via shell ($VERSION from
$GITHUB_ENV) rather than re-interpolating ${{ env.VERSION }}. Replace
the lossy 'echo \$(jq ...) > server.json' pattern with a temp file +
mv. Pin the mcp-publisher binary to v1.4.0 and verify its SHA-256
before extraction. Hardcode linux/amd64 since runs-on is ubuntu-latest.
- canary-release.yml / release.yml: move 'Configure npm authentication'
from before 'pnpm install' to right before the publish step. NPM_TOKEN
is no longer present in ~/.npmrc while dependency lifecycle scripts
run, so a compromised dep or attacker-influenced branch cannot exfil
the publish token via preinstall/postinstall.
Net: closes the 10 MEDIUM GitHub-Actions findings from the deepsec scan
(2x rce, 6x unpinned-actions, 1x untrusted-branch-checkout, 1x
unverified-binary-download).
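To make the patterns in the commit message concrete, here is an added illustration of one hardened job; it is not the PR's diff. The trigger, job and step names, the `RAW_VERSION`/`EXPECTED_SHA256` variable names, the download URL, the simplified semver pattern and every SHA value are assumptions or placeholders, not values from this repository.

```yaml
# Added illustration, not the PR's diff. Action SHAs, the download URL and the
# checksum are PLACEHOLDERS; substitute values you have verified yourself.
on:
  workflow_dispatch:
    inputs:
      version:
        required: true
permissions:
  id-token: write   # OIDC is in scope, so script injection here matters
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      # Pin to the full commit SHA; the tag stays as a comment for readers/tooling.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (PLACEHOLDER SHA)

      # BEFORE (injection-prone): ${{ }} is expanded into the script text before
      # bash starts, so shell metacharacters in the input are executed as commands.
      #   run: echo "VERSION=${{ inputs.version }}" >> $GITHUB_ENV

      # AFTER: hand the input to the shell as an environment variable (data, not
      # code) and reject anything that is not a plain semver string.
      - name: Validate version
        env:
          RAW_VERSION: ${{ inputs.version }}
        run: |
          # simplified semver pattern (assumption): MAJOR.MINOR.PATCH[-prerelease]
          if ! printf '%s\n' "$RAW_VERSION" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$'; then
            echo "::error::inputs.version is not a semver string"
            exit 1
          fi
          echo "VERSION=$RAW_VERSION" >> "$GITHUB_ENV"

      # Verify the binary before it runs; a tag or URL alone says nothing about
      # content. sha256sum -c - reads "<hash>  <file>" from stdin and fails on mismatch.
      - name: Fetch and verify mcp-publisher
        env:
          EXPECTED_SHA256: 0000000000000000000000000000000000000000000000000000000000000000 # PLACEHOLDER
        run: |
          curl -fsSL -o mcp-publisher.tar.gz "https://example.invalid/mcp-publisher_v1.4.0_linux_amd64.tar.gz"
          echo "$EXPECTED_SHA256  mcp-publisher.tar.gz" | sha256sum -c -
          tar -xzf mcp-publisher.tar.gz

      # Later steps read $VERSION from the shell environment (set via $GITHUB_ENV
      # above) rather than re-interpolating ${{ env.VERSION }}, and write through
      # a temp file so a failing jq cannot leave a truncated server.json behind.
      - name: Stamp version into server.json
        run: |
          jq --arg v "$VERSION" '.version = $v' server.json > server.json.tmp
          mv server.json.tmp server.json
```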
Summary
- Closes the 10 MEDIUM GitHub-Actions findings from a deepsec scan.
- `${{ inputs.version }}` script injection in `ecr-deploy.yml` (AWS keys in scope) and `mcp-registry.yml` (`id-token: write` in scope). Both now route through `env:` vars + a semver regex.
- `mcp-publisher` binary before executing: pinned to v1.4.0, `sha256sum -c -` checked against the release SHA-256.
- `~/.npmrc` write to after `pnpm install` in `release.yml` and `canary-release.yml` so `NPM_TOKEN` isn't readable by dependency lifecycle scripts.
Test plan
- `Test` workflow passes on this PR
- `Canary Release` once to confirm publish still works with the relocated auth step
- `Publish to MCP Registry` once to confirm the checksum-verify + extraction path
Notes
- `skip-changeset` label (CI-only, no package impact).
- `pnpm/action-setup` is pinned to what `@v4` currently resolves to (`b906affc...`, a post-v4.4.0 revert by the maintainer). Comment is `# v4` because the SHA isn't a named release.