Skip to content

ci: add read-only token permissions and pin all action references to SHAs#908

Open
Alb3e3 wants to merge 1 commit into
xiph:masterfrom
Alb3e3:harden-workflow-permissions
Open

ci: add read-only token permissions and pin all action references to SHAs#908
Alb3e3 wants to merge 1 commit into
xiph:masterfrom
Alb3e3:harden-workflow-permissions

Conversation

@Alb3e3

@Alb3e3 Alb3e3 commented Jun 11, 2026

Copy link
Copy Markdown

Summary

All five CI workflows lacked a top-level permissions: block, leaving
each run to inherit the repository default (potentially write-all).
Each workflow now has permissions: read-all at the top level.

Every action reference using a mutable version tag was pinned to its
full commit SHA (17 pins total), including actions/checkout,
actions/upload-artifact, KyleMayes/install-llvm-action,
msys2/setup-msys2, and the OSS-Fuzz cifuzz actions.

Verification

uvx zizmor --min-severity high .github/workflows/

Result: no findings after this patch (was 17 high-severity before).

…SHAs

All CI workflows lacked a top-level permissions block, leaving each run
to inherit the repository default (potentially write-all). Each workflow
now has `permissions: read-all` at the top level.

Every action reference that used a mutable version tag was pinned to its
full commit SHA, preventing silent tag-rewriting supply-chain attacks.

Verified with zizmor --min-severity high: no findings after this patch.

Signed-off-by: Alb3e3 <tomaska.filip@gmail.com>
@Alb3e3 Alb3e3 force-pushed the harden-workflow-permissions branch from 63159e2 to 76aeb59 Compare June 11, 2026 22:28
@ktmf01

ktmf01 commented Jun 30, 2026

Copy link
Copy Markdown
Collaborator

Every action reference using a mutable version tag was pinned to its full commit SHA (17 pins total), including actions/checkout, actions/upload-artifact, KyleMayes/install-llvm-action, msys2/setup-msys2, and the OSS-Fuzz cifuzz actions.

Why?

@Alb3e3

Alb3e3 commented Jul 1, 2026

Copy link
Copy Markdown
Author

The reason is supply-chain control: a version tag is mutable, so a workflow can start running different action code without any change in this repository. Pinning to a commit SHA makes action updates explicit and reviewable, and the explicit read-only permissions limit the repository token available if an action is ever compromised.

That said, I agree there is a maintenance tradeoff, especially for provider-owned actions like actions/checkout / actions/upload-artifact and for the Google OSS-Fuzz actions. The higher-value part here is the explicit read-only token permissions, and if you want SHA pins at all, the narrowest target is the non-provider third-party action (msys2/setup-msys2).

If that better matches the project's policy, I can re-scope this PR to keep the permission blocks and only pin msys2/setup-msys2, leaving GitHub-owned and Google-maintained actions on their normal version refs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants