ci: add read-only token permissions and pin all action references to SHAs#908
ci: add read-only token permissions and pin all action references to SHAs#908Alb3e3 wants to merge 1 commit into
Conversation
…SHAs All CI workflows lacked a top-level permissions block, leaving each run to inherit the repository default (potentially write-all). Each workflow now has `permissions: read-all` at the top level. Every action reference that used a mutable version tag was pinned to its full commit SHA, preventing silent tag-rewriting supply-chain attacks. Verified with zizmor --min-severity high: no findings after this patch. Signed-off-by: Alb3e3 <tomaska.filip@gmail.com>
63159e2 to
76aeb59
Compare
Why? |
|
The reason is supply-chain control: a version tag is mutable, so a workflow can start running different action code without any change in this repository. Pinning to a commit SHA makes action updates explicit and reviewable, and the explicit read-only permissions limit the repository token available if an action is ever compromised. That said, I agree there is a maintenance tradeoff, especially for provider-owned actions like If that better matches the project's policy, I can re-scope this PR to keep the permission blocks and only pin |
Summary
All five CI workflows lacked a top-level
permissions:block, leavingeach run to inherit the repository default (potentially write-all).
Each workflow now has
permissions: read-allat the top level.Every action reference using a mutable version tag was pinned to its
full commit SHA (17 pins total), including
actions/checkout,actions/upload-artifact,KyleMayes/install-llvm-action,msys2/setup-msys2, and the OSS-Fuzz cifuzz actions.Verification
Result: no findings after this patch (was 17 high-severity before).