
.github: Harden action workflows #787

Merged
merged 3 commits into from
Mar 21, 2025

Conversation


@pdgendt pdgendt commented Mar 20, 2025

Some improvements to the GitHub workflows:

  • Pin action version hashes
  • Set explicit default permission
  • Add a dependabot configuration to check for updates
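A small checker for the first two points above, pinned `uses:` references and an explicit top-level `permissions:` block; this is an added example, not code from this PR or from the Zephyr project. The two workflow samples are constructed, and the 40-hex SHAs in the hardened one are placeholders, not real action commits.

```python
import re

# Constructed "before" sample: actions pinned to mutable tags, no permissions block.
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
"""

# Constructed "after" sample: full-SHA pins with the tag kept as a comment, and an
# explicit read-only permissions block. The SHAs are placeholders, not real commits.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-python@89abcdef0123456789abcdef0123456789abcdef # v5
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TOP_LEVEL_PERMISSIONS_RE = re.compile(r"^permissions:", re.MULTILINE)

def unpinned_actions(workflow: str) -> list[str]:
    """Return every `uses:` reference whose ref is not a full 40-hex commit SHA.
    Local (./path) and docker:// references carry no git ref and are skipped."""
    findings = []
    for ref in USES_RE.findall(workflow):
        if ref.startswith(("./", "docker://")):
            continue
        _, _, version = ref.partition("@")  # version is "" when no "@" is present
        if not SHA_RE.fullmatch(version):
            findings.append(ref)
    return findings

def audit(workflow: str) -> list[str]:
    """Findings for the two checks in this PR; an empty list means both pass."""
    issues = [f"unpinned action: {ref}" for ref in unpinned_actions(workflow)]
    if TOP_LEVEL_PERMISSIONS_RE.search(workflow) is None:
        issues.append("no explicit top-level permissions: (repository default applies)")
    return issues
```

Run `audit()` over each file under `.github/workflows/` to get the same findings Dependabot and a reviewer would otherwise have to spot by eye.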

pdgendt added 3 commits March 20, 2025 15:41
Pin action version tags to their hash to harden the workflows.

Signed-off-by: Pieter De Gendt <pieter.degendt@basalte.be>
Limit workflow permissions to the minimum needed and make it explicit.

Signed-off-by: Pieter De Gendt <pieter.degendt@basalte.be>
Add a dependabot configuration to keep GitHub Actions up-to-date.

Copied from the zephyrproject-rtos/zephyr repository.

Signed-off-by: Pieter De Gendt <pieter.degendt@basalte.be>

marc-hb commented Mar 20, 2025

Is there a bit more context for this?

I imagine the idea is to review action changes before upgrading them which sounds more secure in theory but... who is going to actually perform the audit in practice? Or maybe the idea is to just delay the upgrade, hoping someone else's supply chain gets compromised first and finds out first?


pdgendt commented Mar 20, 2025

> Is there a bit more context for this?
>
> I imagine the idea is to review action changes before upgrading them which sounds more secure in theory but... who is going to actually perform the audit in practice? Or maybe the idea is to just delay the upgrade, hoping someone else's supply chain gets compromised first and finds out first?

So there has been some fuss around a compromised action, also used in the zephyr repository.
These changes are recommended by the Open Source Security Foundation and similar efforts are being done for zephyr:
zephyrproject-rtos/zephyr#87311
zephyrproject-rtos/zephyr#87254
zephyrproject-rtos/zephyr#87153
zephyrproject-rtos/zephyr#87309
zephyrproject-rtos/zephyr#81812

This is a first step, more will probably follow.

@pdgendt pdgendt merged commit d9fb341 into zephyrproject-rtos:main Mar 21, 2025
16 checks passed
@pdgendt pdgendt deleted the ci-pin-hashes branch March 21, 2025 15:52