ci: Improve workflow's security #1
Open
masamallow wants to merge 9 commits into main from ci/improve-ci-security
Conversation
Pull Request Overview
This PR enhances the security and clarity of the GitHub Actions workflows. The key changes include:
- Standardized and tightened permission settings along with disabling credential persistence in workflows.
- Introduction of a new workflow ("Pinact") for pinning repository actions.
- Update to the release preparation process by adding a signing flag to the cargo release command.
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/pinact.yml | New workflow for pinning actions with updated security settings |
| .github/workflows/release-prepare.yml | Updated permissions configuration and release signing is now enabled |
| .github/workflows/release-publish.yml | Adjusted permissions for the release job to reduce risk of unintended modifications |
| .github/workflows/ci.yml | Standardized workflow permissions and improved the checkout security options |
Comments suppressed due to low confidence (2)
.github/workflows/release-prepare.yml:72
- Verify that the '--sign' flag is supported in the current environment and ensure that any prerequisites for signing releases are clearly documented.
--sign \
.github/workflows/release-publish.yml:15
- [nitpick] Double-check that reducing the permissions to 'read' will not affect any subsequent steps that might need write access.
contents: read
Description of changes
This pull request includes several updates to the GitHub Actions workflows to enhance security and functionality. The most important changes involve adding permissions configurations, introducing a new workflow for pinning actions, and updating existing workflows to improve clarity and security.
Permissions Configuration:
- .github/workflows/ci.yml: Added an empty `permissions` object at the workflow level and specified read permissions for `contents` in the `build-n-test` job. Also, disabled credential persistence for the checkout step.
- .github/workflows/release-prepare.yml: Replaced specific permissions with an empty `permissions` object at the workflow level and re-added specific permissions for the `crate-release-pull-request` job. Disabled credential persistence for the checkout step.
- .github/workflows/release-publish.yml: Added an empty `permissions` object at the workflow level and changed `contents` permissions from write to read in the `release` job. Disabled credential persistence for the checkout step.

New Workflow:
- .github/workflows/pinact.yml: Introduced a new workflow named "Pinact" to pin actions used in the repository. This includes setting up permissions, specifying the branch to trigger on, and defining steps for checking out the code and pinning actions.

Additional Improvements:
- .github/workflows/release-prepare.yml: Added the `--sign` flag to the `cargo release` command to enable signing of the release.
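As an added example (not part of this PR or the repository), a stdlib-only audit script that flags the three hardening settings the PR introduces in a workflow file: a workflow-level `permissions` block, action references pinned to a full commit SHA, and `persist-credentials: false` on the checkout step. The two workflow texts are constructed samples, and the 40-zero SHA is a placeholder for a real pinned commit.

```python
import re
# Constructed samples (not the repository's files): the defaults this PR moves away from,
# and the hardened form with the three settings it introduces.
WEAK = """\
on: [push]
jobs:
  build-n-test:
    steps:
      - uses: actions/checkout@v4
      - run: cargo test
"""
HARDENED = """\
on: [push]
permissions: {}
jobs:
  build-n-test:
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
        with:
          persist-credentials: false
      - run: cargo test
"""
USES_RE = re.compile(r"^\s*-\s*uses:\s*(\S+)")
PINNED_RE = re.compile(r"^[^@]+@[0-9a-f]{40}$")
STEP_RE = re.compile(r"^\s*-\s")

def audit_workflow(text: str) -> list[str]:
    """Findings for one workflow file; an empty list means all three checks pass."""
    lines = text.splitlines()
    findings = []
    # 1. A column-0 'permissions:' key overrides the default GITHUB_TOKEN grants for all jobs.
    if not any(ln.startswith("permissions:") for ln in lines):
        findings.append("no workflow-level permissions block")
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m or "@" not in m.group(1):
            continue  # only owner/repo@ref references are checked
        ref = m.group(1)
        # 2. A tag like @v4 can be moved to other code; a 40-hex commit SHA cannot.
        if not PINNED_RE.match(ref):
            findings.append(f"action not pinned to a commit SHA: {ref}")
        # 3. checkout stores the token in .git/config unless persist-credentials is false.
        if ref.startswith("actions/checkout@"):
            rest = lines[i + 1:]
            end = next((k for k, s in enumerate(rest) if STEP_RE.match(s)), len(rest))
            if not any("persist-credentials: false" in s for s in rest[:end]):
                findings.append("checkout step leaves persist-credentials at default (true)")
    return findings
```

Running `audit_workflow` over the weak sample yields three findings; over the hardened sample it yields none.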