Harden GitHub Actions security#3001
Merged
ferd merged 11 commits intoerlang:mainfrom Mar 26, 2026
Merged
Conversation
Fix zizmor unpinned-uses audit findings by replacing version tags with full commit hashes for all action references. See: https://docs.zizmor.sh/audits/#unpinned-uses
Set persist-credentials: false on all actions/checkout steps to prevent credential leakage through artifacts. See: https://docs.zizmor.sh/audits/#artipacked
Use shell variable expansion instead of GitHub Actions template expansion to prevent potential code injection. See: https://docs.zizmor.sh/audits/#template-injection
Add explicit permissions block to limit default GITHUB_TOKEN permissions to read-only access. See: https://docs.zizmor.sh/audits/#excessive-permissions
Move contents: write from workflow level to the specific job that needs it, keeping workflow-level permissions read-only. See: https://docs.zizmor.sh/audits/#excessive-permissions
- actions/checkout: v2.7.0/v4.3.1 → v6.0.2 - aws-actions/configure-aws-credentials: v1.7.0 → v4.3.1
Use gh release create/upload instead of the archived actions/create-release and actions/upload-release-asset. See: https://docs.zizmor.sh/audits/#archived-uses
Runs weekly and on pushes/PRs to main branch, analyzing Actions workflow files for security issues.
Runs alongside CodeQL to detect workflow security issues.
Generate SLSA build provenance using actions/attest and include the sigstore bundle alongside the rebar3 escript in releases. Verify with: gh attestation verify rebar3 --owner erlang
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
ferd
approved these changes
Mar 26, 2026
Collaborator
ferd
left a comment
ferd
left a comment
There was a problem hiding this comment.
Sounds good, let's give it a try. If I see it breaks the nightly flows I will assume it might also break the release flow and we can rework things.
This was referenced Apr 3, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR contains multiple commits improving GitHub Actions security:
persist-credentials: falseto allactions/checkoutusagescontents: readpermissions, scope write permissions to job levelactions/checkout: v2.7.0/v4.3.1 → v6.0.2aws-actions/configure-aws-credentials: v1.7.0 → v4.3.1ghCLI instead of archivedactions/create-releaseandactions/upload-release-assetSimilar changes have already been applied to:
Required Repository Settings
After merging, enable the following repository settings in "Rules" / "Rulesets":
Add "Require code scanning results" with the following tools:
CodeQLzizmorSet "Security Alerts" and "Alert" to "All":
That way PR merges are blocked until all issues have been identified.
References