12 changes: 6 additions & 6 deletions .github/workflows/ci-cd.yml
Expand Up @@ -16,10 +16,10 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744

- name: Set up Node.js
uses: actions/setup-node@v3
uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610
with:
node-version: 18

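Review bot: the new `uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744` and `uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610` lines drop the human-readable version entirely. Append the tag each SHA was resolved from as a trailing comment, e.g. `uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3` (or the exact patch tag if the pin script knows it), so a reviewer can verify the pin against the upstream tag with `git ls-remote` and Dependabot/Renovate can keep proposing bumps; as written, nothing in the diff shows which release these commits belong to.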
Expand All @@ -36,10 +36,10 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744

- name: Set up Node.js
uses: actions/setup-node@v3
uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610
with:
node-version: 18

Expand All @@ -56,10 +56,10 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744

- name: Set up Node.js
uses: actions/setup-node@v3
uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610
with:
node-version: 18

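Review bot: this is the third job carrying the identical checkout/setup-node pair, so the pins now live in three places that must be bumped together. Since this PR also documents `npm run pin-actions -- --dry-run`, consider running it in CI and failing the job when it reports anything to change; that catches a later edit that quietly reintroduces `@v3` in one of the three jobs while the other two stay pinned.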
69 changes: 69 additions & 0 deletions README.md
Expand Up @@ -8,6 +8,7 @@ This project contains:
- **SEQICO.sol**: The main ICO contract allowing token purchases with ETH, USDT, and USDC
- **SEQToken.sol**: The ERC20 token contract
- **Deployment scripts**: Two deployment scripts with different configurations
- **GitHub Actions Automation**: Script to pin GitHub Actions to full-length commit SHAs for improved security

## Features

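Review bot: the new **GitHub Actions Automation** bullet describes what the tool does but, unlike the sibling entries that name `SEQICO.sol` and `SEQToken.sol`, it does not say where the script lives. Name the file so the list stays a usable map of the repository and the `npm run pin-actions` entry documented further down can be traced to its source.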
Expand All @@ -23,6 +24,15 @@ This project contains:
- Initial distribution: 10% to owner, 90% to ICO contract
- 500,000 total supply

### GitHub Actions Security Automation
Automated tool to pin GitHub Actions to full-length commit SHAs for improved security:

- **Automatic Detection**: Scans all workflow files for unpinned GitHub Actions
- **Safe Updates**: Fetches the latest commit SHAs and safely replaces version tags
- **Validation**: Ensures YAML remains valid after updates
- **Dry Run Mode**: Preview changes before applying them
- **Comprehensive Testing**: Full test suite with edge case handling

## Setup

1. Install dependencies:
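Review bot: "Fetches the latest commit SHAs" under **Safe Updates** is ambiguous. The security property comes from resolving the tag (`@v3`) to the commit that tag currently points at, not from taking the latest commit of the action's repository, which would pin an unreleased head. The later "Version Resolution" bullet says it resolves to the latest patch release, so state that here as well, and say what "safely" means in practice (for example, that only the `uses:` value changes and the file is re-validated as YAML afterwards).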
Expand All @@ -44,6 +54,65 @@ npx hardhat run scripts/deploy.js
npx hardhat run scripts/deploy-DE.js
```

## GitHub Actions Security

### Pinning Actions to Commit SHAs

For improved security, this project includes automation to pin GitHub Actions to full-length commit SHAs instead of using version tags. This prevents potential supply chain attacks where malicious code could be injected into new versions of actions.

#### Usage

Preview what would be changed (recommended first):
```bash
npm run pin-actions -- --dry-run
```

Pin all GitHub Actions in workflow files:
```bash
npm run pin-actions
```

With GitHub token for better rate limits:
```bash
GITHUB_TOKEN=your_token_here npm run pin-actions
```

#### Features

- **Smart Detection**: Automatically finds all `.yml` and `.yaml` files in `.github/workflows/`
- **Version Resolution**: Resolves version tags (like `@v3`) to the latest patch version commit SHA
- **Selective Updates**: Only updates unpinned actions, skips already pinned ones
- **Error Handling**: Gracefully handles non-existent repositories and network issues
- **YAML Validation**: Ensures workflow files remain valid after updates
- **Caching**: Caches API responses to minimize GitHub API calls

#### Supported Action Formats

✅ **Will be pinned:**
- `actions/checkout@v3` → `actions/checkout@f43a0e5ff2bd294f1e76c1b0c63c18e4bd`
- `actions/[email protected]` → `actions/setup-node@60edb5d...`
- `company/action@main` → `company/action@abc123...`

❌ **Will be skipped (already secure):**
- `actions/checkout@f43a0e5ff2bd294f1e76c1b0c63c18e4bd` (already pinned)

#### Testing

Run the automation tests:
```bash
npm test
# or specifically
npm run test:pin-actions
```

The test suite covers:
- Workflow file discovery
- Action parsing and identification
- SHA resolution and replacement
- YAML validation
- Dry run functionality
- Error handling for edge cases

## Contract Functions

### SEQICO Contract
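Review bot: the example pin under **Supported Action Formats**, `actions/checkout@f43a0e5ff2bd294f1e76c1b0c63c18e4bd`, is 34 hex characters, not a full-length 40-character SHA, and it differs from the value this same PR writes into `.github/workflows/ci-cd.yml` (`f43a0e5ff2bd294095638e18286ca9a3d1956744`). Use the real 40-character SHA in both the "will be pinned" and "already pinned" examples: readers copy README examples, and a 34-character value would not be accepted as a pin by any check that requires a full SHA. Two smaller points: `company/action@main` → `abc123...` freezes whatever the branch head is at run time, which may be an unreleased commit, so the docs should say that branch refs are snapshotted rather than resolved to a release; and "already secure" overstates a SHA pin, which guarantees only that the referenced code cannot change, not that the pinned commit was reviewed.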