
ci: Update GitHub Actions workflows #779

Merged
merged 7 commits into from
Jul 19, 2023

Conversation

evansims
Member

@evansims evansims commented Jul 19, 2023

This PR makes the following GitHub Actions workflow changes:

  • It pins the golangci/golangci-lint-action, codecov/codecov-action and goreleaser/goreleaser-action third-party actions to full-length commit SHAs of their latest releases.

    Pinning an action to a full-length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository. https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

  • Adds a pull-request-target.trigger-deferred.yml workflow to capture the pull_request_target event and mitigate security concerns about environmental secret access by forked pull requests. https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

    Combining the pull_request_target workflow trigger with an explicit checkout of an untrusted PR is a dangerous practice that may lead to repository compromise.

  • Updated semgrep.yml to run as a deferred workflow and removed the pull_request_target event trigger. I removed the conditionals around skipping Dependabot and Snykbot checks, as this resolves the permissions issue those conditions were implemented for as a workaround.

  • Bumps goreleaser/goreleaser-action from v3 to v4. I could not identify any breaking changes, but please review and make alterations as necessary.
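The two hardening points in this PR (SHA-pinning third-party actions, and not combining `pull_request_target` with a checkout of the PR head) are mechanical enough to check automatically. The script below is an added example, not code from this PR or the project: it audits a workflow file for `uses:` references that are not pinned to a 40-hex commit SHA and for the `pull_request_target` + PR-head-checkout combination the description warns about. Both workflow texts are constructed samples, and the SHAs in the hardened one are placeholders, not the real release commits of those actions.

```python
import re

# Constructed sample: an unhardened workflow of the kind the PR replaces
# (not the project's actual file).
UNPINNED_WORKFLOW = """\
name: lint
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: golangci/golangci-lint-action@v3
      - uses: codecov/codecov-action@v3
"""

# Constructed sample: the same workflow after hardening. The SHAs are
# placeholders, not real release commits; the trailing comment records the
# tag the SHA was resolved from, which is the usual convention when pinning.
PINNED_WORKFLOW = """\
name: lint
on:
  pull_request:
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v3 (placeholder SHA)
      - uses: golangci/golangci-lint-action@89abcdef0123456789abcdef0123456789abcdef # v3 (placeholder SHA)
      - uses: codecov/codecov-action@fedcba9876543210fedcba9876543210fedcba98 # v3 (placeholder SHA)
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PR_HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


def is_pinned_to_sha(uses_ref):
    """True if an 'owner/repo@ref' reference pins to a full-length commit SHA.
    Tags and branches ('@v3', '@main') are mutable and therefore not pinned."""
    if "@" not in uses_ref:
        return False
    return bool(FULL_SHA_RE.match(uses_ref.rsplit("@", 1)[1]))


def find_unpinned_actions(workflow_text):
    """Return (line_number, reference) for every `uses:` that is not SHA-pinned.
    Local actions ('./path') and docker:// images are skipped: they are not
    GitHub-hosted actions and are pinned by other means."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if not is_pinned_to_sha(ref):
            findings.append((lineno, ref))
    return findings


def has_pwn_request_pattern(workflow_text):
    """True if the workflow triggers on pull_request_target AND checks out the
    PR head. That combination runs code from an untrusted fork with the base
    repository's secrets available, which is the risk the PR description cites."""
    triggers_on_prt = (
        re.search(r"^\s*pull_request_target\s*:", workflow_text, re.M) is not None
        or re.search(r"^on:\s*\[?.*\bpull_request_target\b", workflow_text, re.M) is not None
    )
    checks_out_head = PR_HEAD_REF_RE.search(workflow_text) is not None
    return triggers_on_prt and checks_out_head


def audit(workflow_text):
    """Summarise both checks for one workflow file's contents."""
    return {
        "unpinned": find_unpinned_actions(workflow_text),
        "pwn_request": has_pwn_request_pattern(workflow_text),
    }


if __name__ == "__main__":
    for name, text in (("before", UNPINNED_WORKFLOW), ("after", PINNED_WORKFLOW)):
        print(name, audit(text))
```

Run it against `.github/workflows/*.yml` in CI and fail the job when `unpinned` is non-empty or `pwn_request` is true; the regex approach deliberately avoids a YAML dependency so it runs anywhere Python does, at the cost of not understanding unusual YAML layouts (flow-style step lists, anchors), which a PyYAML-based version would handle.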

@codecov-commenter

Codecov Report

Patch and project coverage have no change.

Comparison is base (2f4e29e) 72.07% compared to head (db6bd87) 72.07%.

@@           Coverage Diff           @@
##             main     #779   +/-   ##
=======================================
  Coverage   72.07%   72.07%           
=======================================
  Files          89       89           
  Lines       11156    11156           
=======================================
  Hits         8041     8041           
  Misses       2613     2613           
  Partials      502      502           


@evansims evansims marked this pull request as ready for review July 19, 2023 03:40
@evansims evansims requested a review from a team as a code owner July 19, 2023 03:40
@willvedd willvedd merged commit e69917f into main Jul 19, 2023
5 checks passed
@willvedd willvedd deleted the chore-security/pin-workflow-actions branch July 19, 2023 13:30