From 1c79c9e607b0c4d6a21c4b9c4e9f3ca78694079a Mon Sep 17 00:00:00 2001
From: Alb3e3 <74142887+Alb3e3@users.noreply.github.com>
Date: Fri, 12 Jun 2026 00:51:42 +0200
Subject: [PATCH] harden CI: add permissions and pin action SHAs

Add `permissions: read-all` at the workflow level to enforce least-privilege for all jobs, and pin all third-party action references to full commit SHAs to prevent supply-chain attacks via mutable version tags or branch names.
---
 .github/workflows/aarch64_linux_bazel.yml | 4 +++-
 .github/workflows/aarch64_linux_cmake.yml | 4 +++-
 .github/workflows/aarch64_linux_zig.yml | 6 ++++--
 .github/workflows/amd64_linux_bazel.yml | 6 ++++--
 .github/workflows/amd64_linux_cmake.yml | 4 +++-
 .github/workflows/amd64_linux_zig.yml | 6 ++++--
 .github/workflows/amd64_macos_bazel.yml | 4 +++-
 .github/workflows/amd64_macos_cmake.yml | 6 ++++--
 .github/workflows/amd64_macos_zig.yml | 6 ++++--
 .github/workflows/amd64_windows_bazel.yml | 4 +++-
 .github/workflows/amd64_windows_cmake.yml | 4 +++-
 .github/workflows/amd64_windows_zig.yml | 6 ++++--
 .github/workflows/arm64_macos_bazel.yml | 4 +++-
 .github/workflows/arm64_macos_cmake.yml | 6 ++++--
 .github/workflows/arm64_macos_zig.yml | 6 ++++--
 .github/workflows/arm_linux_cmake.yml | 4 +++-
 .github/workflows/clang_format.yml | 4 +++-
 .github/workflows/mips_linux_cmake.yml | 4 +++-
 .github/workflows/power_linux_cmake.yml | 4 +++-
 .github/workflows/riscv_linux_cmake.yml | 4 +++-
 .github/workflows/s390x_linux_cmake.yml | 4 +++-
 .github/workflows/zig.yml | 6 ++++--
 22 files changed, 75 insertions(+), 31 deletions(-)

diff --git a/.github/workflows/aarch64_linux_bazel.yml b/.github/workflows/aarch64_linux_bazel.yml
index fcbd2dd5..d0b6a7e4 100644
--- a/.github/workflows/aarch64_linux_bazel.yml
+++ b/.github/workflows/aarch64_linux_bazel.yml
@@ -7,13 +7,15 @@ on:
 # min hours day(month) month day(week)
 - cron: '0 0 7,22 * *'

+permissions: read-all
+
 jobs:
 # Building using the GitHub runner environement directly.
 bazel:
 runs-on: ubuntu-24.04-arm
 steps:
 - name: Check out repository code
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Build
 run: make --directory=bazel/ci arm64_build
 - name: Test
diff --git a/.github/workflows/aarch64_linux_cmake.yml b/.github/workflows/aarch64_linux_cmake.yml
index 9390d837..1286887b 100644
--- a/.github/workflows/aarch64_linux_cmake.yml
+++ b/.github/workflows/aarch64_linux_cmake.yml
@@ -7,6 +7,8 @@ on:
 # min hours day(month) month day(week)
 - cron: '0 0 7,22 * *'

+permissions: read-all
+
 jobs:
 # Building using the github runner environement directly.
 make:
@@ -21,7 +23,7 @@ jobs:
 env:
 TARGET: ${{ matrix.targets[0] }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Build
 run: make --directory=cmake/ci ${TARGET}_build
 - name: Test
diff --git a/.github/workflows/aarch64_linux_zig.yml b/.github/workflows/aarch64_linux_zig.yml
index 5da6fbd2..a08e8aa3 100644
--- a/.github/workflows/aarch64_linux_zig.yml
+++ b/.github/workflows/aarch64_linux_zig.yml
@@ -2,6 +2,8 @@ name: aarch64 Linux Zig

 on: [push, pull_request]

+permissions: read-all
+
 jobs:
 run:
 strategy:
@@ -11,8 +13,8 @@ jobs:
 - aarch64-linux-gnu
 runs-on: ubuntu-24.04-arm
 steps:
- - uses: actions/checkout@v6
- - uses: mlugg/setup-zig@v2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+ - uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
 with:
 version: 0.16.0
 - name: Build
diff --git a/.github/workflows/amd64_linux_bazel.yml b/.github/workflows/amd64_linux_bazel.yml
index 0872ebe4..3b6d8421 100644
--- a/.github/workflows/amd64_linux_bazel.yml
+++ b/.github/workflows/amd64_linux_bazel.yml
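Review bot: The added `permissions: read-all` grants the GITHUB_TOKEN read access on every scope (actions, packages, pull-requests, and so on), while the only action this job uses is `actions/checkout`, which needs nothing beyond `contents: read`; the workflow-level block would be tighter as `permissions:` followed by `  contents: read`. On a public repository the extra read scopes are mostly moot, but the same block is pasted into all 22 workflows here, so it is worth settling once whether `read-all` is a deliberate baseline or whether per-scope grants are intended. The `bazel` job continues below the hunk.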
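Review bot: The trailing `# v6` and `# v2` comments on the pinned `uses:` lines in the aarch64_linux_zig hunk are not interpreted by GitHub, so nothing prevents the SHA and the comment from drifting apart on the next bump, and the diff by itself does not show that the setup-zig SHA is the commit behind the upstream `v2` tag. Annotate each pin with the exact release the SHA was resolved from (e.g. `# v2.x.y` rather than the moving `v2` alias) and add a `.github/dependabot.yml` entry with `package-ecosystem: github-actions` so pins and comments are rewritten together. The `run` job body continues below the hunk.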
@@ -7,15 +7,17 @@ on:
 # min hours day(month) month day(week)
 - cron: '0 0 7,22 * *'

+permissions: read-all
+
 jobs:
 # Building using the github runner environement directly.
 bazel:
 runs-on: ubuntu-latest
 steps:
 - name: Check out repository code
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v4
+ uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4
 - name: Check docker
 run: |
 docker info
diff --git a/.github/workflows/amd64_linux_cmake.yml b/.github/workflows/amd64_linux_cmake.yml
index 01545423..b411402b 100644
--- a/.github/workflows/amd64_linux_cmake.yml
+++ b/.github/workflows/amd64_linux_cmake.yml
@@ -7,12 +7,14 @@ on:
 # min hours day(month) month day(week)
 - cron: '0 0 7,22 * *'

+permissions: read-all
+
 jobs:
 # Building using the github runner environement directly.
 make:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Env
 run: make --directory=cmake/ci amd64_env
 - name: Devel
diff --git a/.github/workflows/amd64_linux_zig.yml b/.github/workflows/amd64_linux_zig.yml
index 50592ca5..997f0974 100644
--- a/.github/workflows/amd64_linux_zig.yml
+++ b/.github/workflows/amd64_linux_zig.yml
@@ -2,6 +2,8 @@ name: amd64 Linux Zig

 on: [push, pull_request]

+permissions: read-all
+
 jobs:
 run:
 strategy:
@@ -11,8 +13,8 @@ jobs:
 - x86_64-linux-gnu
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - uses: mlugg/setup-zig@v2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+ - uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
 with:
 version: 0.16.0
 - name: Build
diff --git a/.github/workflows/amd64_macos_bazel.yml b/.github/workflows/amd64_macos_bazel.yml
index 3cabacbd..110b5fb5 100644
--- a/.github/workflows/amd64_macos_bazel.yml
+++ b/.github/workflows/amd64_macos_bazel.yml
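Review bot: Pinning `docker/setup-qemu-action` to a SHA in the amd64_linux_bazel hunk does not pin what the step installs: in the releases I am aware of, the action's `image` input defaults to a tag-addressed binfmt image that is pulled at run time, so the QEMU binaries can still change underneath the pinned workflow — confirm the default for this revision. If the intent is a fully reproducible toolchain, add `with:` and `  image: <binfmt image>@sha256:<digest>` to that step so the image is pulled by digest. The `bazel` job's remaining steps are below the hunk.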
@@ -8,13 +8,15 @@ on:
 # min hours day(month) month day(week)
 - cron: '0 0 7,22 * *'

+permissions: read-all
+
 jobs:
 # Building using the github runner environement directly.
 bazel:
 runs-on: macos-15-intel # Using x86 processors
 steps:
 - name: Check out repository code
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Install Bazel
 run: |
 brew update
diff --git a/.github/workflows/amd64_macos_cmake.yml b/.github/workflows/amd64_macos_cmake.yml
index c755392e..229277c9 100644
--- a/.github/workflows/amd64_macos_cmake.yml
+++ b/.github/workflows/amd64_macos_cmake.yml
@@ -8,6 +8,8 @@ on:
 # min hours day(month) month day(week)
 - cron: '0 0 7,22 * *'

+permissions: read-all
+
 jobs:
 # Building using the github runner environement directly.
 xcode:
@@ -15,7 +17,7 @@ jobs:
 env:
 CTEST_OUTPUT_ON_FAILURE: 1
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Check cmake
 run: cmake --version
 - name: Configure
@@ -31,7 +33,7 @@ jobs:
 env:
 CTEST_OUTPUT_ON_FAILURE: 1
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Check cmake
 run: cmake --version
 - name: Configure
diff --git a/.github/workflows/amd64_macos_zig.yml b/.github/workflows/amd64_macos_zig.yml
index 60d5556b..a598c418 100644
--- a/.github/workflows/amd64_macos_zig.yml
+++ b/.github/workflows/amd64_macos_zig.yml
@@ -2,6 +2,8 @@ name: amd64 MacOS Zig

 on: [push, pull_request]

+permissions: read-all
+
 jobs:
 run:
 strategy:
@@ -10,8 +12,8 @@ jobs:
 - x86_64-macos-none
 runs-on: macos-15-intel # Using x86 processors
 steps:
- - uses: actions/checkout@v6
- - uses: mlugg/setup-zig@v2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+ - uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
 with:
 version: 0.16.0
 - name: Build
diff --git a/.github/workflows/amd64_windows_bazel.yml b/.github/workflows/amd64_windows_bazel.yml
index d3d7380c..2d9f81c5 100644
--- a/.github/workflows/amd64_windows_bazel.yml
+++ b/.github/workflows/amd64_windows_bazel.yml
@@ -8,13 +8,15 @@ on:
 # min hours day(month) month day(week)
 - cron: '0 0 7,22 * *'

+permissions: read-all
+
 jobs:
 # Building using the github runner environement directly.
 bazel:
 runs-on: windows-latest
 steps:
 - name: Check out repository code
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Install Bazel
 run: |
 choco install bazel
diff --git a/.github/workflows/amd64_windows_cmake.yml b/.github/workflows/amd64_windows_cmake.yml
index 63d971cd..b4954c91 100644
--- a/.github/workflows/amd64_windows_cmake.yml
+++ b/.github/workflows/amd64_windows_cmake.yml
@@ -7,6 +7,8 @@ on:
 # min hours day(month) month day(week)
 - cron: '0 0 7,22 * *'

+permissions: read-all
+
 jobs:
 # Building using the github runner environement directly.
 msvc:
@@ -14,7 +16,7 @@ jobs:
 env:
 CTEST_OUTPUT_ON_FAILURE: 1
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Configure
 run: cmake -S. -Bbuild -G "Visual Studio 17 2022" -DCMAKE_CONFIGURATION_TYPES=Release
 - name: Build
diff --git a/.github/workflows/amd64_windows_zig.yml b/.github/workflows/amd64_windows_zig.yml
index 632458de..1cb069c4 100644
--- a/.github/workflows/amd64_windows_zig.yml
+++ b/.github/workflows/amd64_windows_zig.yml
@@ -2,6 +2,8 @@ name: amd64 Windows Zig

 on: [push, pull_request]

+permissions: read-all
+
 jobs:
 run:
 strategy:
@@ -10,8 +12,8 @@ jobs:
 - x86_64-windows-gnu
 runs-on: windows-latest
 steps:
- - uses: actions/checkout@v6
- - uses: mlugg/setup-zig@v2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+ - uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
 with:
 version: 0.16.0
 - name: Build
diff --git a/.github/workflows/arm64_macos_bazel.yml b/.github/workflows/arm64_macos_bazel.yml
index 7a3e4ed0..99811540 100644
--- a/.github/workflows/arm64_macos_bazel.yml
+++ b/.github/workflows/arm64_macos_bazel.yml
@@ -8,13 +8,15 @@ on:
 # min hours day(month) month day(week)
 - cron: '0 0 7,22 * *'

+permissions: read-all
+
 jobs:
 # Building using the github runner environement directly.
 bazel:
 runs-on: macos-latest # Using M1 processors, ref: https://github.com/actions/runner-images
 steps:
 - name: Check out repository code
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Install Bazel
 run: |
 brew update
diff --git a/.github/workflows/arm64_macos_cmake.yml b/.github/workflows/arm64_macos_cmake.yml
index 3537b8c3..395dfd27 100644
--- a/.github/workflows/arm64_macos_cmake.yml
+++ b/.github/workflows/arm64_macos_cmake.yml
@@ -8,6 +8,8 @@ on:
 # min hours day(month) month day(week)
 - cron: '0 0 7,22 * *'

+permissions: read-all
+
 jobs:
 # Building using the github runner environement directly.
 xcode:
@@ -15,7 +17,7 @@ jobs:
 env:
 CTEST_OUTPUT_ON_FAILURE: 1
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Check cmake
 run: cmake --version
 - name: Configure
@@ -31,7 +33,7 @@ jobs:
 env:
 CTEST_OUTPUT_ON_FAILURE: 1
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Check cmake
 run: cmake --version
 - name: Configure
diff --git a/.github/workflows/arm64_macos_zig.yml b/.github/workflows/arm64_macos_zig.yml
index 0b37842c..5a6f4dc8 100644
--- a/.github/workflows/arm64_macos_zig.yml
+++ b/.github/workflows/arm64_macos_zig.yml
@@ -2,6 +2,8 @@ name: Arm64 MacOS Zig

 on: [push, pull_request]

+permissions: read-all
+
 jobs:
 run:
 strategy:
@@ -10,8 +12,8 @@ jobs:
 - aarch64-macos-none
 runs-on: macos-latest # Using M1 processors
 steps:
- - uses: actions/checkout@v6
- - uses: mlugg/setup-zig@v2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+ - uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
 with:
 version: 0.16.0
 - name: Build
diff --git a/.github/workflows/arm_linux_cmake.yml b/.github/workflows/arm_linux_cmake.yml
index 77f3bdb4..a4f92aeb 100644
--- a/.github/workflows/arm_linux_cmake.yml
+++ b/.github/workflows/arm_linux_cmake.yml
@@ -7,6 +7,8 @@ on:
 # min hours day(month) month day(week)
 - cron: '0 0 7,22 * *'

+permissions: read-all
+
 jobs:
 # Building using the github runner environement directly.
 make:
@@ -21,7 +23,7 @@ jobs:
 env:
 TARGET: ${{ matrix.targets[0] }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Build
 run: make --directory=cmake/ci ${TARGET}_build
 - name: Test
diff --git a/.github/workflows/clang_format.yml b/.github/workflows/clang_format.yml
index 0525c860..a8303903 100644
--- a/.github/workflows/clang_format.yml
+++ b/.github/workflows/clang_format.yml
@@ -2,12 +2,14 @@ name: clang-format Check

 on: [push, pull_request]

+permissions: read-all
+
 jobs:
 # Building using the github runner environement directly.
 clang-format:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Fetch origin/main
 run: git fetch origin main
 - name: List of changed file(s)
diff --git a/.github/workflows/mips_linux_cmake.yml b/.github/workflows/mips_linux_cmake.yml
index 5f755f73..8262c30f 100644
--- a/.github/workflows/mips_linux_cmake.yml
+++ b/.github/workflows/mips_linux_cmake.yml
@@ -7,6 +7,8 @@ on:
 # min hours day(month) month day(week)
 - cron: '0 0 7,22 * *'

+permissions: read-all
+
 jobs:
 # Building using the github runner environement directly.
 make:
@@ -23,7 +25,7 @@ jobs:
 env:
 TARGET: ${{ matrix.targets[0] }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Build
 run: make --directory=cmake/ci ${TARGET}_build
 - name: Test
diff --git a/.github/workflows/power_linux_cmake.yml b/.github/workflows/power_linux_cmake.yml
index 3baf7641..1535ac29 100644
--- a/.github/workflows/power_linux_cmake.yml
+++ b/.github/workflows/power_linux_cmake.yml
@@ -7,6 +7,8 @@ on:
 # min hours day(month) month day(week)
 - cron: '0 0 7,22 * *'

+permissions: read-all
+
 jobs:
 # Building using the github runner environement directly.
 make:
@@ -22,7 +24,7 @@ jobs:
 env:
 TARGET: ${{ matrix.targets[0] }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Build
 run: make --directory=cmake/ci ${TARGET}_build
 - name: Test
diff --git a/.github/workflows/riscv_linux_cmake.yml b/.github/workflows/riscv_linux_cmake.yml
index 6282a818..566cc1fc 100644
--- a/.github/workflows/riscv_linux_cmake.yml
+++ b/.github/workflows/riscv_linux_cmake.yml
@@ -7,6 +7,8 @@ on:
 # min hours day(month) month day(week)
 - cron: '0 0 7,22 * *'

+permissions: read-all
+
 jobs:
 # Building using the github runner environement directly.
 make:
@@ -21,7 +23,7 @@ jobs:
 env:
 TARGET: ${{ matrix.targets[0] }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Build
 run: make --directory=cmake/ci ${TARGET}_build
 - name: Test
diff --git a/.github/workflows/s390x_linux_cmake.yml b/.github/workflows/s390x_linux_cmake.yml
index ec8553e4..ba4a343e 100644
--- a/.github/workflows/s390x_linux_cmake.yml
+++ b/.github/workflows/s390x_linux_cmake.yml
@@ -7,6 +7,8 @@ on:
 # min hours day(month) month day(week)
 - cron: '0 0 7,22 * *'

+permissions: read-all
+
 jobs:
 # Building using the github runner environement directly.
 make:
@@ -20,7 +22,7 @@ jobs:
 env:
 TARGET: ${{ matrix.targets[0] }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - name: Build
 run: make --directory=cmake/ci ${TARGET}_build
 - name: Test
diff --git a/.github/workflows/zig.yml b/.github/workflows/zig.yml
index 37b2f8df..c5b68ab0 100644
--- a/.github/workflows/zig.yml
+++ b/.github/workflows/zig.yml
@@ -2,12 +2,14 @@ name: Zig Check

 on: [push, pull_request]

+permissions: read-all
+
 jobs:
 zig-fmt:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - uses: mlugg/setup-zig@v2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+ - uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
 with:
 version: 0.16.0
 - run: zig fmt --check .