Harden CI/CD workflows with pinned action versions and security #656
Draft
OskarDamkjaer wants to merge 1 commit into main from
…rrency

- Pin all third-party actions to full commit SHAs to prevent supply chain attacks
- Add timeout-minutes: 30 to all jobs to prevent runaway runners
- Add explicit least-privilege permissions to all workflows missing them
- Standardize NODE_OPTIONS to --max_old_space_size=8192 across all workflows
- Add concurrency groups to benchmark, pre-release, publish-vscode, and formatting-integrity-check
- Only publish to npm when CI workflow succeeds (check workflow_run conclusion)
- Remove stale TODO comment in publish-vscode-extension.yaml

https://claude.ai/code/session_01RFj4gacppD2MFE6zEY9Lpe
All changes committed and pushed. Here's the motivation for each change:
Change Motivation & Sources
1. Pin all actions to full commit SHAs

Why: In March 2025, the `tj-actions/changed-files` action (used in 23,000+ repos) was compromised when attackers stole a PAT and rewrote mutable version tags to inject malicious code that dumped CI secrets to public logs. Mutable tags (`@v4`) can be silently rewritten at any time — pinning to a commit SHA makes this impossible.

Sources:

2. Add `timeout-minutes: 30` to all jobs

Why: The default timeout is 360 minutes (6 hours). A stuck process — a hanging test, a deadlocked build, or a network issue — will silently consume your entire runner allocation. Explicit timeouts ensure fast failure and prevent billing surprises.

Sources: `jobs.<job_id>.timeout-minutes`

3. Add explicit `permissions` to all workflows

Why: Without explicit permissions, `GITHUB_TOKEN` inherits the repository's default permissions (typically `write` for most scopes). This violates the principle of least privilege — if a workflow is compromised, the attacker gets broader access than necessary. Setting `permissions: contents: read` at the workflow level and elevating per-job narrows the blast radius.

Sources:

4. Standardize `NODE_OPTIONS` to `--max_old_space_size=8192`

Why: The value was inconsistent: `setup-and-build` used `4096`, `ci.yaml` used `8192`, `deploy-demo.yml` used `4096`. This causes unpredictable OOM failures depending on which workflow runs and whether the build step's `NODE_OPTIONS` or the workflow-level one takes effect. Standardizing to `8192` across all workflows eliminates this inconsistency.

Sources: `--max-old-space-size`

5. Add concurrency groups to remaining workflows

Why: Without concurrency controls, multiple runs of the same workflow can execute simultaneously — wasting resources (benchmark, formatting check) or causing race conditions (publish workflows pushing versions concurrently). For publish workflows, `cancel-in-progress: false` ensures a running publish completes rather than being cancelled mid-release.

Added to: `benchmark.yaml`, `pre-release-vscode-extension.yaml`, `publish-vscode-extension.yaml`, `formatting-integrity-check.yaml`

Sources:

6. Check CI conclusion before npm publish

Why: `publish-npm-packages.yaml` triggers on `workflow_run: completed`, but `completed` fires regardless of whether CI passed or failed. Without `if: github.event.workflow_run.conclusion == 'success'`, a failed CI run could still trigger a publish attempt. Added the condition to both the stable and canary release jobs.

Sources: `workflow_run` event
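
An added example, not part of the pull request or the project's code: a small Python audit that flags the conditions items 1, 2, 3 and 6 above address, so a reviewer can check a workflow file for them. The sample workflow, the action name `example-org/example-action`, its SHA and the local action path are constructed for illustration, and the checks are line-based heuristics rather than a full YAML parse.

```python
import re

# Constructed sample workflow (not from the PR); the SHA is a made-up placeholder.
SAMPLE = """\
name: publish
on:
  workflow_run:
    workflows: [CI]
    types: [completed]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: ./.github/actions/local-example
      - run: npm publish
"""

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def unpinned_actions(text):
    """Return (line_no, ref) for each `uses:` not pinned to a 40-hex commit SHA."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local actions are versioned with the repo; image refs are out of scope here
        _, _, version = ref.partition("@")
        if not FULL_SHA.match(version):
            findings.append((n, ref))  # mutable tag, branch, or short SHA
    return findings

def missing_hardening(text):
    """Coarse presence checks for the other settings the comment lists."""
    issues = []
    if not re.search(r"^permissions:", text, re.M):
        issues.append("no workflow-level permissions block")
    if not re.search(r"^\s+timeout-minutes:", text, re.M):
        issues.append("no timeout-minutes on any job")
    if "workflow_run" in text and "workflow_run.conclusion" not in text:
        issues.append("workflow_run trigger without a conclusion check")
    return issues
```
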