
fix(ci): harden publish-docs workflow security and update actions #20

Open

jmeridth wants to merge 5 commits into EpicGames:main from jmeridth:fix/harden-publish-docs-workflow

Conversation

@jmeridth commented Jun 18, 2026

Similar to #7 but use full SHAs for actions

What/Why

Reduce blast radius of a compromised action by moving permissions to job level with least-privilege grants, disabling credential persistence on checkout, and pinning all actions to SHA at their latest versions.

Proof it works

actionlint passes clean. Workflow is push-to-main only so will be validated on merge.

Risk + AI role

Low -- workflow-only change, no application code affected. AI-assisted (Claude Opus 4.6).

Review focus

Verify the major version bumps (checkout v4->v6, setup-uv v5->v8, configure-pages v5->v6, upload-pages-artifact v3->v5, deploy-pages v4->v5) don't introduce breaking changes for this usage.
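A check for the three hardening points listed in the description, as an added example that is not part of this PR or the repository: a small line-based audit that flags workflow-level permission grants, jobs without their own permissions block, `uses:` refs that are not full commit SHAs, and a checkout step without `persist-credentials: false`. Both workflow samples are constructed for the example; the 40-zero SHAs are placeholders, not real commits, and `permissions: {}` is used as the workflow-level deny-all default.

```python
import re
from itertools import takewhile
# Constructed "before" sample, not the repository's workflow: write-all at workflow level, mutable tag refs, token kept on disk.
WEAK = """\
permissions: write-all
jobs:
  deploy:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/deploy-pages@v4
"""
# Constructed "after" sample in the shape the PR describes; the 40-zero SHAs are placeholders, not real commits.
HARDENED = """\
permissions: {}
jobs:
  deploy:
    permissions:
      pages: write
      id-token: write
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v6.0.0
        with:
          persist-credentials: false
      - uses: actions/deploy-pages@0000000000000000000000000000000000000000  # v5.0.0
"""
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)")

def audit_workflow(text):
    """Line-based audit for the PR's three hardening points; returns a list of finding strings."""
    lines, findings, in_jobs, job, jobs = text.splitlines(), [], False, None, {}
    for i, ln in enumerate(lines):
        indent, s = len(ln) - len(ln.lstrip()), ln.strip()
        if indent == 0:                                    # workflow-level key
            in_jobs = s == "jobs:"
            if s.startswith("permissions:") and s != "permissions: {}":
                findings.append("workflow-level permissions grant; move grants to job level")
        elif in_jobs and indent == 2 and s.endswith(":"):   # a job name
            job, jobs[s[:-1]] = s[:-1], False
        elif job and indent == 4 and s.split(":")[0] == "permissions":
            jobs[job] = True                               # job declares its own grants
        m = USES_RE.match(ln)
        if m and not SHA_RE.match(m.group(2)):
            findings.append(f"{job}: {m.group(1)}@{m.group(2)} is a mutable ref; pin to a full commit SHA")
        if m and m.group(1) == "actions/checkout":
            # this step's own lines (its `with:` block) run until the next "- " step line
            step = [n.strip() for n in takewhile(lambda n: not n.strip().startswith("- "), lines[i + 1:])]
            if "persist-credentials: false" not in step:
                findings.append(f"{job}: checkout persists GITHUB_TOKEN; set persist-credentials: false")
    findings += [f"{j}: no job-level permissions block" for j, ok in jobs.items() if not ok]
    return findings
```

Running `audit_workflow` over a real workflow file's text reports the same four classes of finding; the SHA check only accepts a 40-hex ref, so `@v6` or a short SHA still fails it.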

What/Why

Reduce blast radius of a compromised action by moving permissions to
job level with least-privilege grants, disabling credential persistence
on checkout, and pinning all actions to SHA at their latest versions.

Proof it works

actionlint passes clean. Workflow is push-to-main only so will be
validated on merge.

Risk + AI role

Low -- workflow-only change, no application code affected. All changes
AI-generated (Claude Opus 4.6, claude-opus-4-6), human-reviewed.

Review focus

Verify the major version bumps (checkout v4->v6, setup-uv v5->v8,
configure-pages v5->v6, upload-pages-artifact v3->v5,
deploy-pages v4->v5) don't introduce breaking changes for this usage.

Signed-off-by: jmeridth <jmeridth@gmail.com>
@jmeridth jmeridth marked this pull request as ready for review June 18, 2026 03:51
@ragnarula ragnarula requested review from dubuc and duncangrist June 18, 2026 12:08
@duncangrist (Contributor)
This looks like a good hardening practice, thank you.

Can you test it end-to-end against your fork to ensure the changes actually work? Mention you've done that in this PR and we'll be happy to approve it.

jmeridth added 2 commits June 18, 2026 07:38
@jmeridth (Author)

> This looks like a good hardening practice, thank you.
>
> Can you test it end-to-end against your fork to ensure the changes actually work? Mention you've done that in this PR and we'll be happy to approve it.

@duncangrist As noted above, this change only works after merge to main (A GitHub Actions "feature"). Still able to test in my fork as requested.

I cherry-picked the commit to my fork's main branch and manually ran the workflow here. It succeeded. Had to manually run because it was the first time on the main branch.

I updated the docs/README.md file and pushed to main to ensure the workflow triggered automatically when a push to main in the docs folder occurs. Succeeded also.

Resulting GitHub Pages Docs

Screenshot from first run and deploy: [Screenshot 2026-06-18 at 08 12 10]

Screenshot with my test content change - run and deploy: [Screenshot 2026-06-18 at 08 13 04]

@duncangrist (Contributor) left a comment


These changes are approved, but you won't be able to merge yourself. We're not ready with the contributor merge workflow just yet, but once we are we'll get this one integrated.

Thanks again.

jmeridth added 2 commits June 18, 2026 17:28
Keep SHA-pinned actions/deploy-pages@v5.0.0 over upstream's unpinned
v4 tag reference -- newer version and pinned to SHA for security.

Signed-off-by: jmeridth <jmeridth@gmail.com>