Skip to content

Harden actions fork guard#271

Merged
moodyjmz merged 1 commit into
mainfrom
ci/harden-actions-fork-guard
Jul 6, 2026
Merged

Harden actions fork guard#271
moodyjmz merged 1 commit into
mainfrom
ci/harden-actions-fork-guard

Conversation

@MonaAghili

Copy link
Copy Markdown
Contributor

Close #266

Summary

  • Block fork pull requests from reaching the self-hosted e2e runner in build.yml, instead of
    relying on an incidental clone-token failure as the only backstop
  • Pin 4 floating action references (action-gh-release, docker/login-action, actions/setup-node,
    actions/upload-artifact) to exact commit SHAs so a compromised upstream tag can't silently change
    what code runs in this pipeline
  • Drop persist-credentials: false on the e2e job's checkout — no step in that job needs to push
    back to the repo, so there's no reason to leave the token on disk
  • Add zizmor as a dedicated GitHub Actions security linter, running on any push/PR that touches
    .github/workflows/** and uploading results to the repo's Security tab

Why

Reviewing this repo's CI/CD setup surfaced a few gaps worth closing regardless of any specific
incident: the self-hosted e2e job was only incidentally unreachable from fork PRs, four actions were
pinned to mutable tags rather than fixed commits, and there was no automated security linting on
workflow changes going forward. This closes those gaps and documents what's left.

Test plan

  • actionlint .github/workflows/build.yml — no new errors
  • Confirm a same-repo PR still triggers the e2e job (self-hosted) as before
  • Confirm a fork PR's e2e job shows as skipped, not action_required-gated
  • Confirm the new zizmor workflow runs successfully on this PR and reports results (check the
    Actions tab / Security tab for this run)
  • Confirm build.yml's existing behavior (Docker build/push, release upload, Playwright report
    upload) is unaffected — no functional changes, only pin format and added guard conditions

@MonaAghili MonaAghili requested a review from moodyjmz July 3, 2026 12:41
@MonaAghili MonaAghili requested a review from a team as a code owner July 3, 2026 12:41
@MonaAghili MonaAghili requested review from juliusknorr and removed request for a team July 3, 2026 12:41
@MonaAghili MonaAghili force-pushed the ci/harden-actions-fork-guard branch from 9ae965e to e7ee6db Compare July 3, 2026 12:47
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Comment thread .github/workflows/build.yml Dismissed
Comment thread .github/workflows/build.yml Dismissed
@MonaAghili MonaAghili force-pushed the ci/harden-actions-fork-guard branch from e7ee6db to 2de91ae Compare July 3, 2026 12:50
@moodyjmz

moodyjmz commented Jul 3, 2026

Copy link
Copy Markdown
Member

Scope heads-up: after the rebase this PR is 8 files, but 6 of them (+539 of 580 added lines, ~93%) come from commit 5906f7e "feat: add front hot-reload development mode"develop/Makefile, develop/setup/ds-docservice-dev.conf, and develop/setup/livereload-tools/. That is unrelated to the CI fork-guard / action-pinning work in the title.

The actual hardening change is just build.yml + zizmor.yml (41 lines). Could 5906f7e be split into its own PR? The CI change is a tight security fix and would be much easier to review and land on its own.

Signed-off-by: Mona LatifAghili <mlatifaghili@arsys.es>
@MonaAghili MonaAghili force-pushed the ci/harden-actions-fork-guard branch from 2de91ae to b755528 Compare July 3, 2026 12:54
@moodyjmz moodyjmz merged commit 0b58db7 into main Jul 6, 2026
10 checks passed
@moodyjmz moodyjmz deleted the ci/harden-actions-fork-guard branch July 6, 2026 18:40
@github-project-automation github-project-automation Bot moved this from 📄 To do to ☑️ Done in 📄 Euro-Office team Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: ☑️ Done

Development

Successfully merging this pull request may close these issues.

Harden GitHub Actions CI configuration

3 participants