
chore(ci): tighten workflow egress and labeling #1072

Merged
komer3 merged 3 commits into main from chore/harden-github-actions-security on May 5, 2026

Conversation

@komer3
Contributor

@komer3 komer3 commented May 4, 2026

Summary

  • switch the build-push harden-runner policy from audit to block
  • update the PR labeler workflow to use release-drafter's supported autolabeler sub-action

komer3 added 2 commits May 4, 2026 12:12
Move step-security/harden-runner ahead of checkout and other executable steps so outbound network controls are active before third-party actions or checked-out code run. Pair that with persist-credentials=false, narrower permissions, and tighter allowlists to reduce the chance that a compromised dependency or misconfigured workflow can reuse the job token or exfiltrate data.

Pin all external GitHub Actions to full SHAs and update them to current stable releases so workflow execution is tied to reviewed commits instead of mutable tags, while Renovate keeps future action updates digest-pinned automatically.

This also keeps maintainer-approved fork PR test paths intact, removes endpoints that are not used by the jobs that declared them, removes the gh-pages container that bypassed Harden Runner before the first step, and leaves the remaining high-variance jobs in audit mode until observed egress can be converted into minimal block-mode allowlists.
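The following workflow fragment is an added illustration of the hardening pattern described in the commit messages above; it is not taken from this PR's diff or from the project's repository. It shows a build-push job in the weaker shape (commented out) beside the hardened one: Harden Runner placed ahead of checkout, `egress-policy` switched from `audit` to `block`, an explicit endpoint allowlist, `persist-credentials: false` on checkout, and a read-only job token. The action SHAs are all-zero placeholders standing in for reviewed full commit SHAs, and the allowlisted hostnames are assumed values that a real job would derive from its own audit-mode observations. The labeler workflow change is not shown.

```yaml
# Added example, not code from this PR. SHAs below are placeholders.
name: build-push

on:
  push:
    branches: [main]

# BEFORE: the ordering and settings the PR moves away from.
# - checkout runs before Harden Runner, so its network activity and the code
#   it fetches execute before any outbound control is active
# - egress-policy: audit only logs connections; nothing is blocked
# - persist-credentials defaults to true, leaving the job token in .git/config
# - no job-level permissions block, so the token carries the default scopes
#
#   jobs:
#     build-push:
#       runs-on: ubuntu-latest
#       steps:
#         - uses: actions/checkout@v4            # mutable tag, not a reviewed commit
#         - uses: step-security/harden-runner@v2 # mutable tag, and too late
#           with:
#             egress-policy: audit
#         - run: make build

# AFTER: Harden Runner first, block mode, minimal allowlist, least-privilege token.
jobs:
  build-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # widen only for a job whose steps actually need more
    steps:
      # 1. Outbound network controls come up before any third-party action or
      #    checked-out code runs, so a compromised dependency cannot phone home.
      - name: Harden runner
        # placeholder SHA: replace with the reviewed full commit SHA and note the tag it corresponds to
        uses: step-security/harden-runner@0000000000000000000000000000000000000000
        with:
          egress-policy: block
          # Assumed allowlist; derive the real one from the job's audit-mode egress log.
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            objects.githubusercontent.com:443

      # 2. Checkout now runs behind the egress policy and does not persist the
      #    job token for later steps to reuse.
      - name: Checkout
        # placeholder SHA: pin to the reviewed full commit SHA
        uses: actions/checkout@0000000000000000000000000000000000000000
        with:
          persist-credentials: false

      - name: Build
        run: make build
```

The useful check after switching a job to `block` is to compare its Harden Runner egress report from a few audit-mode runs against the allowlist: any endpoint the job legitimately needs but that is missing will surface as a blocked connection and a failed step, which is the safe failure direction, while an allowlist that is wider than the observed traffic defeats the point of the change.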
@codecov

codecov Bot commented May 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.15%. Comparing base (c322416) to head (e81ae41).

@@           Coverage Diff           @@
##             main    #1072   +/-   ##
=======================================
  Coverage   69.15%   69.15%           
=======================================
  Files          71       71           
  Lines        6543     6543           
=======================================
  Hits         4525     4525           
  Misses       1724     1724           
  Partials      294      294           


@komer3 komer3 merged commit 05c7417 into main May 5, 2026
15 of 16 checks passed
@komer3 komer3 deleted the chore/harden-github-actions-security branch May 5, 2026 13:58
