Harden GitHub Actions against supply-chain attacks #177
Merged
- Pin all actions to full commit SHAs (mutable tags like @v6/@v1 can be repointed at malicious code, as in the tj-actions/changed-files CVE). changesets/action@v1 was a branch ref, not even a tag.
- bun install: add --frozen-lockfile everywhere; --ignore-scripts in the privileged release job so dependency lifecycle scripts (the Shai-Hulud propagation vector) can't run alongside id-token:write.
- snapshot.yml: gate the /snapshot comment trigger on author_association (OWNER/MEMBER/COLLABORATOR) + startsWith, so it isn't triggerable by arbitrary users.
- Trim permissions: drop unused issues:write from publish.yml; replace dead top-level pull-requests:write in linters.yml with contents:read.
Replaces the third-party checks-action (only used to post a friendly "files aren't formatted" message) with a native $GITHUB_STEP_SUMMARY write. No third-party dependency, no GITHUB_TOKEN, and lets us drop the checks:write permission from the lint job. The job still fails via the existing git diff --exit-code step.
Hardens our CI against the supply-chain attack patterns going around (Shai-Hulud worm, the `tj-actions/changed-files` token theft, and the `pull_request_target` + malicious `.claude/settings.json` hook that hit `aidenybai/million` and TanStack).

Audit results

- `pull_request_target` anywhere (the vector that hit Million/TanStack)
- `.claude/` editor hook; `.vscode/settings.json` only sets the Prettier formatter
- `.npmrc` / npm token — we publish via OIDC provenance (`id-token: write` + `NPM_CONFIG_PROVENANCE`), so the "npm invalidated all tokens" event doesn't affect us

Changes

- `@v6` are mutable and can be repointed at malicious code — `changesets/action@v1` was actually a branch ref, running in our publish job with `id-token: write`.
- `bun install` — `--frozen-lockfile` everywhere (install exactly the reviewed lockfile), plus `--ignore-scripts` in the privileged release job so dependency lifecycle scripts (the Shai-Hulud propagation vector) can't run next to publish credentials.
- `/snapshot` trigger in `snapshot.yml` on `author_association` (OWNER/MEMBER/COLLABORATOR) + `startsWith`, so it's no longer triggerable by arbitrary commenters.
- `issues: write` from `publish.yml`; replace the dead top-level `pull-requests: write` in `linters.yml` with `contents: read`.
- `LouisBrunner/checks-action` in favor of a native `$GITHUB_STEP_SUMMARY` write — no third-party dep, no token, and drops `checks: write` from the lint job.

🤖 Generated with Claude Code
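A check that keeps the pinning and `bun install` rules from regressing, as an added example that is not part of this PR or the project's code. The sample workflow, `example-org/pinned-action`, its SHA and the rule names are constructed; the scan is line-based, and the `id-token: write` test is a file-level approximation rather than per-job.

```python
import re

# Constructed sample workflow, not taken from the PR; the 40-hex SHA and
# example-org/pinned-action are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  publish:
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v6
      - uses: changesets/action@v1
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: ./.github/actions/local
      - run: bun install
      - run: bun install --frozen-lockfile --ignore-scripts
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
BUN_INSTALL_RE = re.compile(r"\bbun\s+install\b.*")


def audit_workflow(text):
    """Return (line_number, rule, detail) findings for one workflow file."""
    findings = []
    # File-level approximation: any OIDC grant makes every install "privileged".
    privileged = re.search(r"^\s*id-token:\s*write\b", text, re.M) is not None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        uses = USES_RE.match(line)
        if uses:
            ref = uses.group(1)
            # Local actions and docker:// images carry no Git ref to pin.
            if ref.startswith(("./", "docker://")):
                continue
            rev = ref.partition("@")[2]
            if not FULL_SHA_RE.fullmatch(rev):
                findings.append((lineno, "unpinned-action", ref))
            continue
        install = BUN_INSTALL_RE.search(line)
        if install:
            cmd = install.group(0)
            if "--frozen-lockfile" not in cmd:
                findings.append((lineno, "no-frozen-lockfile", cmd))
            if privileged and "--ignore-scripts" not in cmd:
                findings.append((lineno, "scripts-with-id-token", cmd))
    return findings
```

A full 40-character SHA passes only as a format check; whether that commit is the reviewed one still has to be confirmed against the action's repository.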