Skip to content

github-workflows: Security hardening#143

Merged
ganto merged 7 commits into
mainfrom
feature/workflow-hardening
Jul 3, 2026
Merged

github-workflows: Security hardening#143
ganto merged 7 commits into
mainfrom
feature/workflow-hardening

Conversation

@ganto

@ganto ganto commented Jul 3, 2026

Copy link
Copy Markdown
Owner

No description provided.

dependabot Bot and others added 6 commits July 3, 2026 11:30
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 9.2.1 to 9.3.0.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@v9.2.1...v9.3.0)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-version: 9.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [ko-build/setup-ko](https://github.com/ko-build/setup-ko) from 0.9 to 0.10.
- [Release notes](https://github.com/ko-build/setup-ko/releases)
- [Commits](ko-build/setup-ko@v0.9...v0.10)

---
updated-dependencies:
- dependency-name: ko-build/setup-ko
  dependency-version: '0.10'
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Pass github.repository and PR head SHA through env vars instead of
direct template interpolation into the shell command.
Deny all permissions at the workflow level and grant each job only what
it needs:

- ci: contents:read per job; checks:write for the actionlint job so the
  reviewdog github-pr-check reporter can create check runs (the previous
  pull-requests:read grant didn't serve it)
- e2e: statuses:write only for the status-reporting jobs; the job running
  checked-out test code keeps just contents:read (pull_request_target)
- publish/release: deny at workflow level, existing job grants unchanged
@ganto ganto added the github_actions Pull requests that update GitHub Actions code label Jul 3, 2026
Explain why e2e only runs via manual dispatch gated by commit status,
and why the pull_request_target status-setting job must never execute
PR code, so future changes don't "fix" this into an unsafe auto-run.
@ganto ganto merged commit 34ecd96 into main Jul 3, 2026
22 checks passed
@ganto ganto deleted the feature/workflow-hardening branch July 3, 2026 21:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant