Skip to content

harden: pin actions + scope CI token#17

Merged
askalf merged 1 commit into
masterfrom
harden/pin-actions
Jul 11, 2026
Merged

harden: pin actions + scope CI token#17
askalf merged 1 commit into
masterfrom
harden/pin-actions

Conversation

@askalf

@askalf askalf commented Jul 11, 2026

Copy link
Copy Markdown
Owner

This repo now enforces SHA-pinning for GitHub Actions, so the mutable-tag uses: refs in CI would fail. This hardens .github/workflows/ci.yml:

  • Pins actions/checkout -> 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 (v7.0.0) and actions/setup-node -> 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e (v6.4.0), which the mutable tags would fail under SHA-pin enforcement.
  • Adds a read-only permissions: contents: read block so the job runs with least privilege.
  • Sets persist-credentials: false on checkout so the GITHUB_TOKEN is not written into .git/config where npm install / npm test lifecycle scripts could read it.

Trigger branches and the install/test steps are unchanged.

@askalf
askalf merged commit a284a61 into master Jul 11, 2026
1 check passed
@askalf
askalf deleted the harden/pin-actions branch July 11, 2026 23:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant