chore(ci): pin actions to SHAs and restrict default workflow permissions #994
…ssions

Defense-in-depth hardening for the GitHub Actions setup, prompted by review of the TanStack npm supply-chain compromise postmortem (https://tanstack.com/blog/npm-supply-chain-compromise-postmortem).

The repo is not vulnerable to the specific TanStack chain — we use neither pull_request_target nor OIDC trusted publishing — but two residual gaps were closed:

1. Pin every `uses:` reference to a commit SHA (with version comment). Tag-pinning means an action publisher compromise executes attacker code with whatever permissions the surrounding job has, including release.yml where NPM_TOKEN is live.
2. Add `permissions: contents: read` at the workflow level for the PR-triggered workflows (cicd, expo, integration) so GITHUB_TOKEN defaults to read-only.

release.yml is left as-is because changesets/action needs write access and the workflow only runs on push to protected branches. dependabot-changeset.yml already has its own explicit permissions block.

Refs KNO-13133.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit d281b37.
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## main #994 +/- ##
==========================================
+ Coverage 63.38% 63.55% +0.17%
==========================================
Files 208 208
Lines 9957 9924 -33
Branches 1280 1280
==========================================
- Hits 6311 6307 -4
+ Misses 3625 3592 -33
- Partials 21 25 +4
Mirror the defense-in-depth pattern from knocklabs/javascript#994. Locks the default GITHUB_TOKEN to read-only on every PR-triggered workflow so any step that needs write access must opt in explicitly.

Skipped:
- commitlint-pr.yml — already has explicit pull-requests:read
- dependabot-changeset.yml — already has its own explicit block
- release.yml — already added contents:read in prior commit

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Match the parity of knocklabs/javascript#994 — pin actions/checkout, actions/setup-node, and actions/cache to specific commit SHAs with version-tag comments. Same SHAs as the sister PR for the two it covered.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* chore(ci): harden GitHub Actions against supply-chain attacks

  Adjacent hygiene from TanStack npm compromise audit (KNO-13134):
  - Pin third-party actions to commit SHAs (changesets/action, peter-evans/find-comment, peter-evans/create-or-update-comment, amannn/action-semantic-pull-request)
  - Add explicit minimal permissions block to release.yml
  - Drop unused pull_request_target trigger from commitlint-pr.yml
  - Bump stale actions/checkout@v3 and actions/cache@v3 to v4

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(ci): default PR-triggered workflows to contents:read

  Mirror the defense-in-depth pattern from knocklabs/javascript#994. Locks the default GITHUB_TOKEN to read-only on every PR-triggered workflow so any step that needs write access must opt in explicitly.

  Skipped:
  - commitlint-pr.yml — already has explicit pull-requests:read
  - dependabot-changeset.yml — already has its own explicit block
  - release.yml — already added contents:read in prior commit

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(ci): pin first-party actions to commit SHAs

  Match the parity of knocklabs/javascript#994 — pin actions/checkout, actions/setup-node, and actions/cache to specific commit SHAs with version-tag comments. Same SHAs as the sister PR for the two it covered.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(repo): bump node engines 22.x → 24.x

  Node 24 ships npm 11.x, which natively supports trusted publishing via OIDC — prerequisite for KNO-13135. Workflows already read node-version-file: "package.json", so this single change propagates to all CI jobs.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Description
Defense-in-depth hardening for the GitHub Actions setup, prompted by a review of the TanStack npm supply-chain compromise postmortem. Closes KNO-13133.
The repo is not vulnerable to the specific TanStack chain — we use neither `pull_request_target` nor OIDC trusted publishing, and `NPM_TOKEN` is only referenced in `release.yml` which runs on `push` to protected branches. This PR closes the two residual gaps the review surfaced.

1. Pin every `uses:` reference to a commit SHA (with version comment).

Tag-pinning means an action publisher compromise would execute attacker code with whatever permissions the surrounding job has — including `release.yml` where `NPM_TOKEN` is live. SHA pinning is the GitHub-recommended standard.

- actions/checkout: 34e114876b0b11c390a56381ad16ebd13914f8d5
- actions/setup-node: 49933ea5288caeca8642d1e84afbd3f7d6820020
- codecov/codecov-action: 75cd11691c0faa626561e295848008c8a7dddffe
- codecov/test-results-action: 0fa95f0e1eeaafde2c782583b36b28ad0d8c77d3
- expo/expo-github-action: c7b66a9c327a43a8fa7c0158e7f30d6040d2481e
- changesets/action: 63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b

2. Add `permissions: contents: read` at workflow level on the PR-triggered workflows (`cicd.yml`, `expo.yml`, `integration.yml`) so `GITHUB_TOKEN` defaults to read-only. Any job that needs more must opt in explicitly.

Skipped:
- `dependabot-changeset.yml` — already has its own explicit `permissions:` block
- `release.yml` — needs write access for `changesets/action`; runs only on push to protected branches

Checklist
yarn format:check)

🤖 Generated with Claude Code
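
A check that enforces both changes described in this PR, added here as an example (it is not code from this repository): it flags `uses:` references that are not pinned to a 40-character commit SHA and reports whether a workflow sets `permissions:` at workflow level. The function names and both sample workflows are constructed for illustration; the two SHAs are the ones listed in the description above.

```javascript
// Added example: line-based audit of GitHub Actions workflow text (no YAML parser needed).
const SHA_RE = /^[0-9a-f]{40}$/;

// Return every `uses:` reference whose ref after "@" is not a full commit SHA.
function findUnpinnedActions(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    const m = line.match(/^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)/);
    if (!m) return;
    const ref = m[1];
    // Local actions (./path) and docker:// images are not git refs; skipped here.
    if (ref.startsWith("./") || ref.startsWith("docker://")) return;
    const at = ref.lastIndexOf("@");
    if (at === -1 || !SHA_RE.test(ref.slice(at + 1))) findings.push({ line: i + 1, ref });
  });
  return findings;
}

// A workflow-level key starts at column 0; job-level permissions are indented.
function hasWorkflowLevelPermissions(text) {
  return /^permissions:/m.test(text);
}

// Constructed sample: tag-pinned actions, no workflow-level permissions.
const before = `name: example
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
`;

// Constructed sample: SHA-pinned actions and a read-only default token.
const after = `name: example
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # <version tag>
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # <version tag>
`;

console.log(findUnpinnedActions(before), hasWorkflowLevelPermissions(before));
console.log(findUnpinnedActions(after), hasWorkflowLevelPermissions(after));
```

Run against each file under `.github/workflows/` in CI, a non-empty result or a `false` can fail the build so a later edit does not quietly reintroduce a tag pin.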