Skip to content

build: SHA-pin GitHub Actions for supply-chain security#151

Open
jimisola wants to merge 1 commit intomainfrom
build/pin-github-actions
Open

build: SHA-pin GitHub Actions for supply-chain security#151
jimisola wants to merge 1 commit intomainfrom
build/pin-github-actions

Conversation

@jimisola
Copy link
Member

@jimisola jimisola commented Mar 7, 2026

Summary

Pin GitHub Actions to exact commit SHAs instead of floating branch/tag references:

  • reqstool/.github/...@main → SHA-pinned to current main commit

🤖 Generated with Claude Code

build: SHA-pin GitHub Actions for supply-chain security
2c2e6fe 
Pin external action references to exact commit SHAs instead of
branch or major-version tags to prevent supply-chain attacks.

Signed-off-by: jimisola <jimisola@jimisola.com>
@jimisola jimisola self-assigned this Mar 7, 2026
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 7, 2026
View reviewed changes
.github/workflows/check-semantic-pr.yml
jobs:
check:
uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@main
uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@33502e31f66fb7e982f48f50e3c6c29b0410a017 # main 2026-03-07

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 9 days ago

To fix the problem, add an explicit permissions block that grants only the minimal privileges needed for this workflow. Since this workflow only delegates to a reusable workflow that checks PR titles (a read-only operation in most setups), the conservative and generally correct choice is to set contents: read at the workflow root so it applies to all jobs, including the check job. This follows GitHub’s recommendation for least-privilege defaults and satisfies CodeQL’s requirement that permissions be explicit.

Concretely, in .github/workflows/check-semantic-pr.yml, insert a permissions: section after the on: block (for example after line 6–7) with contents: read. This will ensure GITHUB_TOKEN is limited to read-only access to repository contents for this workflow. No imports or additional methods are required, as this is purely a YAML configuration change. Existing functionality (reusing the external workflow) will continue to work, as such semantic checks typically do not need write permissions.

Suggested changeset 1
.github/workflows/check-semantic-pr.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/check-semantic-pr.yml
--- a/.github/workflows/check-semantic-pr.yml
+++ b/.github/workflows/check-semantic-pr.yml
@@ -5,6 +5,9 @@
   pull_request_target:
     types: [opened, edited, synchronize, reopened]
 
+permissions:
+  contents: read
+
 jobs:
   check:
     uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@33502e31f66fb7e982f48f50e3c6c29b0410a017 # main 2026-03-07
EOF
@@ -5,6 +5,9 @@
pull_request_target:
types: [opened, edited, synchronize, reopened]

permissions:
contents: read

jobs:
check:
uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@33502e31f66fb7e982f48f50e3c6c29b0410a017 # main 2026-03-07
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@jimisola jimisola

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jimisola