Skip to content

build: SHA-pin GitHub Actions for supply-chain security#41

Open
jimisola wants to merge 1 commit intomainfrom
build/pin-github-actions
Open

build: SHA-pin GitHub Actions for supply-chain security#41
jimisola wants to merge 1 commit intomainfrom
build/pin-github-actions

Conversation

@jimisola
Copy link
Member

@jimisola jimisola commented Mar 7, 2026

Summary

Pin GitHub Actions to exact commit SHAs instead of floating branch/tag references:

  • reqstool/.github/...@main → SHA-pinned to current main commit

🤖 Generated with Claude Code

build: SHA-pin GitHub Actions for supply-chain security
0856a47 
Pin external action references to exact commit SHAs instead of
branch or major-version tags to prevent supply-chain attacks.

Signed-off-by: jimisola <jimisola@jimisola.com>
@jimisola jimisola self-assigned this Mar 7, 2026
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 7, 2026
View reviewed changes
.github/workflows/check-semantic-pr.yml
jobs:
check:
uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@main
uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@33502e31f66fb7e982f48f50e3c6c29b0410a017 # main 2026-03-07

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI about 12 hours ago

In general, the fix is to explicitly set GitHub Actions permissions for the GITHUB_TOKEN at the least level required. Since this workflow only triggers on pull request events and delegates its work to a reusable workflow, a safe minimal starting point is to set contents: read at the workflow root level, which restricts the token while still allowing typical read operations needed for checks. If the reusable workflow needs broader permissions, those can be added later; starting with read-only is aligned with the recommendation you provided.

Concretely, in .github/workflows/check-semantic-pr.yml, add a top-level permissions: block between the on: block and the jobs: block. This block will then apply to all jobs that do not specify their own permissions, including jobs.check. No imports or extra definitions are needed, as this is purely a YAML configuration change. The rest of the workflow (the uses: reference to the reusable workflow and triggers) remains unchanged.

Suggested changeset 1
.github/workflows/check-semantic-pr.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/check-semantic-pr.yml
--- a/.github/workflows/check-semantic-pr.yml
+++ b/.github/workflows/check-semantic-pr.yml
@@ -5,6 +5,9 @@
   pull_request_target:
     types: [opened, edited, synchronize, reopened]
 
+permissions:
+  contents: read
+
 jobs:
   check:
     uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@33502e31f66fb7e982f48f50e3c6c29b0410a017 # main 2026-03-07
EOF
@@ -5,6 +5,9 @@
pull_request_target:
types: [opened, edited, synchronize, reopened]

permissions:
contents: read

jobs:
check:
uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@33502e31f66fb7e982f48f50e3c6c29b0410a017 # main 2026-03-07
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@jimisola jimisola

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jimisola