Skip to content

ci: harden CI/CD pipeline security#58

Open
ryanrishi wants to merge 1 commit into
mainfrom
secure-pipelines
Open

ci: harden CI/CD pipeline security#58
ryanrishi wants to merge 1 commit into
mainfrom
secure-pipelines

Conversation

@ryanrishi
Copy link
Copy Markdown
Contributor

@ryanrishi ryanrishi commented Jun 2, 2026

Summary

  • Pin all GitHub Actions to commit SHAs in CI workflow (prevents tag hijacking attacks)
  • Add top-level permissions: contents: read to CI workflow (least privilege)
  • Add if: github.repository_owner == 'twilio' guard to deploy workflow (prevents fork abuse)
  • Add github-actions ecosystem to dependabot configuration
  • Add --exclude-newer quarantine (2-day) to all uv sync commands in CI (blocks recently-published packages)

Test plan

  • CI passes on this branch
  • Verify dependabot picks up the github-actions ecosystem
  • Confirm --exclude-newer doesn't break installs (lockfile deps are all > 2 days old)

🤖 Generated with Claude Code

@ryanrishi @claude
ci: harden CI/CD pipeline security
d37f37e 
- Pin all GitHub Actions to commit SHAs in CI workflow
- Add top-level permissions: contents: read to CI
- Add repository owner guard to deploy workflow
- Add github-actions ecosystem to dependabot
- Add --exclude-newer quarantine (2-day) to uv sync in CI

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 2, 2026 20:20
Copilot AI reviewed Jun 2, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the repository’s CI/CD posture by tightening GitHub Actions supply-chain security and minimizing default token permissions, while adding a Dependabot configuration to keep pinned actions up to date.

Changes:

  • Pin GitHub Actions in the CI workflow to specific commit SHAs and add top-level least-privilege permissions: contents: read.
  • Add a 2-day package “quarantine” to CI installs by applying uv sync --exclude-newer with a computed cutoff timestamp.
  • Prevent deploy workflow job execution outside the upstream org by guarding jobs with if: github.repository_owner == 'twilio', and enable Dependabot updates for github-actions.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
.github/workflows/deploy.yml Adds an org-owner guard to prevent fork-triggered deploy workflow execution.
.github/workflows/ci.yml Pins actions to SHAs, restricts workflow token permissions, and adds uv sync --exclude-newer quarantine behavior.
.github/dependabot.yml Adds github-actions ecosystem updates so pinned SHAs can be maintained automatically.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@ryanrouleau ryanrouleau ryanrouleau approved these changes

@xinghaohuang91 xinghaohuang91 xinghaohuang91 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ryanrishi @ryanrouleau @xinghaohuang91