From 2826b4a6f0e5c642b186a2332450ec0213760dd7 Mon Sep 17 00:00:00 2001
From: Matt Hammond
Date: Wed, 27 May 2026 14:08:56 +0100
Subject: [PATCH 1/3] ci: disable persist-credentials on actions/checkout
Prevents the default GITHUB_TOKEN from being written into the local git config after checkout, where later steps could read or exfiltrate it. This is a routine hardening step following a workflow security audit.
---
 .github/workflows/assemble.yml | 2 ++
 .github/workflows/check.yaml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/assemble.yml b/.github/workflows/assemble.yml
index b4f591f5b..8319af630 100644
--- a/.github/workflows/assemble.yml
+++ b/.github/workflows/assemble.yml
@@ -16,6 +16,8 @@ jobs:
 id-token: write
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: ably/github-event-context-action@v1
 id: context
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
index e4d510383..80fbc34dd 100644
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@@ -11,6 +11,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Read Node.js version
 id: tool-versions
From 35e3dca1ec6f34da31ecba70e29c2225a74c15ef Mon Sep 17 00:00:00 2001
From: Matt Hammond
Date: Wed, 27 May 2026 14:09:33 +0100
Subject: [PATCH 2/3] ci: scope GITHUB_TOKEN permissions per workflow and job
Add a workflow-level permissions: {} default and grant each job only the GITHUB_TOKEN scopes it actually needs (contents: read for checkout in both workflows, plus deployments: write and id-token: write for the build job's preview upload). Follow-up to a workflow security audit; no functional change to the steps themselves.
---
 .github/workflows/assemble.yml | 3 +++
 .github/workflows/check.yaml | 4 ++++
 2 files changed, 7 insertions(+)
diff --git a/.github/workflows/assemble.yml b/.github/workflows/assemble.yml
index 8319af630..45164fa6b 100644
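Review bot: The new `persist-credentials: false` under `actions/checkout@v4` in the assemble.yml hunk carries no comment explaining why it is there, so the next person who adds a step that pushes or fetches a private ref will hit an authentication failure with nothing pointing them back to this line; the check.yaml hunk below has the same gap. I would add `# keep GITHUB_TOKEN out of .git/config; the later steps do not need git auth` above the new `with:` line, adjusting the second clause if a later step in the job does (only the first two steps of each job are visible in these hunks). The setting only controls what checkout writes into the local git config; the build job's `id-token: write` grant visible in the hunk context is unaffected by it.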
--- a/.github/workflows/assemble.yml
+++ b/.github/workflows/assemble.yml
@@ -8,10 +8,13 @@ on:
 tags:
 - 'v*'
+permissions: {}
+
 jobs:
 build:
 runs-on: ubuntu-latest
 permissions:
+ contents: read
 deployments: write
 id-token: write
 steps:
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
index 80fbc34dd..11d4fc049 100644
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@@ -6,9 +6,13 @@ on:
 branches:
 - main
+permissions: {}
+
 jobs:
 check:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v4
 with:
From d49ba343bc0434c48223bb6af629be8f8692fb93 Mon Sep 17 00:00:00 2001
From: Matt Hammond
Date: Wed, 27 May 2026 14:10:17 +0100
Subject: [PATCH 3/3] ci: pin third-party actions to commit SHAs
Replace floating major-version tags (e.g. actions/checkout@v4) with the exact commit SHA they currently resolve to, preserving the version as a trailing comment. This is the standard mitigation for the supply-chain risk of upstream tag moves silently changing what runs in CI, and was flagged by a workflow security audit.
---
 .github/workflows/assemble.yml | 12 ++++++------
 .github/workflows/check.yaml | 4 ++--
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/assemble.yml b/.github/workflows/assemble.yml
index 45164fa6b..e7c9e1156 100644
--- a/.github/workflows/assemble.yml
+++ b/.github/workflows/assemble.yml
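Review bot: The workflow-level `permissions: {}` added in assemble.yml (and again in the check.yaml hunk) is a deny-all default, and a job-level `permissions:` block replaces it rather than merging with it — which is exactly why `contents: read` has to be restated in every job, as this commit does. That rule is easy to forget when a new job is added later, so it is worth recording beside the line: `# deny-all default; each job must list every scope it needs, since a job-level permissions block replaces this one rather than extending it`. In the build job, `deployments: write` and `id-token: write` are carried over from before; the hunk does not show which step consumes `deployments: write`, so I would confirm it is still required by the upload step rather than kept by inertia.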
@@ -18,22 +18,22 @@ jobs:
 deployments: write
 id-token: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 persist-credentials: false
- - uses: ably/github-event-context-action@v1
+ - uses: ably/github-event-context-action@7f2c0aa105a3ee8c531919bdbe98f27c2d261bfe # v1.1.1
 id: context
 - name: Read Node.js version
 id: tool-versions
 run: echo "nodejs=$(grep nodejs .tool-versions | awk '{print $2}')" >> $GITHUB_OUTPUT
- - uses: peaceiris/actions-hugo@v3
+ - uses: peaceiris/actions-hugo@6b1ee2dcc06c9b6629a5317fa0146473914d05e1 # v3
 with:
 hugo-version: 'latest'
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: ${{ steps.tool-versions.outputs.nodejs }}
@@ -49,14 +49,14 @@ jobs:
 HUGO_PARAMS_BUILDCONTEXTTITLE: ${{ steps.context.outputs.title }}
 - if: ${{ github.actor != 'dependabot[bot]' }}
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
 with:
 aws-region: eu-west-2
 role-to-assume: arn:aws:iam::${{ secrets.ABLY_AWS_ACCOUNT_ID_SDK }}:role/ably-sdk-builds-specification
 role-session-name: "${{ github.run_id }}-${{ github.run_number }}"
 - if: ${{ github.actor != 'dependabot[bot]' }}
- uses: ably/sdk-upload-action@v2
+ uses: ably/sdk-upload-action@4e694297f208b72b5a9f6b1248a1556f19f821d6 # v2.2.0
 with:
 sourcePath: build/public
 githubToken: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
index 11d4fc049..1eb0a209d 100644
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@@ -14,7 +14,7 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 persist-credentials: false
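Review bot: Two of the new pins record only a floating major tag in their trailing comment — `- uses: peaceiris/actions-hugo@6b1ee2dcc06c9b6629a5317fa0146473914d05e1 # v3` here and `uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4` in the second hunk — while the other four record the exact release (`# v4.3.1`, `# v1.1.1`, `# v4.4.0`, `# v2.2.0`). That comment is the only human-readable record of what the SHA corresponds to and is what version-update tooling reads when proposing bumps, so these two should name the release the SHA was taken from (a placeholder such as `# v3.<minor>.<patch>` until looked up against the upstream tag). Separately, the context line `hugo-version: 'latest'` under the hugo step means the binary that actually builds the site is still unpinned even though the action now is, so the supply-chain benefit of this hunk is partial until a Hugo version is fixed there. The check.yaml hunks repeat the checkout and setup-node pins with full versions and need no change.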
@@ -22,7 +22,7 @@ jobs:
 id: tool-versions
 run: echo "nodejs=$(grep nodejs .tool-versions | awk '{print $2}')" >> $GITHUB_OUTPUT
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: ${{ steps.tool-versions.outputs.nodejs }}