Skip to content

ci: GHA workflow security cleanup#2

Merged
emptyhammond merged 4 commits into
mainfrom
worktree-fixup-workflows
May 28, 2026
Merged

ci: GHA workflow security cleanup#2
emptyhammond merged 4 commits into
mainfrom
worktree-fixup-workflows

Conversation

@emptyhammond
Copy link
Copy Markdown
Contributor

@emptyhammond emptyhammond commented May 27, 2026

Routine hygiene pass over the GitHub Actions workflows in this repo, addressing findings from a workflow security audit. Changes are split into four commits, one per finding type:

  • Disable credential persistence on actions/checkout steps so the default GITHUB_TOKEN is not left in the local git config after checkout.
  • Scope each job's permissions explicitly: top-level permissions: {}, with each job granted only the GITHUB_TOKEN scopes it actually needs (contents: read for CI, contents: write for
    the release job that publishes assets).
  • Disable the actions/setup-go module cache in the release workflow so a poisoned cache from an earlier run can't influence what gets shipped on a tag push. CI test runs keep caching.
  • Pin all third-party actions to commit SHAs (with the tag preserved as a comment) so an upstream tag move can't silently change what runs in CI.

No behavioural changes intended — the workflows run the same checks against the same inputs.

@emptyhammond
ci: disable credential persistence on checkout
0f98a4d 
Set persist-credentials: false on actions/checkout so the default
GITHUB_TOKEN is not left in the local git config after checkout.
@emptyhammond
ci: scope GITHUB_TOKEN permissions per job
a105db7 
Default both workflows to 'permissions: {}' and grant each job only
the GITHUB_TOKEN scopes it actually needs (contents: read for CI,
contents: write for the release job that publishes assets).
@emptyhammond
ci: disable setup-go cache on release runs
45334b3 
Release jobs publish artifacts and run on tag pushes, so a poisoned
Go module cache restored from an earlier run could influence what
gets shipped. Disable caching on actions/setup-go in the release
workflow; CI test runs keep caching enabled.
@emptyhammond
ci: pin third-party actions to commit SHAs
4d75f4e 
Pin actions/checkout, actions/setup-go, and goreleaser-action to
the commit SHA their current major-version tag points to, with the
tag preserved as a comment. Prevents an upstream tag move from
silently changing what runs in CI.
@emptyhammond emptyhammond requested a review from paddybyers May 27, 2026 14:53
@emptyhammond emptyhammond merged commit a8f1c5c into main May 28, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@paddybyers paddybyers Awaiting requested review from paddybyers

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@emptyhammond