Skip to content

ci: harden CI workflows with environment-based protection#476

Merged
carlosmmatos merged 3 commits intomainfrom
ci/harden-workflows
Feb 3, 2026
Merged

ci: harden CI workflows with environment-based protection#476
carlosmmatos merged 3 commits intomainfrom
ci/harden-workflows

Conversation

@carlosmmatos
Copy link
Contributor

@carlosmmatos carlosmmatos commented Jan 30, 2026
edited
Loading

Summary

This PR hardens CI workflows against supply chain attacks by replacing pull_request_target with environment-based secret gating.

Security Improvements

  • Eliminated pull_request_target attack surface - Removed from 10 workflows that were vulnerable to malicious fork PRs
  • Environment-based secret gating - PRs require approval before accessing secrets
  • Explicit SHA passing - Prevents confused deputy attacks by passing github.event.pull_request.head.sha explicitly
  • SHA-pinned actions - All third-party actions pinned to full SHA with version comments
  • Centralized audit surface - Security logic consolidated into 3 reusable workflows

This ensures:

  • Fork PRs cannot exfiltrate secrets - Malicious code in a PR cannot access FALCON_CLIENT_ID etc. without maintainer approval
  • Trusted contexts remain efficient - Push to main and scheduled runs don't require manual intervention

Files Changed

New Reusable Workflows

  • .github/workflows/reusable-molecule-test-linux.yml - Linux molecule testing
  • .github/workflows/reusable-molecule-test-windows.yml - Windows molecule testing
  • .github/workflows/reusable-container-sensor-pull.yml - Container sensor pull

Modified Caller Workflows (10 total)

  • bash_install.yml, bash_install_decrement.yml, bash_install_only.yml, bash_install_policy.yml, bash_migrate.yml
  • pwsh_install_ccid.yml, pwsh_install_policy.yml, pwsh_migrate.yml, pwsh_uninstall.yml
  • container_sensor_pull.yml

Other Hardening

  • SHA-pinned actions in docs.yml, psscriptanalyzer.yml, release.yml, shell_format.yml, shellcheck.yml, stale.yml

@carlosmmatos
ci: initial hardening steps
9ae4f25
@carlosmmatos
ci: replace pull_request_target with environment-based protection
543db18 
- Convert 10 workflows from pull_request_target to pull_request trigger
- Create 3 reusable workflows with centralized test logic:
  - reusable-molecule-test-linux.yml
  - reusable-molecule-test-windows.yml
  - reusable-container-sensor-pull.yml
- Add environment protection (molecule-testing) for PR secret access
- Update actions/checkout to v5.0.1 (SHA pinned)
- Fix psscriptanalyzer action pinning from main to v1.1
- Add CODEOWNERS file with falcon-scripts-cs-maintainers

Security improvements:
- Eliminates pull_request_target risks from fork PRs
- Environment approval gates secret access for external contributors
- All actions properly SHA-pinned with version comments
- PR SHA passed explicitly to prevent confusion attacks
@carlosmmatos
lint: fix shellcheck findings
d4928fc
@carlosmmatos carlosmmatos merged commit 934f207 into main Feb 3, 2026
9 checks passed
@carlosmmatos carlosmmatos deleted the ci/harden-workflows branch February 3, 2026 18:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@qduong-cs qduong-cs qduong-cs approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@carlosmmatos @qduong-cs