
Conversation


@tacaswell tacaswell commented Jul 9, 2025

Apply recommended hardening steps including:

  • pinning to a SHA any actions used
  • not persisting the read token on checkout
  • setting the default permissions to read-only
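As an added illustration, not part of this PR's diff, the following minimal workflow fragment applies the three steps listed above; the commit SHA is a placeholder, and the workflow, job and step names are assumed:

```yaml
# Added example (not from the PR). Each comment notes the weak setting
# the hardened line replaces.
name: ci
on:
  pull_request:
  push:
    branches: [main]

# Was: no top-level `permissions:` key, so every job got the repository's
# default GITHUB_TOKEN scope. Now: read-only by default; a job that needs
# more must request it explicitly.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Was: actions/checkout@v4 (a mutable tag that can be moved).
      # Now: a full 40-character commit SHA, with the version kept in a
      # trailing comment so zizmor and dependency bots can track updates.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # PLACEHOLDER: replace with the audited release's SHA
        with:
          # Was: persist-credentials defaulted to true, leaving the read
          # token in .git/config for every later step in the job.
          persist-credentials: false

      # Local actions in this repo are referenced by path, as in ros.yaml.
      - uses: ./.github/actions/test/

  label:
    # Example of a job that legitimately needs more than read: request the
    # narrowest scope at job level instead of widening the default.
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - run: echo "would label the PR here"
```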

tacaswell added 3 commits July 8, 2025 19:08
This adjusts the defaults per suggestions of zizmor to reduce possible risks from giving GHA tasks more permissions than required.

This eliminates the possibility of a tag being changed under us.

Reduces risk of arbitrary code being run by an attacker.
@tacaswell tacaswell changed the title "CI: Harden GHA configuration" CI: Harden GHA configuration Jul 9, 2025
@maffettone
Collaborator

maffettone commented Jul 9, 2025

The super linter now fails to locate files in the .github/actions/* directories. These are subscripts used for tests and cpp lint. Is this due to the permissions change? I don't see why it would be, but am confused by the error message.

  Error: -09 13:39:51 [ERROR]   Found errors when linting GITHUB_ACTIONS. Exit code: 1.
  2025-07-09 13:39:51 [INFO]   Command output for GITHUB_ACTIONS:
  ------
  .github/workflows/ros.yaml:22:15: file ".github/actions/test/run.sh" does not exist in "/github/workspace/.github/actions/test". it is specified at "entrypoint" key in "runs" section in "Test" action [action]
     |
  22 |         uses: ./.github/actions/test/
     |               ^~~~~~~~~~~~~~~~~~~~~~~
  .github/workflows/ros.yaml:37:15: file ".github/actions/lint/run.sh" does not exist in "/github/workspace/.github/actions/lint". it is specified at "entrypoint" key in "runs" section in "Lint" action [action]
     |
  37 |         uses: ./.github/actions/lint/
     |               ^~~~~~~~~~~~~~~~~~~~~~~
  ------

@tacaswell
Author

One thing that is happening is that superlinter only runs on files that are touched, so if you have not been touching the GHA files, they have not been linted.

My read on this is that the linter and GHA are disagreeing about the root from which to resolve relative paths. It looks like the task is indeed running, but I think the linter is complaining that /github/workspace/.github/actions/lint/.github/actions/lint/run.sh does not exist.
