[SECURITY] Harden GitHub workflows #346
Signed-off-by: John McCall <john@overturemaps.org>
Update CI/CD workflows to pin actions to specific commit SHAs and tighten behavior. Added concurrency groups to avoid overlapping runs, adjusted permissions (including id-token for OIDC, pages, and super-linter-specific rights), and moved some job-level permissions into the jobs that need them. Replaced direct uses of expressions in shell strings with explicit env variables (e.g. PR_HEAD_SHA, GITHUB_EVENT_NUMBER) to avoid quoting issues, and updated several action references (checkout, setup-node, configure-pages, upload/download artifacts, deploy-pages, aws credentials, super-linter, etc.) to stable SHAs for reproducibility and security.
Signed-off-by: John McCall <john@overturemaps.org>
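The changes that commit message lists, shown as an added illustration rather than the repository's own workflow: a single deploy job with each weak pattern quoted in a comment above its hardened form. The commit SHA placeholders, the IAM role ARN and the deploy script path are assumptions made up for this example; the version comments match the releases named in this PR.

```yaml
# Added illustration, not the OvertureMaps/docs workflow itself: one deploy job
# with the weak pattern each zizmor finding targets quoted above its fix.
# SHA placeholders, the role ARN and the script path are made up for this example.
name: staging-deploy

on:
  pull_request:

# Hardened: one run per ref; a newer push cancels the stale run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Hardened: no GITHUB_TOKEN rights at workflow level; jobs opt in below.
permissions: {}

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Hardened: only this job holds the rights it needs (OIDC token for AWS).
    permissions:
      contents: read
      id-token: write
    steps:
      # Weak:     uses: actions/checkout@v6   (a tag can be moved to new code)
      # Hardened: full commit SHA, version kept as a comment for Dependabot
      - uses: actions/checkout@<40-hex-commit-sha-placeholder> # v6.0.2
        with:
          persist-credentials: false   # token is not written into .git/config

      - uses: aws-actions/configure-aws-credentials@<40-hex-commit-sha-placeholder> # v6.1.0
        with:
          role-to-assume: arn:aws:iam::123456789012:role/example-deploy  # placeholder
          aws-region: us-east-1

      # Weak: the expression is substituted into the script text before bash
      # runs it, so the value's own quoting shapes the command:
      #   run: echo "Deploying ${{ github.event.pull_request.head.sha }}"
      # Hardened: expose the values as env vars; bash then reads them as data.
      - name: Deploy preview
        env:
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          GITHUB_EVENT_NUMBER: ${{ github.event.number }}
        run: |
          echo "Deploying $PR_HEAD_SHA for PR #$GITHUB_EVENT_NUMBER"
          ./scripts/deploy_preview.sh "$PR_HEAD_SHA" "$GITHUB_EVENT_NUMBER"
```

Pinning by SHA only helps if the pin is checked: a tool such as zizmor, run in CI as this PR sets up, flags any `uses:` reference that is not a full commit SHA.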
Super-linter summary: All files and directories linted successfully. For more information, see the GitHub Actions workflow run. Powered by Super-linter.
🗺️ OMF Docs previews are live!
Auto-gen schema site is now available. This is an early preview of a future workflow where we will automatically generate and publish reference docs for the Overture Maps Format schema with every change to the schema repo. Note ♻️ This preview updates automatically with each push to this PR.
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation.
Pull request overview
This PR hardens the repository’s GitHub Actions and automation config in response to zizmor findings, primarily by pinning action dependencies, reducing token permissions, and adding concurrency controls to reduce workflow attack surface and improve safety.
Changes:
- Pin GitHub Actions to full commit SHAs and disable credential persistence where applicable.
- Scope GITHUB_TOKEN permissions to the minimum required per workflow/job and add concurrency groups to avoid overlapping runs.
- Update Dependabot configuration to include a cooldown period for update PRs.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/staging_deploy.yaml | Pins actions, scopes permissions to the deploy job, and refactors runtime interpolation in shell steps. |
| .github/workflows/staging_deploy_cleanup.yaml | Adds concurrency and pins AWS auth action; refactors shell interpolation to use env vars. |
| .github/workflows/production_deploy_documentation.yml | Adds concurrency, pins actions, and scopes Pages/OIDC permissions to the deploy job. |
| .github/workflows/lint.yml | Adds concurrency, pins actions, scopes permissions to the linter job, and disables credential persistence on checkout. |
| .github/dependabot.yml | Adds a cooldown configuration to reduce update PR churn. |
Alex Iannicelli (atiannicelli)
left a comment
Looks good to me after you resolve all the issues flagged
Update action references across CI workflows to newer patch releases for stability and bug fixes: actions/checkout -> v6.0.2, actions/setup-node -> v6.3.0, aws-actions/configure-aws-credentials -> v6.1.0, and actions/download-artifact -> v8.0.1. Changes touch .github/workflows/lint.yml, production_deploy_documentation.yml, staging_deploy.yaml, and staging_deploy_cleanup.yaml.
Signed-off-by: John McCall <john@overturemaps.org>
Signed-off-by: John McCall <john@overturemaps.org>
…ttps://github.com/OvertureMaps/docs into 306-devops-create-omf-ruleset-for-all-public-repos
Signed-off-by: John McCall <john@overturemaps.org>
Signed-off-by: John McCall <john@overturemaps.org>
Resolves 40+ findings from zizmor as workflow security concerns.
After this, the OMF Security Checks required workflow will be enabled to keep a secure baseline (the check is available already on this PR, see below).