fix(ci): harden workflow security across deploy and release pipelines#1345
Merged
Conversation
- Remove GCP_SA_KEY from GITHUB_ENV in deploy-live and deploy-preview; google-github-actions/auth already exports GOOGLE_APPLICATION_CREDENTIALS via ADC, so the explicit credential export step was unnecessary and exposed the SA JSON in plaintext to all subsequent steps
- Add --ignore-scripts to yarn install in deploy-preview build job to prevent postinstall lifecycle hooks from executing untrusted PR code
- Delete combine-dependabot-prs.yml: workflow was non-functional due to JS syntax errors and depended on an archived third-party action
- Add explicit permissions: contents: read to deploy-live build job
- Replace hardcoded personal git identity in canary-release with github-actions[bot] identity

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Size Change: 0 B. Total Size: 2.2 MB
Visit the preview URL for this PR (updated for commit 868d7d9): https://docusaurus-openapi-36b86--pr1345-mczww90l.web.app (expires Sat, 25 Apr 2026 19:08:34 GMT) 🔥 via Firebase Hosting GitHub Action 🌎 Sign: bf293780ee827f578864d92193b8c2866acd459f
Summary

Security hardening for CI/CD workflows based on security triage findings.

- Removed `GCP_SA_KEY` export to `GITHUB_ENV` in `deploy-live.yml` and `deploy-preview.yml`. The `google-github-actions/auth` action already exports `GOOGLE_APPLICATION_CREDENTIALS` via Application Default Credentials (ADC); the explicit `echo "GCP_SA_KEY=$(cat ...)" >> $GITHUB_ENV` step was redundant and exposed the full service account JSON in plaintext to every subsequent step and action in the job.
- Added `--ignore-scripts` to `yarn --prefer-offline` in the `deploy-preview.yml` build job. The build job checks out PR head code (untrusted) after an environment gate approval, then runs `yarn install`. Without `--ignore-scripts`, a malicious `postinstall` hook in a PR's `package.json` would execute in the runner. This flag prevents lifecycle scripts from running during install without breaking the build.
- Deleted `combine-dependabot-prs.yml`. The workflow was non-functional: it contained JavaScript syntax errors (unmatched braces, single-quoted template literals that didn't expand), used an archived third-party action (`machine-learning-apps/actions-app-token`) with no security update path, and used stale v3 action versions. Removing it eliminates the archived action supply chain risk.
- Added `permissions: contents: read` to the `build` job in `deploy-live.yml`, making the permission scope explicit rather than defaulting to repository settings.
- Replaced the hardcoded personal git identity (Steven Serrata / sserrata@paloaltonetworks.com) in `canary-release.yml` with the standard `github-actions[bot]` identity.

Test plan

- [ ] `deploy-preview` workflow triggers on a test PR and Firebase preview deploys successfully without `firebaseServiceAccount` input (ADC via WIF)
- [ ] `deploy-live` workflow triggers on merge to main and deploys successfully

🤖 Generated with Claude Code
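The following workflow is an added example written for this page; it is not the project's own `deploy-preview.yml` or `canary-release.yml`. It shows the weak settings described in the Summary as comments next to the hardened form, with the Workload Identity Federation provider, service account e-mail, Firebase project id and environment name all being placeholders. The `echo ... >> $GITHUB_ENV` line is quoted as the PR describes it, with the elided path left as is.

```yaml
# Added example (not the project's workflow): a preview-deploy job hardened along
# the lines of this PR, plus a release job using the Actions bot identity.
name: deploy-preview (hardened example)

on:
  pull_request_target:
    types: [opened, synchronize, reopened]
  push:
    branches: [main]

# Default-deny at the workflow level; each job opts in to exactly what it needs.
permissions: {}

jobs:
  build:
    if: github.event_name == 'pull_request_target'
    runs-on: ubuntu-latest
    # Environment gate (placeholder name): a maintainer approves before untrusted
    # PR code runs in a job that holds cloud credentials.
    environment: preview
    permissions:
      contents: read   # explicit, rather than inherited from repository defaults
      id-token: write  # required for Workload Identity Federation; no SA key JSON anywhere
    steps:
      - uses: actions/checkout@v4
        with:
          # PR head code is untrusted; nothing in it should be able to read a credential.
          ref: ${{ github.event.pull_request.head.sha }}

      # BEFORE (the step this PR removes) appended the full service-account JSON to
      # GITHUB_ENV, so every later step and third-party action saw it as $GCP_SA_KEY:
      #   - run: echo "GCP_SA_KEY=$(cat ...)" >> $GITHUB_ENV
      # AFTER: the auth action already exports GOOGLE_APPLICATION_CREDENTIALS, which is
      # all Application Default Credentials needs, so there is nothing to export by hand.
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          # Placeholder pool/provider and service-account identifiers.
          workload_identity_provider: projects/123456789012/locations/global/workloadIdentityPools/github/providers/github
          service_account: preview-deployer@example-project.iam.gserviceaccount.com

      # Check that ADC is wired up and that the raw key did not land in the job environment.
      - name: Verify credential handling
        run: |
          test -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" || { echo "ADC not configured"; exit 1; }
          test -z "${GCP_SA_KEY:-}" || { echo "service-account JSON leaked into GITHUB_ENV"; exit 1; }

      # BEFORE: `yarn --prefer-offline` would run any postinstall hook declared in the
      # PR's package.json (or in a dependency the PR adds) on this runner.
      # AFTER: --ignore-scripts skips lifecycle scripts during install.
      - run: yarn install --prefer-offline --ignore-scripts
      - run: yarn build

      - uses: FirebaseExtended/action-hosting-deploy@v0
        with:
          repoToken: ${{ secrets.GITHUB_TOKEN }}
          projectId: example-project   # placeholder
          channelId: pr-${{ github.event.pull_request.number }}
          # No firebaseServiceAccount input: the deploy picks up ADC from the auth step.

  canary-release:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: write  # this job pushes a release commit, so it needs write
    steps:
      - uses: actions/checkout@v4
      # Commit as the Actions bot instead of a hardcoded personal name and e-mail.
      - run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
```

Two caveats a reviewer should keep in mind. `--ignore-scripts` only stops install-time lifecycle hooks; `yarn build` still executes whatever the PR's build configuration and source contain, and because the job checks out the PR head under `pull_request_target`, that code runs with the job's ADC credential file readable, so the environment gate, not the flag, is the control that keeps untrusted code away from the service account. The flag also disables legitimate `postinstall` steps of dependencies (native module builds, for instance); the PR states this project's build tolerates that, which should be re-verified whenever a dependency with a postinstall hook is added.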