
ci: harden GitHub Actions workflows #1402

Merged: sserrata merged 1 commit into main from ci/security-hardening on Apr 9, 2026

Conversation

@sserrata (Member) commented Apr 9, 2026

Summary

Ports the pan.dev post-incident CI hardening checklist to this repo.

  • persist-credentials: false on all actions/checkout steps
  • Pass github.actor / job outputs via env: instead of ${{ }} shell interpolation
  • Constrain artifact extraction with unzip -n build.zip 'demo/build/*'
  • Post-build git diff --exit-code tamper check on deploy-affecting config
  • environment: preview / environment: production on deploy jobs
  • Screenshot cache: restore-only + SHA-pinned on PR path; new trusted writer job on push: main
  • concurrency: group on live deploy
  • Add .github/CODEOWNERS (@PaloAltoNetworks/docusaurus-openapi-maintainers) for build-critical paths
  • Remove obsolete canary-beta-release.yml

Prerequisites

  • preview and production environments created in repo settings
  • @PaloAltoNetworks/docusaurus-openapi-maintainers team has write access to this repo

Test plan

  • Open a PR from a fork → verify analyze_unsafe gates on default env, build runs with no token in .git/config
  • Merge to main → verify live deploy serializes and cache_prod_screenshots populates prod-screenshots-<hash>
  • Subsequent PR → verify visual_diff restores cache (hit)

🤖 Generated with Claude Code

Port the pan.dev post-incident hardening checklist:
- persist-credentials: false on all checkouts
- pass user-controlled context via env vars, not shell interpolation
- constrain artifact unzip to demo/build/*
- post-build tamper diff on deploy-affecting config
- environment: preview/production on deploy jobs
- restore-only, SHA-pinned screenshot cache on PR path; trusted writer on main
- concurrency group on live deploy
- add CODEOWNERS for build-critical paths
- remove obsolete canary-beta-release workflow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
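Added example (not code from this PR or the docusaurus-openapi repository) for the second checklist item, the `${{ }}` interpolation hazard. It emulates what the Actions runner does when it expands an expression inside a `run:` script, then contrasts that with passing the same value through `env:`. The payload and the `TITLE` variable name are constructed for the demo; the PR applies the pattern to `github.actor` and job outputs, while the demo uses `github.event.pull_request.title` because it is the classic free-text field a fork contributor controls.

```shell
#!/usr/bin/env sh
# Added example (not code from PR #1402 or the repository): why
#   run: echo "Title: ${{ github.event.pull_request.title }}"
# is shell injection, and why the same value passed through `env:` is not.
#
# GitHub Actions expands `${{ ... }}` by textual substitution into the step
# script *before* the shell parses it. render_interpolated emulates that
# substitution; run_interpolated then hands the result to a fresh shell,
# as the runner would. `sh -c` is used so the demo is portable; the runner's
# default is bash and the mechanism is identical.

# Constructed attacker-controlled value: a PR title that closes the quoted
# string, appends a command, and reopens the quote so the script stays valid.
MALICIOUS_TITLE='x"; echo $((6*7)); echo "'

# Vulnerable pattern:
#   run: echo "Title: ${{ github.event.pull_request.title }}"
render_interpolated() {
  # %s is exactly what the runner does: paste the value into the script text.
  printf 'echo "Title: %s"\n' "$1"
}

run_interpolated() {
  # The pasted text is now source code; `echo $((6*7))` executes.
  sh -c "$(render_interpolated "$1")"
}

# Hardened pattern (what the PR switches to):
#   env:
#     TITLE: ${{ github.event.pull_request.title }}
#   run: echo "Title: $TITLE"
run_via_env() {
  # The script text is a fixed literal; the value only arrives as the
  # contents of an environment variable and is never re-parsed as shell.
  TITLE="$1" sh -c 'echo "Title: $TITLE"'
}

# Returns 0 when the output proves the payload executed: the value 42
# appears only if the shell actually evaluated $((6*7)).
was_injected() {
  case "$1" in
    *42*) return 0 ;;
    *)    return 1 ;;
  esac
}

# Stand-alone demonstration.
printf '== interpolated (vulnerable) ==\n%s\n' "$(run_interpolated "$MALICIOUS_TITLE")"
printf '== via env (hardened) ==\n%s\n' "$(run_via_env "$MALICIOUS_TITLE")"
```

Run it with `sh`: the vulnerable path prints `42` on its own line (the arithmetic smuggled in through the title ran), the hardened path prints the title text verbatim. This is also why the PR pairs the fix with `persist-credentials: false`: with the checkout default, an injected command in a fork PR job would find the job token in `.git/config`, which is what the test plan's "no token in .git/config" check verifies.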
github-actions bot commented Apr 9, 2026

Size Change: 0 B

Total Size: 2.26 MB

Filename Size
demo/.docusaurus/codeTranslations.json 2 B
demo/.docusaurus/docusaurus.config.mjs 16.3 kB
demo/.docusaurus/globalData.json 69.2 kB
demo/.docusaurus/i18n.json 372 B
demo/.docusaurus/registry.js 100 kB
demo/.docusaurus/routes.js 94.6 kB
demo/.docusaurus/routesChunkNames.json 39.3 kB
demo/.docusaurus/site-metadata.json 1.58 kB
demo/build/assets/css/styles.********.css 171 kB
demo/build/assets/js/main.********.js 664 kB
demo/build/assets/js/runtime~main.********.js 23.2 kB
demo/build/index.html 95.6 kB
demo/build/petstore/add-pet/index.html 30 kB
demo/build/petstore/create-user/index.html 24.7 kB
demo/build/petstore/create-users-with-array-input/index.html 24.8 kB
demo/build/petstore/create-users-with-list-input/index.html 24.8 kB
demo/build/petstore/delete-order/index.html 24.5 kB
demo/build/petstore/delete-pet/index.html 24.8 kB
demo/build/petstore/delete-user/index.html 25 kB
demo/build/petstore/find-pets-by-status/index.html 25.5 kB
demo/build/petstore/find-pets-by-tags/index.html 25.7 kB
demo/build/petstore/get-inventory/index.html 23.8 kB
demo/build/petstore/get-order-by-id/index.html 24.8 kB
demo/build/petstore/get-pet-by-id/index.html 25.6 kB
demo/build/petstore/get-user-by-name/index.html 25.1 kB
demo/build/petstore/login-user/index.html 25.6 kB
demo/build/petstore/logout-user/index.html 24.4 kB
demo/build/petstore/new-pet/index.html 25 kB
demo/build/petstore/pet/index.html 23.2 kB
demo/build/petstore/place-order/index.html 24 kB
demo/build/petstore/schemas/apiresponse/index.html 25.2 kB
demo/build/petstore/schemas/cat/index.html 39 kB
demo/build/petstore/schemas/category/index.html 26.3 kB
demo/build/petstore/schemas/dog/index.html 39.3 kB
demo/build/petstore/schemas/honeybee/index.html 39.3 kB
demo/build/petstore/schemas/id/index.html 23.4 kB
demo/build/petstore/schemas/order/index.html 27.3 kB
demo/build/petstore/schemas/pet/index.html 38.8 kB
demo/build/petstore/schemas/tag/index.html 24.7 kB
demo/build/petstore/schemas/user/index.html 40.7 kB
demo/build/petstore/store/index.html 22.2 kB
demo/build/petstore/subscribe-to-the-store-events/index.html 30.9 kB
demo/build/petstore/swagger-petstore-yaml/index.html 30.9 kB
demo/build/petstore/update-pet-with-form/index.html 25 kB
demo/build/petstore/update-pet/index.html 25.4 kB
demo/build/petstore/update-user/index.html 25 kB
demo/build/petstore/upload-file/index.html 24.8 kB
demo/build/petstore/user/index.html 22.9 kB

compressed-size-action

github-actions bot commented Apr 9, 2026

Visit the preview URL for this PR (updated for commit 4179d3e):

https://docusaurus-openapi-36b86--pr1402-349n1ara.web.app

(expires Thu, 16 Apr 2026 22:02:02 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: bf293780ee827f578864d92193b8c2866acd459f

@sserrata sserrata merged commit 33e84cd into main Apr 9, 2026
11 checks passed
@sserrata sserrata deleted the ci/security-hardening branch April 9, 2026 22:07