Harden CI/CD supply chain security (#329)

vikrantpuppala · web-flow · commit ec5798856d39 · 2026-03-26T23:56:50.000+05:30
## Summary
- Pin all GitHub Actions to verified commit SHAs (0/6 were pinned
before)
- Add explicit least-privilege `permissions:` blocks to all workflows
- Replace third-party `tisonkun/actions-dco` action with inline DCO
check script (ported from databricks-jdbc)
- Switch runners from `ubuntu-latest` to
`databricks-protected-runner-group`
- Replace `curl | sh` golangci-lint install with `go install` in
Makefile
- Add Dependabot configuration for Go modules and GitHub Actions

## Security findings addressed
Addresses findings from CI/CD supply chain security analysis:
- **Critical**: All GitHub Actions pinned to mutable tags → now
SHA-pinned
- **Critical**: No permissions blocks → explicit least-privilege scoping
- **High**: Third-party DCO action from individual publisher → inline
script
- **High**: curl|sh without checksum → go install
- **Medium**: No Dependabot → automated dependency updates

## Test plan
- [ ] Verify lint job runs successfully with golangci-lint-action
- [ ] Verify DCO check correctly passes for signed commits
- [ ] Verify DCO check correctly fails for unsigned commits
- [ ] Verify build-and-test job completes on protected runner group
- [ ] Verify Dependabot creates initial update PRs

This pull request was AI-assisted by Isaac.

Signed-off-by: Vikrant Puppala &lt;vikrant.puppala@databricks.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: weekly
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
diff --git a/.github/workflows/dco-check.yml b/.github/workflows/dco-check.yml
@@ -1,25 +1,101 @@
 name: DCO Check
 
-on: [pull_request]
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches: [main]
+
+permissions:
+  contents: read
 
 jobs:
-  check:
-    runs-on: ubuntu-latest
+  dco-check:
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: [linux-ubuntu-latest]
+    name: Check DCO Sign-off
     steps:
-      - name: Check for DCO
-        id: dco-check
-        uses: tisonkun/actions-dco@v1.1
-      - name: Comment about DCO status
-        uses: actions/github-script@v6
-        if: ${{ failure() }}
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
-          script: |
-            github.rest.issues.createComment({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: `Thanks for your contribution! To satisfy the DCO policy in our \
-              [contributing guide](https://github.com/databricks/databricks-sql-go/blob/main/CONTRIBUTING.md) \
-              every commit message must include a sign-off message. One or more of your commits is missing this message. \
-              You can reword previous commit messages with an interactive rebase (\`git rebase -i main\`).`
-            })
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+      - name: Add upstream remote (for forks)
+        run: |
+          if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
+            echo "This is a fork, adding upstream remote"
+            git remote add upstream https://github.com/${{ github.repository }}.git
+            git fetch upstream ${{ github.event.pull_request.base.ref }}
+          else
+            echo "This is not a fork, using origin"
+          fi
+
+      - name: Check DCO Sign-off
+        run: |
+          #!/bin/bash
+          set -e
+
+          BASE_SHA="${{ github.event.pull_request.base.sha }}"
+          HEAD_SHA="${{ github.event.pull_request.head.sha }}"
+
+          echo "Checking commits from $BASE_SHA to $HEAD_SHA"
+
+          if ! git cat-file -e "$BASE_SHA" 2>/dev/null; then
+            echo "Error: Base commit $BASE_SHA not found"
+            echo "Trying to fetch from upstream..."
+            if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
+              git fetch upstream ${{ github.event.pull_request.base.ref }}
+            else
+              git fetch origin ${{ github.event.pull_request.base.ref }}
+            fi
+          fi
+
+          if ! git cat-file -e "$HEAD_SHA" 2>/dev/null; then
+            echo "Error: Head commit $HEAD_SHA not found"
+            exit 1
+          fi
+
+          COMMITS=$(git rev-list --no-merges "$BASE_SHA..$HEAD_SHA")
+
+          if [ -z "$COMMITS" ]; then
+            echo "No commits found in this PR"
+            exit 0
+          fi
+
+          FAILED_COMMITS=()
+
+          for commit in $COMMITS; do
+            echo "Checking commit: $commit"
+            COMMIT_MSG=$(git log --format=%B -n 1 "$commit")
+            if echo "$COMMIT_MSG" | grep -q "^Signed-off-by: "; then
+              echo "  Commit $commit has DCO sign-off"
+            else
+              echo "  Commit $commit is missing DCO sign-off"
+              FAILED_COMMITS+=("$commit")
+            fi
+          done
+
+          if [ ${#FAILED_COMMITS[@]} -ne 0 ]; then
+            echo ""
+            echo "DCO Check Failed!"
+            echo "The following commits are missing the required 'Signed-off-by' line:"
+            for commit in "${FAILED_COMMITS[@]}"; do
+              echo "  - $commit: $(git log --format=%s -n 1 "$commit")"
+            done
+            echo ""
+            echo "To fix this, you need to sign off your commits. You can:"
+            echo "1. Add sign-off to new commits: git commit -s -m 'Your commit message'"
+            echo "2. Amend existing commits: git commit --amend --signoff"
+            echo "3. For multiple commits, use: git rebase --signoff HEAD~N (where N is the number of commits)"
+            echo ""
+            echo "The sign-off should be in the format:"
+            echo "Signed-off-by: Your Name <your.email@example.com>"
+            echo ""
+            echo "For more details, see CONTRIBUTING.md"
+            exit 1
+          else
+            echo ""
+            echo "All commits have proper DCO sign-off!"
+          fi
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -6,23 +6,28 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: [linux-ubuntu-latest]
 
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Set up Go Toolchain
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
         with:
           go-version: '1.20.x'
           cache: false
 
       - name: Lint
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@d6238b002a20823d52840fda27e2d4891c5952dc # v4
         with:
           version: 'v1.51'
   build-and-test:
@@ -31,20 +36,22 @@ jobs:
       matrix:
         go-version: [1.20.x]
         os: [ubuntu-latest]
-    runs-on: ${{ matrix.os }}
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: [linux-ubuntu-latest]
 
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Set up Go Toolchain
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
         with:
           go-version: ${{ matrix.go-version }}
           cache: false
 
       - name: Cache Go artifacts
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: |
             ~/go/pkg/mod
diff --git a/Makefile b/Makefile
@@ -35,7 +35,7 @@ help:  ## Show this help.
 all: gen fmt lint test coverage  ## format and test everything
 
 bin/golangci-lint: go.mod go.sum
-	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b ./bin v1.48.0
+	GOBIN=$(pwd)/bin go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.51.0
 
 bin/gotestsum: go.mod go.sum
 	@mkdir -p bin/
