Harden github action #1766
Conversation
Pull request overview
This PR hardens GitHub Actions workflows by reducing credential persistence during checkouts and tightening a few workflow inputs/env usages.
Changes:
- Disable checkout credential persistence (`persist-credentials: false`) in multiple jobs.
- Quote the Go version string in the VulnDB workflow.
- Adjust the release job to use runner env vars for `GITHUB_REF` and pass the tag output via `env`, plus disable `setup-go` caching there.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/vulndb.yaml | Disables persisted checkout credentials and normalizes go-version formatting. |
| .github/workflows/devguard-scanner.yaml | Disables persisted checkout credentials in multiple jobs and tweaks the release job’s tag/build flag handling. |
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| persist-credentials: false | ||
|
|
||
| - name: Set up Go | ||
| uses: actions/setup-go@v5 |
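Review bot: with `persist-credentials: false` now set on this checkout in the release job, any later step in the same job that pushes with git (a tag push or a commit of generated artifacts) will fail, because the token is no longer written into `.git/config`; confirm no such step exists, and if one does, hand that single step an explicitly scoped token instead of re-enabling persistence. Keeping `fetch-depth: 0` is correct here, since the `tag` step that feeds `main.version` needs the tag history.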
In the release job, actions/checkout@v4 and actions/setup-go@v5 are referenced by mutable tags while the earlier jobs pin these actions by commit SHA. For a hardened workflow, pin these actions to specific commit SHAs (and keep the version comment) to reduce supply-chain risk.
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Set up Go | |
| uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5 |
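Review bot: the suggested pins carry only `# v4` and `# v5` as trailing comments; record the exact tag each SHA resolves to (the `vX.Y.Z` form) so Dependabot or Renovate can keep the pin current and so a reviewer can check the SHA against the upstream tag before merging, since a SHA pin that nobody has verified against the release it claims to be does not buy the supply-chain protection the comment is after.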
| @@ -170,7 +174,7 @@ jobs: | |||
| mkdir -p dist | |||
|
|
|||
| # Build flags for security-hardened binaries | |||
| BUILD_FLAGS="-s -w -buildid= -X main.version=${{ steps.tag.outputs.tag }} -X main.commit=${{ github.sha }} -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ) -X main.builtBy=github-actions" | |||
| BUILD_FLAGS="-s -w -buildid= -X main.version=${STEPS_TAG_OUTPUTS_TAG} -X main.commit=${{ github.sha }} -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ) -X main.builtBy=github-actions" | |||
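Review bot: `${STEPS_TAG_OUTPUTS_TAG}` is now read from the environment, but this hunk does not show the `env:` block that populates it; confirm the step carries `env: STEPS_TAG_OUTPUTS_TAG: ${{ steps.tag.outputs.tag }}`, otherwise `main.version` is silently built as an empty string. Moving the tag out of the `${{ }}` interpolation stops it from being rewritten into the script text, but when `BUILD_FLAGS` is later expanded into the `go build` command a tag containing whitespace would still split into extra `-ldflags` arguments, so the value needs validating before use. Leaving `${{ github.sha }}` inline is fine, as it is always a 40-character hex string.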
steps.tag.outputs.tag is ultimately injected into Go -ldflags as part of BUILD_FLAGS. Git tags can contain whitespace or other characters that could unintentionally alter the flags. Consider validating/sanitizing the tag value (e.g., enforce an expected semver/tag regex and fail otherwise) before using it in -ldflags.
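One way to do the validation the comment above asks for, written as an added example that is not code from this PR or from the repository's workflows. It assumes the release step maps the tag into the environment as `STEPS_TAG_OUTPUTS_TAG` (the name the PR uses) and that the build step passes `BUILD_FLAGS` to `go build -ldflags`; the function names, the semver pattern and the `go build` invocation are assumptions, and the `main.date` flag from the PR is left out because its value is generated by the runner, not taken from a tag.

```shell
#!/bin/sh
# Added example, not code from this PR or the repository's workflows.
# Assumed workflow context (not shown in the diff):
#   env:
#     STEPS_TAG_OUTPUTS_TAG: ${{ steps.tag.outputs.tag }}
#   run: |
#     BUILD_FLAGS=$(build_ldflags "$STEPS_TAG_OUTPUTS_TAG" "$GITHUB_SHA") || exit 1
#     go build -ldflags "$BUILD_FLAGS" ./...

nl='
'

# Accept only v<major>.<minor>.<patch> with an optional pre-release suffix.
# Anchors plus a narrow character class reject whitespace, quotes and anything
# that could start another -X option; a newline is rejected explicitly because
# grep would otherwise match on the first line alone.
tag_is_valid() {
    case "$1" in
        *"$nl"*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$'
}

# github.sha is always a full 40-hex commit id; check it anyway so the build
# fails closed if the value ever comes from somewhere else.
sha_is_valid() {
    case "$1" in
        *"$nl"*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# Print the hardened ldflags for a validated tag and commit, or print nothing
# and return non-zero so a caller using "$(build_ldflags ...)" cannot proceed.
build_ldflags() {
    tag="$1"
    commit="$2"
    if ! tag_is_valid "$tag"; then
        printf 'refusing to build: tag %s does not match v<major>.<minor>.<patch>\n' "$tag" >&2
        return 1
    fi
    if ! sha_is_valid "$commit"; then
        printf 'refusing to build: commit %s is not a 40-hex sha\n' "$commit" >&2
        return 1
    fi
    flags="-s -w -buildid= -X main.version=$tag -X main.commit=$commit -X main.builtBy=github-actions"
    printf '%s\n' "$flags"
}
```

The check is deliberately an allow-list on the whole value rather than a search for bad characters: a tag such as `v1.2.3 -X main.builtBy=attacker` is rejected because the pattern is anchored at both ends, and the failure path prints nothing to stdout, so a `$(...)` capture that ignores the exit status still ends up with an empty `BUILD_FLAGS` rather than a tampered one.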
No description provided.