update workflows to use specific action versions and adding harden-runner steps to improve security#158
Conversation
…nner steps to improve security
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
aaudzei
left a comment
There was a problem hiding this comment.
Please double check if this output is expected from CodeQL run: https://github.com/microsoft/azure-devops-mcp/pull/158/checks?check_run_id=45081126856
Otherwise looks good.
|
@polatengin can you please validate and then let us know so we can merge?
|
yes, after merge, the warning should gone 👍 please merge. |
To mitigate security concerns, we have made changes to the workflows to use specific action versions and added harden-runner steps to improve security.
Following best practices outlined in the official GitHub documentation on Security Hardening for GitHub Actions all GitHub Action steps have been updated to use full-length commit SHAs instead of mutable tags using Harden-Runner.
(for example;
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2instead of- uses: actions/checkout@v4)This ensures that the exact, immutable version of an action is used, preventing unexpected or malicious code changes from being introduced via tag updates by action maintainers.
harden-runnerWe have integrated Harden-Runner into our workflows as recommended by the Security Hardening for GitHub Actions guide.
Harden-Runner enhances the security posture of our pipelines by restricting the permissions of the runner, reducing the attack surface, and providing additional safeguards against supply chain attacks. This helps to control the environment in which the code runs, further limiting the potential for malicious execution.
Harden-Runner also monitoring and disallowing unauthorized outbound web requests and REST API calls.
GitHub issue number
Fixes #122
Associated Risks
None
✅ PR Checklist
🧪 How did you test it?
N/A