Security: Trash unnecessary workflows; Harden Others#4556
Merged
Conversation
Add least-privilege permissions, pin third-party actions to commit SHAs, clarify Docker fork PR job conditions, and pass chart-testing target branch via env instead of inline shell interpolation.
Gate Campfire notify jobs on CAMPFIRE_MESSAGES_URL so forks and repos without the secret configured do not run notification steps.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR removes several GitHub Actions workflows and “hardens” the remaining ones by pinning third-party actions to commit SHAs, tightening default token permissions, and skipping jobs when required secrets are not configured.
Changes:
- Deleted multiple workflows (Ruby tests, Brakeman scanning, Dependabot automerge, Greetings).
- Pinned remaining GitHub Actions
uses:references to specific commit SHAs and added explicitpermissionsblocks. - Added secret-presence guards for Campfire/Hatchbox jobs and minor workflow logic cleanup (e.g., Docker label gating parentheses; Helm target branch env).
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/ruby-tests.yml | Removed Ruby/unit+system test workflow. |
| .github/workflows/brakeman.yml | Removed Brakeman code scanning workflow. |
| .github/workflows/dependabot-automerge.yml | Removed workflow-run-based Dependabot automerge workflow. |
| .github/workflows/greetings.yml | Removed first-interaction greeting workflow. |
| .github/workflows/release-drafter.yml | Pinned release-drafter action to a commit SHA. |
| .github/workflows/lint-helm.yaml | Added read-only permissions, pinned actions, and extracted target branch env var. |
| .github/workflows/docker-containers.yml | Added read-only permissions, pinned actions, clarified if: logic, and added fork/label notes. |
| .github/workflows/hatchbox-deploy.yml | Added read-only permissions, pinned action, and skipped job when secret missing. |
| .github/workflows/campfire-notify.yml | Added read-only permissions, pinned action, and skipped job when secret missing. |
Comments suppressed due to low confidence (1)
.github/workflows/release-drafter.yml:22
- This PR removes the only Ruby CI/security workflows (e.g. Ruby test runs and Brakeman scanning) without adding a replacement. After this change, the remaining workflows are Helm linting, container builds, release drafting, and optional Campfire/Hatchbox integrations—so the Rails test suite and static security scan would no longer run in GitHub Actions, which weakens the repo’s security/quality gates and doesn’t align with the stated goal of hardening.
# Drafts your next Release notes as Pull Requests are merged into "master"
- uses: release-drafter/release-drafter@e1247478eabc9f6d9cf5ec2b3547469b0e1d2767 # v7
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
134
to
138
| - name: Build and push Docker image | ||
| uses: docker/build-push-action@v7 | ||
| uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7 | ||
| with: | ||
| context: . | ||
| file: ./containers/docker/Dockerfile.public-gateway |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Peter Giacomo Lombardo <pglombardo@hey.com>
Gate all Docker container build jobs on the DOCKER_USERNAME secret so forks and repos without Docker Hub credentials do not run scheduled, tag, or labeled PR builds.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Related Issue
Type of Change
Checklist
rake test)