Skip to content

Security: Trash unnecessary workflows; Harden Others#4556

Merged
pglombardo merged 10 commits into
masterfrom
trash-workflows
Jun 13, 2026
Merged

Security: Trash unnecessary workflows; Harden Others#4556
pglombardo merged 10 commits into
masterfrom
trash-workflows

Conversation

@pglombardo

Copy link
Copy Markdown
Owner

Description

Related Issue

Type of Change

  • 📦 Dependency & security updates
  • 🔧 Bug fix (non-breaking change which fixes an issue)
  • 🥂 Improvement (non-breaking change which improves an existing feature)
  • 🚀 New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to change)
  • 🔐 Security fix
  • 📚 Examples / documentation / tutorials

Checklist

  • I've written tests (if applicable) for all new methods and classes that I created. (rake test)
  • I've added documentation as necessary so users can easily use and understand this feature/fix.

Add least-privilege permissions, pin third-party actions to commit SHAs,
clarify Docker fork PR job conditions, and pass chart-testing target
branch via env instead of inline shell interpolation.
Gate Campfire notify jobs on CAMPFIRE_MESSAGES_URL so forks and repos
without the secret configured do not run notification steps.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR removes several GitHub Actions workflows and “hardens” the remaining ones by pinning third-party actions to commit SHAs, tightening default token permissions, and skipping jobs when required secrets are not configured.

Changes:

  • Deleted multiple workflows (Ruby tests, Brakeman scanning, Dependabot automerge, Greetings).
  • Pinned remaining GitHub Actions uses: references to specific commit SHAs and added explicit permissions blocks.
  • Added secret-presence guards for Campfire/Hatchbox jobs and minor workflow logic cleanup (e.g., Docker label gating parentheses; Helm target branch env).

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
.github/workflows/ruby-tests.yml Removed Ruby/unit+system test workflow.
.github/workflows/brakeman.yml Removed Brakeman code scanning workflow.
.github/workflows/dependabot-automerge.yml Removed workflow-run-based Dependabot automerge workflow.
.github/workflows/greetings.yml Removed first-interaction greeting workflow.
.github/workflows/release-drafter.yml Pinned release-drafter action to a commit SHA.
.github/workflows/lint-helm.yaml Added read-only permissions, pinned actions, and extracted target branch env var.
.github/workflows/docker-containers.yml Added read-only permissions, pinned actions, clarified if: logic, and added fork/label notes.
.github/workflows/hatchbox-deploy.yml Added read-only permissions, pinned action, and skipped job when secret missing.
.github/workflows/campfire-notify.yml Added read-only permissions, pinned action, and skipped job when secret missing.
Comments suppressed due to low confidence (1)

.github/workflows/release-drafter.yml:22

  • This PR removes the only Ruby CI/security workflows (e.g. Ruby test runs and Brakeman scanning) without adding a replacement. After this change, the remaining workflows are Helm linting, container builds, release drafting, and optional Campfire/Hatchbox integrations—so the Rails test suite and static security scan would no longer run in GitHub Actions, which weakens the repo’s security/quality gates and doesn’t align with the stated goal of hardening.
      # Drafts your next Release notes as Pull Requests are merged into "master"
      - uses: release-drafter/release-drafter@e1247478eabc9f6d9cf5ec2b3547469b0e1d2767 # v7
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/lint-helm.yaml Outdated
Comment thread .github/workflows/docker-containers.yml
Comment thread .github/workflows/docker-containers.yml
Comment thread .github/workflows/docker-containers.yml
Comment on lines 134 to 138
- name: Build and push Docker image
uses: docker/build-push-action@v7
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
with:
context: .
file: ./containers/docker/Dockerfile.public-gateway
Comment thread .github/workflows/docker-containers.yml
Comment thread .github/workflows/docker-containers.yml
pglombardo and others added 6 commits June 13, 2026 15:55
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Peter Giacomo Lombardo <pglombardo@hey.com>
Gate all Docker container build jobs on the DOCKER_USERNAME secret so
forks and repos without Docker Hub credentials do not run scheduled,
tag, or labeled PR builds.
@pglombardo pglombardo merged commit 881a82d into master Jun 13, 2026
1 check passed
@pglombardo pglombardo deleted the trash-workflows branch June 13, 2026 14:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants