CI hardening: pin GitHub Actions to SHAs and define explicit job permissions#3174

Merged
arkid15r merged 3 commits into OWASP:main from SuyashJain17:ci-hardening-clean
Jan 4, 2026

Conversation

@SuyashJain17
Contributor

Proposed change

Resolves #3166

This PR hardens the CI/CD workflow by aligning it with GitHub Actions security best practices.

Summary of changes

  • Pin GitHub Actions to specific commit SHAs to reduce supply-chain risk
  • Define explicit job-level permissions to enforce least-privilege access and improve clarity

Notes

  • No functional or behavioral changes to the workflow
  • Improves security, maintainability, and auditability
  • Follows existing CI hardening patterns already used in the repository

Checklist

  • Required: I read and followed the contributing guidelines
  • Required: I ran make check-test locally and all tests passed
  • I used AI for code, documentation, or tests in this PR
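
As an added illustration of the two changes described above (not code from the OWASP/Nest repository), the block below embeds a constructed workflow fragment in the style of .github/workflows/run-ci-cd.yaml, applies the SHA pin and the empty job-level permissions block, and runs a small audit that flags any `uses:` reference not pinned to a full commit SHA and any job without an explicit permissions block. The job ids, the action, and the SHA are taken from the PR page; the step contents are invented.

```python
import re

# Constructed fragment (not the repository's real file). BEFORE uses the weak tag
# pin; AFTER applies the PR's two changes: a 40-hex SHA pin with a version comment
# on actions/cache, and an empty permissions block on the set-release-version job.
BEFORE = """\
jobs:
  scan-ci-dependencies:
    name: Run CI Dependencies Scan
    steps:
      - uses: actions/cache@v5
  set-release-version:
    steps:
      - run: echo release
"""
AFTER = BEFORE.replace(
    "actions/cache@v5",
    "actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5",
).replace("  set-release-version:\n", "  set-release-version:\n    permissions: {}\n")

# Assumes `jobs:` is the only top-level mapping in the fragment, so every
# two-space-indented key is a job id.
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full commit SHA; tags and branches fail this


def audit_workflow(text):
    """Return findings: `uses:` refs not pinned to a commit SHA and jobs with no permissions block."""
    findings, jobs, current = [], {}, None
    for line in text.splitlines():
        if (m := JOB_RE.match(line)):
            current = m.group(1)
            jobs[current] = False
        elif current and line.startswith("    permissions:"):
            jobs[current] = True
        elif (m := USES_RE.match(line)) and "@" in m.group(1):
            ref = m.group(1)  # the trailing "# v5" comment is not part of \S+
            if not SHA_RE.match(ref.rpartition("@")[2]):
                findings.append(f"unpinned action: {ref}")
    findings += [f"job {j} has no explicit permissions block" for j, ok in jobs.items() if not ok]
    return findings
```

Running the audit over AFTER still reports scan-ci-dependencies, which matches the PR's scope: only set-release-version received an explicit permissions block.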

@coderabbitai
Contributor

coderabbitai bot commented Jan 4, 2026

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow to pin external action versions for greater stability.
    • Corrected a workflow job name spelling.
    • Expanded job-level permissions configuration to align with publication needs.

Walkthrough

Updated the .github/workflows/run-ci-cd.yaml workflow: pinned the pre-commit cache action to a commit SHA, corrected a job name typo, and added an explicit empty permissions block to the set-release-version job.

Changes

Cohort / File(s): GitHub Actions workflow (.github/workflows/run-ci-cd.yaml)
Summary: Pinned actions/cache from v5 to commit 9255dc7a253b0ccc959486e2bca901246202afeb; renamed job "Run CI Denendencies Scan" → "Run CI Dependencies Scan"; added permissions: {} to the set-release-version job.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested reviewers

  • kasya

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title directly describes the main changes: pinning GitHub Actions to SHAs and defining explicit job permissions for CI hardening.
Description check ✅ Passed The description is related to the changeset and clearly explains the security improvements, including pinning actions and adding permissions.
Linked Issues check ✅ Passed The pull request fully meets issue #3166 objectives: pinned actions/cache to commit SHA, added explicit permissions block to set-release-version job, and fixed typo.
Out of Scope Changes check ✅ Passed All changes are directly scoped to issue #3166: pinning actions/cache, adding permissions to set-release-version, and fixing a typo in the scan-ci-dependencies job name.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 471a9ba and e4101a7.

📒 Files selected for processing (1)
  • .github/workflows/run-ci-cd.yaml
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-12-21T19:03:59.068Z
Learnt from: ahmedxgouda
Repo: OWASP/Nest PR: 1139
File: .github/workflows/setup-backend-environment/action.yaml:16-27
Timestamp: 2025-12-21T19:03:59.068Z
Learning: Composite actions (runs: using: composite) execute as steps within the calling job's context and can access the job context, including job.services.* properties (e.g., job.services.<service_id>.id, job.services.<service_id>.ports). Service containers must be defined at the job level, but a composite action's steps can reference them via the job context.

Applied to files:

  • .github/workflows/run-ci-cd.yaml

coderabbitai bot previously approved these changes Jan 4, 2026

Collaborator

@arkid15r arkid15r left a comment

LGTM

@arkid15r arkid15r enabled auto-merge January 4, 2026 19:57
@sonarqubecloud

sonarqubecloud bot commented Jan 4, 2026

@arkid15r arkid15r added this pull request to the merge queue Jan 4, 2026
Merged via the queue into OWASP:main with commit 0657599 Jan 4, 2026
26 checks passed

Development

Successfully merging this pull request may close these issues.

CI hardening: pin GitHub Action versions and define explicit job permissions

2 participants