ci: GHA workflow security cleanup#703
Conversation
Set persist-credentials: false on every actions/checkout step so the default GITHUB_TOKEN is not left in the local git config after checkout. None of these jobs push or write back through the checked-out clone, so keeping the credential available was unused exposure.
|
Warning Review limit reached
More reviews will be available in 51 minutes and 34 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (4)
WalkthroughThis PR hardens four GitHub Actions workflows by pinning third-party actions to specific commit SHAs instead of floating version tags. Workflow and job-level permissions are explicitly declared. The integration test workflow refactors environment variable handling and the docs workflow updates build output references. ChangesCI/CD Workflow Action Pinning and Permissions
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/features.yml:
- Line 18: Replace the broad "secrets: inherit" entry in the caller workflow
with an explicit mapping for only the secret consumed by the reusable workflow
(the reusable workflow ably/features/.github/workflows/sdk-features.yml declares
on.workflow_call.secrets and uses ABLY_AWS_ACCOUNT_ID_SDK); remove "secrets:
inherit" and add a single secrets mapping that passes ABLY_AWS_ACCOUNT_ID_SDK
from the caller (ABLY_AWS_ACCOUNT_ID_SDK: ${{ secrets.ABLY_AWS_ACCOUNT_ID_SDK
}}), ensuring least-privilege secret propagation to the reusable workflow.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: ff4a2fe3-03d7-4274-8d09-d3a44c0a26dd
📒 Files selected for processing (4)
.github/workflows/check.yml.github/workflows/docs.yml.github/workflows/features.yml.github/workflows/integration-test.yml
Add a top-level `permissions: {}` to each workflow and grant each job
only the scopes it actually needs:
- check / integration-test: `contents: read` for checkout,
`checks: write` for the JUnit test reporter.
- docs: `contents: read` for checkout, alongside the existing
`deployments: write` and `id-token: write` used by the SDK
upload and AWS OIDC steps.
- features: `contents: read` for the reusable workflow it calls.
This replaces the default token scope (which depends on repo settings
and historically defaults to read/write across the board).
Move workflow-context interpolations (`${{ ... }}`) out of `run:`
shell source and into per-step `env:` bindings. The shell now sees
ordinary environment variables instead of pre-expanded text, so values
sourced from matrix entries or step outputs cannot terminate the
surrounding quotes and inject shell.
- docs.yml: `steps.sdk-upload-prempt.outputs.url-base` (a step
output) becomes $BASE_URL. `github.sha` is dropped in favour of
the $GITHUB_SHA env var GitHub already exports to every step.
- integration-test.yml: `matrix.protocol` and the JSON/msgpack
derivation become $PROTOCOL and $ABLY_PROTOCOL.
Replace tag-based action references with the matching commit SHA, with the original tag preserved as a trailing comment. Tags are mutable and can be repointed by the upstream owner at any time, so pinning to SHAs keeps the running code stable until we deliberately bump it. Pinned in this commit: - actions/checkout (v2) - actions/setup-go (v2) - ably/test-observability-action (v1) - dorny/test-reporter (v1) - ably/sdk-upload-action (v2) - aws-actions/configure-aws-credentials (v1) - ably/features/.github/workflows/sdk-features.yml (main) The pinned SHAs were taken from each repository's current resolution of the tag/branch, so behaviour matches what was running before this commit. Future updates flow through a normal version bump PR.
7c06abf to
059da6e
Compare
Routine hygiene pass over the GitHub Actions workflows in this repo, addressing findings from a workflow security audit. Changes are split into four commits, one per finding type:
No behavioural changes intended — the workflows run the same checks against the same inputs.
Summary by CodeRabbit