Skip to content

ci: GHA workflow security cleanup#703

Merged
emptyhammond merged 4 commits into
mainfrom
worktree-fixup-workflows
Jun 26, 2026
Merged

ci: GHA workflow security cleanup#703
emptyhammond merged 4 commits into
mainfrom
worktree-fixup-workflows

Conversation

@emptyhammond

@emptyhammond emptyhammond commented May 26, 2026

Copy link
Copy Markdown
Contributor

Routine hygiene pass over the GitHub Actions workflows in this repo, addressing findings from a workflow security audit. Changes are split into four commits, one per finding type:

  • Disable credential persistence on actions/checkout steps so the default GITHUB_TOKEN is not left in the local git config after checkout.
  • Scope each job's permissions explicitly: top-level permissions: {}, with each job granted only the GITHUB_TOKEN scopes it actually needs.
  • Move workflow-context expansions (${{ matrix.protocol }}, step outputs) out of run: shell source and into env: bindings.
  • Pin all third-party actions to commit SHAs (with the tag preserved as a comment) so an upstream tag move can't silently change what runs in CI.

No behavioural changes intended — the workflows run the same checks against the same inputs.

Summary by CodeRabbit

  • Chores
    • Pinned GitHub Actions and third-party actions to specific commit SHAs for enhanced security and build consistency across multiple workflows.
    • Added explicit permission scoping to workflows to enforce principle of least privilege.
    • Updated workflow configurations for improved environment variable handling and credential management.

Review Change Stack

Set persist-credentials: false on every actions/checkout step so the
default GITHUB_TOKEN is not left in the local git config after checkout.
None of these jobs push or write back through the checked-out clone, so
keeping the credential available was unused exposure.
@emptyhammond emptyhammond requested a review from sacOO7 May 26, 2026 12:16
@coderabbitai

coderabbitai Bot commented May 26, 2026

Copy link
Copy Markdown
Contributor

Warning

Review limit reached

@emptyhammond, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 51 minutes and 34 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 315415ae-a242-4f49-82ad-0518a72b0d08

📥 Commits

Reviewing files that changed from the base of the PR and between 7c06abf and 059da6e.

📒 Files selected for processing (4)
  • .github/workflows/check.yml
  • .github/workflows/docs.yml
  • .github/workflows/features.yml
  • .github/workflows/integration-test.yml

Walkthrough

This PR hardens four GitHub Actions workflows by pinning third-party actions to specific commit SHAs instead of floating version tags. Workflow and job-level permissions are explicitly declared. The integration test workflow refactors environment variable handling and the docs workflow updates build output references.

Changes

CI/CD Workflow Action Pinning and Permissions

Layer / File(s) Summary
Check workflow action pinning and permissions
.github/workflows/check.yml
actions/checkout, actions/setup-go, ably/test-observability-action, and dorny/test-reporter are pinned to commit SHAs with explicit permission declarations.
Features workflow permissions and reusable workflow pinning
.github/workflows/features.yml
Explicit workflow/job permissions (permissions: {} and contents: read) are added; the reusable workflow reference is pinned from @main to a specific commit SHA.
Documentation workflow action pinning and output reference updates
.github/workflows/docs.yml
actions/checkout, actions/setup-go, ably/sdk-upload-action, and aws-actions/configure-aws-credentials are pinned to commit SHAs. The gopages build step now references steps.sdk-upload-prempt.outputs.url-base for BASE_URL and uses GITHUB_SHA for the source-link URL instead of github.sha.
Integration test workflow permissions, action pinning, and environment variable refactoring
.github/workflows/integration-test.yml
Explicit permissions (contents: read, checks: write) are declared. actions/checkout and actions/setup-go are pinned to commit SHAs with credential persistence disabled. PROTOCOL and ABLY_PROTOCOL are refactored from inline exports to step-level environment variables. Observability and test-reporter actions are pinned to commit SHAs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Actions pinned down so tight,
No floating tags in the night,
Permissions blessed with care so true,
Workflows hardened, shiny new! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'ci: GHA workflow security cleanup' directly and concisely summarizes the main change: a security-focused update to GitHub Actions workflows addressing audit findings.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch worktree-fixup-workflows

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/features.yml:
- Line 18: Replace the broad "secrets: inherit" entry in the caller workflow
with an explicit mapping for only the secret consumed by the reusable workflow
(the reusable workflow ably/features/.github/workflows/sdk-features.yml declares
on.workflow_call.secrets and uses ABLY_AWS_ACCOUNT_ID_SDK); remove "secrets:
inherit" and add a single secrets mapping that passes ABLY_AWS_ACCOUNT_ID_SDK
from the caller (ABLY_AWS_ACCOUNT_ID_SDK: ${{ secrets.ABLY_AWS_ACCOUNT_ID_SDK
}}), ensuring least-privilege secret propagation to the reusable workflow.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ff4a2fe3-03d7-4274-8d09-d3a44c0a26dd

📥 Commits

Reviewing files that changed from the base of the PR and between 439d9f3 and 7c06abf.

📒 Files selected for processing (4)
  • .github/workflows/check.yml
  • .github/workflows/docs.yml
  • .github/workflows/features.yml
  • .github/workflows/integration-test.yml

Comment thread .github/workflows/features.yml Outdated
@github-actions github-actions Bot temporarily deployed to staging/pull/703/godoc May 26, 2026 13:46 Inactive
Add a top-level `permissions: {}` to each workflow and grant each job
only the scopes it actually needs:

  - check / integration-test: `contents: read` for checkout,
    `checks: write` for the JUnit test reporter.
  - docs: `contents: read` for checkout, alongside the existing
    `deployments: write` and `id-token: write` used by the SDK
    upload and AWS OIDC steps.
  - features: `contents: read` for the reusable workflow it calls.

This replaces the default token scope (which depends on repo settings
and historically defaults to read/write across the board).
Move workflow-context interpolations (`${{ ... }}`) out of `run:`
shell source and into per-step `env:` bindings. The shell now sees
ordinary environment variables instead of pre-expanded text, so values
sourced from matrix entries or step outputs cannot terminate the
surrounding quotes and inject shell.

  - docs.yml: `steps.sdk-upload-prempt.outputs.url-base` (a step
    output) becomes $BASE_URL. `github.sha` is dropped in favour of
    the $GITHUB_SHA env var GitHub already exports to every step.
  - integration-test.yml: `matrix.protocol` and the JSON/msgpack
    derivation become $PROTOCOL and $ABLY_PROTOCOL.
Replace tag-based action references with the matching commit SHA, with
the original tag preserved as a trailing comment. Tags are mutable and
can be repointed by the upstream owner at any time, so pinning to SHAs
keeps the running code stable until we deliberately bump it.

Pinned in this commit:

  - actions/checkout                  (v2)
  - actions/setup-go                  (v2)
  - ably/test-observability-action    (v1)
  - dorny/test-reporter               (v1)
  - ably/sdk-upload-action            (v2)
  - aws-actions/configure-aws-credentials (v1)
  - ably/features/.github/workflows/sdk-features.yml (main)

The pinned SHAs were taken from each repository's current resolution of
the tag/branch, so behaviour matches what was running before this
commit. Future updates flow through a normal version bump PR.
@emptyhammond emptyhammond merged commit aab2209 into main Jun 26, 2026
8 checks passed
@emptyhammond emptyhammond deleted the worktree-fixup-workflows branch June 26, 2026 12:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants