ci: Harden Marketplace release pipelines against supply-chain attacks#5083
Open
iliev01 wants to merge 1 commit into gitkraken:main from
…missions
- cd-stable.yml: Pin checkout, setup-node, pnpm/action-setup, changelog-reader-action, and action-gh-release to commit SHAs
- cd-pre.yml: Pin checkout, setup-node, pnpm/action-setup, and upload-artifact to commit SHAs; add permissions block to publish job
- ci.yml: Add top-level permissions: contents: read; pin checkout, setup-node, pnpm/action-setup, cache, and upload-artifact to commit SHAs

Signed-off-by: Atanas Iliev <atanas.iliev.ai@gmail.com>
Summary
This PR hardens the Marketplace release pipelines and the CI pipeline of gitkraken/vscode-gitlens against supply-chain attacks by pinning all GitHub Actions to immutable commit SHAs and enforcing least-privilege permissions.

GitLens publishes to the VS Code Marketplace (millions of installs) and OpenVSIX — making the release pipelines exceptionally high-value targets. A compromised mutable action tag could silently inject malicious code into the published .vsix artifact, affecting all downstream users.

Changes

.github/workflows/cd-stable.yml
- actions/checkout@v4 → @34e114876b0b11c390a56381ad16ebd13914f8d5
- actions/setup-node@v4 → @49933ea5288caeca8642d1e84afbd3f7d6820020
- pnpm/action-setup@v3 → @a3252b78c470c02df07e9d59298aecedc3ccdd6d
- mindsers/changelog-reader-action@v2 → @32aa5b4c155d76c94e4ec883a223c947b2f02656
- softprops/action-gh-release@v2 → @153bb8e04406b158c6c84fc1615b65b24149a1fe

.github/workflows/cd-pre.yml
- actions/checkout@v4 → @34e114876b0b11c390a56381ad16ebd13914f8d5
- actions/setup-node@v4 → @49933ea5288caeca8642d1e84afbd3f7d6820020
- pnpm/action-setup@v3 → @a3252b78c470c02df07e9d59298aecedc3ccdd6d
- actions/upload-artifact@v4 → @ea165f8d65b6e75b540449e92b4886f43607fa02
- permissions: { contents: read } to the publish job to enforce least privilege (the check job already had proper permissions)

.github/workflows/ci.yml
- permissions: { contents: read } to restrict default GITHUB_TOKEN scope across all three jobs (build, unit-tests, e2e-tests)
- actions/checkout@v4 → @34e114876b0b11c390a56381ad16ebd13914f8d5
- actions/setup-node@v4 → @49933ea5288caeca8642d1e84afbd3f7d6820020
- pnpm/action-setup@v4 → @b906affcce14559ad1aafd4ab0e942779e9f58b1
- actions/cache@v4 → @0057852bfaa89a56745cba8c7296529d2fc39830
- actions/upload-artifact@v4 → @ea165f8d65b6e75b540449e92b4886f43607fa02

Security Rationale

Mutable version tags (e.g., @v4) allow action authors — or an attacker who gains write access — to silently substitute the code that runs during CI/CD. Pinning to immutable commit SHAs eliminates this attack vector entirely. Adding explicit permissions blocks enforces least privilege, limiting what the GITHUB_TOKEN can access.

This is especially critical for the cd-stable.yml and cd-pre.yml pipelines which handle Marketplace PATs and produce the .vsix artifacts that ship to millions of developers.

All # v... comments are preserved next to pinned SHAs for maintainability.

Consistent with OSSF Scorecard, StepSecurity Harden-Runner, and the GitHub Actions Security Hardening Guide.
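The two controls the PR description asks for (every third-party `uses:` reference pinned to a full commit SHA, and a workflow-wide `permissions:` block) are easy to regress on the next edit to a workflow. The script below is an added example, not code from the PR or from the GitLens project: it audits workflow text for both controls so the check can run as a pre-commit hook or a CI step. The two workflow snippets are constructed for illustration; only the commit SHAs in the "after" snippet are taken from the PR description above, and the checker verifies that a reference has the shape of a 40-hex SHA, not that the SHA is the commit a given tag pointed to.

```python
import re
from typing import Dict, List

# Constructed "before" workflow: mutable tags, no workflow-level permissions.
BEFORE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - uses: pnpm/action-setup@v4
      - uses: ./.github/actions/local-step
"""

# Constructed "after" workflow: SHAs from the PR description, tag kept as a comment.
AFTER = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
      - uses: ./.github/actions/local-step
"""

# Captures the reference after `uses:`, stopping before whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
# A full Git object id: exactly 40 lowercase hex digits. Abbreviated SHAs do not count.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text: str) -> List[str]:
    """Return every `uses:` reference that is not pinned to a full commit SHA.

    Local actions (./path) and Docker images (docker://) are skipped because
    they are not fetched by mutable tag from another GitHub repository.
    """
    findings: List[str] = []
    for line in workflow_text.splitlines():
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith(("./", "docker://")):
            continue
        if "@" not in ref:
            # No version at all resolves to the default branch: always mutable.
            findings.append(ref)
            continue
        _, _, version = ref.rpartition("@")
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def has_top_level_permissions(workflow_text: str) -> bool:
    """True if `permissions:` is declared at column 0, i.e. for the whole workflow.

    Job-level blocks are indented and deliberately not counted here, because a
    workflow-wide default is what restricts GITHUB_TOKEN for jobs added later.
    """
    return any(line.startswith("permissions:") for line in workflow_text.splitlines())


def audit(workflow_text: str) -> Dict[str, object]:
    """Summarise both controls for one workflow file's text."""
    unpinned = find_unpinned_actions(workflow_text)
    permissions_ok = has_top_level_permissions(workflow_text)
    return {
        "unpinned": unpinned,
        "has_permissions": permissions_ok,
        "ok": not unpinned and permissions_ok,
    }


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(text))
```

Running the block reports the three mutable references and the missing `permissions:` block for the "before" snippet and a clean result for the "after" one. Because the check is purely syntactic, the SHA a maintainer pins must still be verified against the action's upstream repository when it is first introduced, and the `# vN` comment the PR preserves is what lets a reviewer see which release the SHA is meant to correspond to.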