
GitHub actions security#1761

Open
jksolbakken wants to merge 5 commits intosuitenumerique:mainfrom
jksolbakken:gh-actions-security

Conversation

@jksolbakken

@jksolbakken jksolbakken commented Dec 23, 2025

Purpose

Some suggestions on improving the security of the workflows as detected by Zizmor

External contributions

Thank you for your contribution! 🎉

Please ensure the following items are checked before submitting your pull request:

  • I have read and followed the contributing guidelines
  • I have read and agreed to the Code of Conduct
  • I have signed off my commits with git commit --signoff (DCO compliance)
  • I have signed my commits with my SSH or GPG key (git commit -S)
  • My commit messages follow the required format: <gitmoji>(type) title description
  • I have added a changelog entry under ## [Unreleased] section (if noticeable change)
  • I have added corresponding tests for new features or bug fixes (if applicable)

Signed-off-by: J-K. Solbakken <jk@jksolbakken.no>
Signed-off-by: J-K. Solbakken <jk@jksolbakken.no>
Signed-off-by: J-K. Solbakken <jk@jksolbakken.no>
Signed-off-by: J-K. Solbakken <jk@jksolbakken.no>
Signed-off-by: J-K. Solbakken <jk@jksolbakken.no>
@lunika
Member

lunika commented Jan 8, 2026

Hi,

Thank you for your contribution, I'm reviewing it.

Did you use a tool to replace the action tags with their corresponding hashes?
Thanks

services:
postgres:
image: postgres:16
image: index.docker.io/library/postgres@sha256:d4c3314b2dd74ff23cd6cd07e4d7e737cb6ef791c22a7cbd744cfbfb4815df72 # ratchet:postgres:16
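Review bot: the trailing `# ratchet:postgres:16` comment on the added `image:` line is what lets the pinning tool map the digest back to the `postgres:16` tag for later updates, so it should stay next to the digest; also note that pinning to `@sha256:…` freezes the job on this exact image, so it no longer picks up new `postgres:16` patch releases until the digest is re-pinned.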
Member


Did zizmor report this ?

I reverted it and zizmor is not warning me.

path: "src/frontend/**/node_modules"
key: front-node_modules-${{ hashFiles('src/frontend/**/yarn.lock') }}
fail-on-cache-miss: true
lookup-only: true
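Review bot: `lookup-only: true` on this cache step makes the action only check whether the `front-node_modules-…` entry exists and skip downloading it, so a later step that expects `src/frontend/**/node_modules` to be restored will not find it; if the cache is meant to be restored here, drop `lookup-only` and keep `fail-on-cache-miss: true` so the job still fails loudly when the entry is missing.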
Member


Not sure if we should use it here. We want to download the cache.

Comment on lines +157 to +175
Member


You can remove all these lines I think :-)

@jksolbakken
Author

The tool I used to pin the hashes is called Ratchet

