Harden GitHub Actions with top-level permissions and SHA pinning #422

Description

@tristantarrant

Add explicit top-level permissions blocks to all workflow files, defaulting to contents: read with elevated scopes only where needed. Pin every external action reference to immutable 40-char commit SHAs with trailing version comments, preventing supply-chain attacks via mutable tag/branch references.
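
As an added example that is not part of the issue or the project's own tooling: a small linter over raw workflow text that flags the two gaps the issue describes, an `uses:` reference not pinned to a 40-hex commit SHA (or pinned without the trailing version comment) and a missing top-level `permissions:` block. The workflow snippets and the 40-hex SHA below are constructed placeholders, not real action revisions.

```python
"""Audit GitHub Actions workflow text for SHA pinning and top-level permissions."""
import re

# A full-length commit SHA is 40 hex characters; anything else (tag, branch) is mutable.
SHA_REF = re.compile(r"^[0-9a-fA-F]{40}$")
# Matches "uses: owner/repo@ref" whether or not it starts a list item.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Top-level permissions sit at column 0; job-level ones are indented and do not count.
TOP_PERMS = re.compile(r"^permissions:", re.MULTILINE)


def audit_workflow(text: str) -> list[str]:
    """Return human-readable findings; an empty list means the workflow passes."""
    findings = []
    if not TOP_PERMS.search(text):
        findings.append("missing top-level permissions block")
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and docker references are not pinned by commit SHA
        if "@" not in ref:
            findings.append(f"line {n}: {ref} has no version ref")
            continue
        action, version = ref.rsplit("@", 1)
        if not SHA_REF.match(version):
            findings.append(f"line {n}: {action} pinned to mutable ref '{version}'")
        elif "#" not in line:
            findings.append(f"line {n}: {action} SHA lacks trailing version comment")
    return findings


# Constructed sample: no top-level permissions, mixed pinning styles.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@main
      - uses: ./.github/actions/local-step
      - uses: example-org/fake-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: example-org/fake-action@0123456789abcdef0123456789abcdef01234567
"""

# Constructed hardened form: read-only default plus a SHA-pinned, commented reference.
HARDENED_WORKFLOW = "permissions:\n  contents: read\n" + SAMPLE_WORKFLOW.split("steps:")[0] \
    + "steps:\n      - uses: example-org/fake-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3\n"
```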
