@mdjastrzebski

Summary

This pull request implements a comprehensive security checklist for GitHub Actions workflows to enhance the repository's security posture.

Key changes include:

  • Least Privilege Permissions: All workflows and jobs now explicitly define permissions: contents: read by default, adhering to the principle of least privilege. The website deployment job has specific, minimal permissions (contents: read, pages: write, id-token: write).
  • Secret Protection: The CODECOV_TOKEN is no longer used in workflows triggered by forks (pull_request). Code coverage reports are now uploaded as artifacts during PR builds and then securely processed by a dedicated job that runs only on push events to the main branch.
  • Secure Trigger & Checkout Practices: Verified that pull_request_target is not used, and all checkouts utilize secure SHA-based references, avoiding unsafe head refs.
  • Clear Trust Boundaries: Established clear separation, ensuring secrets are only accessible in trusted contexts (e.g., main branch pushes for deployment and Codecov uploads).

Test plan

  1. Create a Pull Request from a Fork:
    • Submit a PR from a forked repository.
    • Verify that the ci.yml workflow runs successfully.
    • Confirm that the upload-coverage job within ci.yml is skipped (as it should only run on push to main).
    • Verify that example-apps.yml and website.yml workflows also run successfully with their updated permissions.
  2. Push to main Branch (or Merge PR):
    • Merge the PR to the main branch or push a commit directly to main.
    • Verify that the ci.yml workflow runs successfully, including the upload-coverage job.
    • Confirm that Codecov reports are updated as expected.
    • Verify that the website.yml workflow runs successfully and the website deploys correctly to GitHub Pages.
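The four points from the PR summary combined into one workflow, as an added illustration that is not the repository's actual ci.yml and not code from the PR author: a top-level permissions block granting only contents: read, a test job that runs for fork pull requests without touching any secret and publishes coverage as an artifact, and an upload-coverage job gated to push events on main that downloads the artifact and is the only place CODECOV_TOKEN is referenced. The job and file names follow the PR description; the step commands, the node-version value and the codecov-action inputs are assumptions, and the <full-commit-sha> placeholders stand in for real pinned commits (pinning action versions to a commit SHA is an extra hardening step that the PR text itself does not claim).

```yaml
# Illustrative ci.yml (added example, not the project's file).
name: CI

on:
  push:
    branches: [main]
  pull_request:

# Default for every job in this workflow: a read-only GITHUB_TOKEN.
# Jobs that need more must opt in with their own permissions block.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Pin actions to a full commit SHA rather than a mutable tag
      # (placeholder SHAs; the trailing comment records the intended version).
      # No "ref:" override to a PR head ref: the default ref for the event is used.
      - uses: actions/checkout@<full-commit-sha> # v4
      - uses: actions/setup-node@<full-commit-sha> # v4
        with:
          node-version: 20 # assumed value
      - run: yarn install --frozen-lockfile
      - run: yarn test --coverage
      # Fork PRs have no access to repository secrets, and this job needs none:
      # coverage is handed off as an artifact instead of being uploaded here.
      - uses: actions/upload-artifact@<full-commit-sha> # v4
        with:
          name: coverage
          path: coverage/

  upload-coverage:
    needs: test
    # Runs only for pushes to main, never in a pull_request context, so the
    # token is never available to a run driven by fork-supplied content.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@<full-commit-sha> # v4
      - uses: actions/download-artifact@<full-commit-sha> # v4
        with:
          name: coverage
          path: coverage/
      # The single trusted place where CODECOV_TOKEN is read.
      - uses: codecov/codecov-action@<full-commit-sha> # v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          directory: coverage/
```

The deployment job in website.yml would take the same shape, with its own job-level permissions block (contents: read, pages: write, id-token: write) on top of the read-only default. Two quick checks when reviewing such a file: the pull_request-triggered job should contain no ${{ secrets.* }} reference at all, and the gated job's if condition should test both github.event_name and github.ref, since testing only the event name would also run it for pushes to other branches.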
@mdjastrzebski mdjastrzebski force-pushed the cursor/implement-repository-security-checklist-23c0 branch from 5e5c5ce to a1e3a48 Compare July 16, 2025 16:15
@codecov
codecov bot commented Jul 16, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 95.34%. Comparing base (3ba3242) to head (a1e3a48).
Report is 1 commit behind head on main.

@@           Coverage Diff           @@
##             main    #1798   +/-   ##
========================================
  Coverage   95.34%   95.34%
========================================
  Files          94       94
  Lines        5244     5244
  Branches      893      574   -319
========================================
  Hits         5000     5000
  Misses        244      244

@mdjastrzebski mdjastrzebski merged commit dbab370 into main Jul 16, 2025
7 checks passed
@mdjastrzebski mdjastrzebski deleted the cursor/implement-repository-security-checklist-23c0 branch July 16, 2025 16:21