
Conversation

step-security-bot

@step-security-bot step-security-bot commented Oct 3, 2025

Summary

This pull request is created by StepSecurity at the request of @rhamzeh. Please merge the Pull Request to incorporate the requested changes. Please tag @rhamzeh on your message if you have any questions related to the PR.

Security Fixes

Least Privileged GitHub Actions Token Permissions

The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.

Detect Vulnerabilities with SAST Workflow

Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a Code Review (also known as clear-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within ‘static’ (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.

Add Dependency Review Workflow

The Dependency Review Workflow enforces dependency reviews on your pull requests. The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository.

Maintain Code Quality with Pre-Commit

Pre-commit is a framework for managing and maintaining multi-language pre-commit hooks. Hooks can be any scripts, code, or binaries that run at any stage of the git workflow. Pre-commit hooks are useful for enforcing code quality, code formatting, and detecting security vulnerabilities.

Feedback

For bug reports, feature requests, and general feedback, please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>

Summary by CodeRabbit

  • Chores
    • Added automated CodeQL analysis on pushes, pull requests, and a weekly schedule to surface security issues.
    • Introduced dependency review on pull requests to block known vulnerable packages.
    • Enabled a pre-commit secret scan (gitleaks) to prevent committing sensitive information.
    • Tightened workflow permissions to follow least-privilege defaults for improved security.
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
@step-security-bot step-security-bot requested a review from a team as a code owner October 3, 2025 13:30

coderabbitai bot commented Oct 3, 2025

Walkthrough

Adds two GitHub Actions workflows for CodeQL and dependency review, updates permissions in an existing workflow, and introduces a pre-commit gitleaks hook.

Changes

Cohort / File(s) | Summary

Security scanning workflows (.github/workflows/codeql.yml, .github/workflows/dependency-review.yml)
  Introduces CodeQL analysis (Python language) and a Dependency Review workflow triggered on PRs; both pin action SHAs and set appropriate permissions.
Workflow permissions update (.github/workflows/main.yaml)
  Adds top-level and job-level contents: read permissions; no control-flow changes.
Pre-commit hooks (.pre-commit-config.yaml)
  Adds gitleaks v8.16.3 pre-commit hook configuration.

Sequence Diagram(s)

sequenceDiagram
  actor Dev as Developer
  participant GH as GitHub
  participant W1 as Workflow: CodeQL
  participant W2 as Workflow: Dependency Review
  participant W3 as Workflow: main.yaml (tests)
  Dev->>GH: Push / Pull Request / Schedule
  alt PR to main
    GH-->>W1: Trigger CodeQL
    GH-->>W2: Trigger Dependency Review
    GH-->>W3: Trigger tests
  else Push to main
    GH-->>W1: Trigger CodeQL
    GH-->>W3: Trigger tests
  end
  rect rgba(200,230,255,0.25)
    note over W1: CodeQL
    W1->>W1: actions/checkout@<sha>
    W1->>W1: init CodeQL (language: python)
    W1->>W1: analyze
    note over W1: permissions: contents/actions/security-events
  end
  rect rgba(200,255,200,0.25)
    note over W2: Dependency Review
    W2->>W2: actions/checkout@<sha>
    W2->>W2: dependency-review-action@<sha>
    note over W2: permissions: contents: read
  end
  rect rgba(255,245,200,0.25)
    note over W3: Tests
    W3->>W3: actions per existing config
    note over W3: permissions: contents: read (top-level & job)
  end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • sergiught

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped: CodeRabbit’s high-level summary is enabled.
Title Check | ✅ Passed | The title succinctly and accurately describes the primary change, which is hardening the GitHub Actions CI workflows, and follows conventional commit style without extraneous detail.
Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped.

@rhamzeh rhamzeh added this pull request to the merge queue Oct 3, 2025
Merged via the queue into openfga:main with commit 5bdc932 Oct 3, 2025
8 of 9 checks passed

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/main.yaml (1)

68-75: Publish job is missing contents: read; checkout will fail

Job-level permissions override defaults. With only id-token: write, actions/checkout lacks contents: read and will error. Add contents: read.

 publish: runs-on: ubuntu-latest if: startsWith(github.ref, 'refs/tags/v') needs: [test] permissions: - id-token: write # Required for PyPI trusted publishing + contents: read # Required by actions/checkout + id-token: write # Required for PyPI trusted publishing
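Review bot: the added `contents: read` is required, not optional, because a job-level `permissions:` block replaces the top-level one rather than merging with it: every scope the job block omits becomes none for that job, so the top-level `contents: read` set earlier in this file is not inherited by `publish`. The hunk keeps `id-token: write` next to it, which is the right shape for a checkout followed by PyPI trusted publishing. On the follow-up idea of dropping the top-level block in favour of per-job blocks: any job left without its own block then falls back to the repository's default token permissions, so that change only tightens scope if every job gets an explicit block.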

Optionally, remove the top-level permissions and define per-job permissions for tighter scope.

🧹 Nitpick comments (4)
.pre-commit-config.yaml (1)

1-5: Enable secret redaction and run in CI stages

Add gitleaks redact to avoid printing findings; optionally run on push to enforce in CI.

 repos: - repo: https://github.com/gitleaks/gitleaks rev: v8.16.3 hooks: - - id: gitleaks + - id: gitleaks + args: ["--redact"] + stages: [commit, push]
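Review bot: `stages: [commit, push]` uses the pre-3.2 stage names; pre-commit 3.2 and later spell them `pre-commit` and `pre-push` and warn on the old spelling, so pick the names matching the version the project installs. The `push` stage also only fires if the hook is installed with `pre-commit install --hook-type pre-push`; a plain `pre-commit install` does not enable it. Before adding `args: ["--redact"]`, check the `entry:` of the `gitleaks` hook in the pinned release's `.pre-commit-hooks.yaml`; if that entry already passes `--redact`, the extra arg is redundant.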

Optional next: add basic hygiene hooks (trailing-whitespace, end-of-file-fixer, check-yaml) in a follow-up.

.github/workflows/dependency-review.yml (1)

21-22: Fail builds on actionable severities and surface PR feedback

Configure the action to fail on at least high severity and comment the summary in PRs.

- - name: 'Dependency Review' - uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 # v4.8.0 + - name: 'Dependency Review' + uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 # v4.8.0 + with: + fail-on-severity: high + comment-summary-in-pr: true
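Review bot: two things in this suggested hunk need attention. First, `comment-summary-in-pr: true` makes the action post a comment, which needs `pull-requests: write` on the job's token; the workflow as described in this review only grants `contents: read`, so the hunk is incomplete without a matching `permissions:` change. Second, `fail-on-severity` is a threshold meaning "fail at this level or higher", and the action's default is `low`; setting it to `high` therefore relaxes the gate (moderate and low findings no longer fail the job) rather than tightening it. If that is the intended policy, say so in a comment next to the setting; if not, leave the default in place.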
.github/workflows/codeql.yml (2)

43-45: Align checkout version to v5 for consistency

main.yaml uses actions/checkout v5. Use the same here for consistency and Node20 baseline.

- - name: Checkout repository - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + - name: Checkout repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
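Review bot: the trailing `# v5.0.0` is a label only; the runner resolves the 40-hex SHA, so before accepting this hunk confirm that `08c6903cd8c0fde910a37f88322edcfb5dd907a8` is the commit the actions/checkout `v5.0.0` tag points to, otherwise the pin and its comment disagree and nobody notices. Note also that v5 is the checkout release that moved to the Node 24 runtime, so the point of aligning with main.yaml is consistency across runners, not a Node 20 baseline.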

55-59: Autobuild not needed for Python

For Python-only repos, Autobuild is unnecessary. Safe to remove to trim runtime.

- - name: Autobuild - uses: github/codeql-action/autobuild@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6 + # Autobuild is not required for Python; remove if not building compiled components.
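Review bot: removing the step is safe for a Python-only matrix, since CodeQL extracts Python source during init and analyze without a build, but the hunk replaces a `- name:` list item with a bare comment line, so check that the surrounding `steps:` list still parses (a comment where a list item used to be is harmless; a leftover `uses:` key without its `- name:` is not). If a compiled language is ever added to `language:`, autobuild or explicit build commands have to return.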
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0ea1063 and 910a554.

📒 Files selected for processing (4)
  • .github/workflows/codeql.yml (1 hunks)
  • .github/workflows/dependency-review.yml (1 hunks)
  • .github/workflows/main.yaml (1 hunks)
  • .pre-commit-config.yaml (1 hunks)
🔇 Additional comments (1)
.github/workflows/main.yaml (1)

13-15: Top‑level least‑privilege default looks good

Setting contents: read by default is appropriate.
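The permissions rules the reviews above rely on (a job-level `permissions:` block replaces the top-level one, so unlisted scopes become none; no block anywhere means the repository default applies) and the "pin actions to a commit SHA" practice from the PR description are easy to get wrong by eye. The following Python is an added example written for this page, not code from StepSecurity, CodeRabbit or the openfga project. It reads only the YAML subset these workflows use (2-space indentation, top-level `permissions:` and `jobs:`, per-job `permissions:`, and `uses:` lines) and is not a general YAML parser; the two workflow texts are constructed to mirror the shape of the `publish` job discussed in the review, and their 40-hex SHAs are placeholders, not real commits. Function names (`parse_workflow`, `effective_scope`, `audit_workflow`) are this example's own.

```python
"""Audit a GitHub Actions workflow for least-privilege GITHUB_TOKEN scopes
and SHA-pinned actions. Added example; assumes 2-space YAML indentation."""
import re

# A `uses:` reference counts as pinned only if it ends in a full 40-hex commit SHA.
SHA_PINNED = re.compile(r"@[0-9a-f]{40}$")


def _perm_value(val):
    # `permissions:` is a scalar (`read-all` / `write-all`) or a mapping of scopes.
    return {} if val in ("", "{}") else val


def parse_workflow(text):
    """Return (top_level_permissions, jobs).  Permissions are None (unset), a
    scalar string, or a dict scope -> access.  Each job records its own
    permissions block (None if absent) and every `uses:` reference it makes."""
    top, jobs, section, job, in_job_perms = None, {}, None, None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, val = line.strip().lstrip("- ").partition(":")
        key, val = key.strip(), val.strip()
        if indent == 0:                                # new top-level section
            section, job = key, None
            if key == "permissions":
                top = _perm_value(val)
            continue
        if section == "permissions":                   # scopes under top-level block
            if isinstance(top, dict) and indent == 2:
                top[key] = val
            continue
        if section != "jobs":
            continue
        if indent == 2:                                # job name
            job = jobs.setdefault(key, {"permissions": None, "uses": []})
            in_job_perms = False
            continue
        if job is None:
            continue
        if indent == 4:                                # job-level key
            in_job_perms = key == "permissions"
            if in_job_perms:
                job["permissions"] = _perm_value(val)
            continue
        if in_job_perms and indent == 6 and isinstance(job["permissions"], dict):
            job["permissions"][key] = val              # scope under the job block
        elif key == "uses":
            job["uses"].append(val)
    return top, jobs


def effective_scope(top, job_perms, scope):
    """Resolve one scope for a job: a job block replaces the top-level block
    entirely (unlisted scopes become none); with neither set, the repository
    default applies and is reported as 'default'."""
    perms = job_perms if job_perms is not None else top
    if perms is None:
        return "default"
    if isinstance(perms, str):
        return "write" if perms == "write-all" else "read"
    return perms.get(scope, "none")


def audit_workflow(text):
    """Return a list of findings; an empty list means every check passed."""
    top, jobs = parse_workflow(text)
    findings = []
    if top == "write-all":
        findings.append("top-level permissions is write-all")
    for name, job in jobs.items():
        if job["permissions"] == "write-all":
            findings.append(f"{name}: job permissions is write-all")
        if job["permissions"] is None and top is None:
            findings.append(f"{name}: no permissions block; token falls back to the repository default")
        for ref in job["uses"]:
            if not SHA_PINNED.search(ref):
                findings.append(f"{name}: {ref} is not pinned to a full commit SHA")
        uses_checkout = any(ref.startswith("actions/checkout@") for ref in job["uses"])
        if uses_checkout and effective_scope(top, job["permissions"], "contents") == "none":
            findings.append(f"{name}: runs actions/checkout but effective contents permission is none")
    return findings


# Constructed workflows (placeholder SHAs), shaped like the publish job in the review.
BEFORE = """name: ci
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pytest
  publish:
    runs-on: ubuntu-latest
    needs: [test]
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder
      - uses: pypa/gh-action-pypi-publish@release/v1
"""

AFTER = BEFORE.replace("actions/checkout@v4",
                       "actions/checkout@0123456789abcdef0123456789abcdef01234567") \
              .replace("    permissions:\n      id-token: write",
                       "    permissions:\n      contents: read\n      id-token: write") \
              .replace("pypa/gh-action-pypi-publish@release/v1",
                       "pypa/gh-action-pypi-publish@fedcba9876543210fedcba9876543210fedcba98")

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_workflow(wf) or "clean")
```

Run it as a script to see the `before` workflow produce three findings (two unpinned actions and the `publish` job losing `contents` through its own permissions block) and the `after` workflow come back clean; the same functions can be pointed at the repository's real `.github/workflows/*.yaml` files as a pre-merge check.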

