undercover-cactus
|
4631a9947a
|
move publish action from workflow template to a local action
|
2026-02-12 09:06:21 +01:00 |
|
Steve Degosserie
|
746fce9328
|
security: 🛡️ Harden GitHub Actions workflows (#349)
## Summary
This PR addresses several security vulnerabilities and applies hardening
measures to the GitHub Actions workflows:
- **Replace `secrets: inherit` with explicit secret passing** - Prevents
unnecessary exposure of all repository secrets to called workflows
- **Add SHA256 checksum verification for downloaded binaries** -
Protects against supply chain attacks via compromised upstream releases
- **Add GitHub Environment protections for release workflows** -
Requires approval before publishing to Docker Hub or creating releases
- **Add explicit minimal permissions to all workflows** - Follows
principle of least privilege, removes unnecessary `packages: write` from
CI.yml
## Changes by Category
### 1. Explicit Secret Passing
| Workflow | Before | After |
|----------|--------|-------|
| CI.yml → docker-build-ci | `secrets: inherit` | No secrets (GITHUB_TOKEN is automatic) |
| CI.yml → docker-build-release | `secrets: inherit` | Explicit `DOCKERHUB_USERNAME`, `DOCKERHUB_TOKEN` |
| CI.yml → e2e-tests | `secrets: inherit` | No secrets (GITHUB_TOKEN is automatic) |
### 2. Binary Checksum Verification
| Workflow | Binary | SHA256 |
|----------|--------|--------|
| task-rust-lint.yml | taplo 0.8.1 | `c62baa73c9d7c1572...` |
| task-e2e.yml | kurtosis 1.11.99 | `5e88e98c1b255362...` |
### 3. Environment Protections
| Workflow | Job | Environment |
|----------|-----|-------------|
| task-docker-release.yml | build-test-push | `production` |
| task-publish-binary.yml | publish-draft-release | `releases` |
| task-publish-binary.yml | docker-release-candidate | `production` |
| task-publish-runtime.yml | publish-draft-release | `releases` |
### 4. Explicit Permissions
All 14 workflow files now have explicit `permissions:` blocks with
minimal required access.
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Ahmad Kaouk <56095276+ahmadkaouk@users.noreply.github.com>
|
2025-12-12 09:52:50 +00:00 |
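The four measures listed in commit 746fce9328 (explicit secret passing, checksum verification of a downloaded binary, environment protection on release jobs, and explicit minimal `permissions:`) can be seen together in one caller/callee pair. The following is an added illustration, not the project's own CI.yml or task-docker-release.yml: workflow, job, secret and environment names follow the commit message, while the taplo download URL, the tag format and the `actions/checkout` / `docker/login-action` versions are assumptions, and the full checksum value is a placeholder because the commit message only shows a truncated prefix.

```yaml
# .github/workflows/CI.yml (caller) -- added example, not the project's file.
name: CI
on:
  push:
    branches: [main]
  pull_request:

# Least privilege at workflow level: read-only by default, so a job never
# gets packages:write or contents:write unless it asks for it explicitly.
permissions:
  contents: read

jobs:
  docker-build-ci:
    # No `secrets:` key at all. GITHUB_TOKEN is supplied to the called
    # workflow automatically, so nothing else has to cross the boundary.
    uses: ./.github/workflows/task-docker-ci.yml
    permissions:
      contents: read

  docker-build-release:
    if: startsWith(github.ref, 'refs/tags/')
    uses: ./.github/workflows/task-docker-release.yml
    permissions:
      contents: read
    # Explicit passing instead of `secrets: inherit`: only the two Docker Hub
    # credentials are visible to the called workflow, not every repo secret.
    secrets:
      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}

---
# .github/workflows/task-docker-release.yml (callee) -- added example.
name: task-docker-release
on:
  workflow_call:
    # Declaring the secrets as required makes a caller that forgets to pass
    # them fail at workflow validation rather than at `docker login`.
    secrets:
      DOCKERHUB_USERNAME:
        required: true
      DOCKERHUB_TOKEN:
        required: true

permissions:
  contents: read

jobs:
  build-test-push:
    runs-on: ubuntu-latest
    # Binding the job to the `production` environment pauses it until the
    # environment's required reviewers approve, and environment-scoped
    # secrets are only released to jobs that name that environment.
    environment: production
    steps:
      - uses: actions/checkout@v4   # assumed version

      - name: Install taplo (pinned version, SHA256 verified before use)
        env:
          TAPLO_VERSION: "0.8.1"
          # Placeholder: the full 64-hex-character digest goes here. The
          # commit message only shows the prefix c62baa73c9d7c1572...
          TAPLO_SHA256: "<full sha256 of the taplo 0.8.1 release archive>"
        run: |
          set -euo pipefail
          # Assumed asset URL and tag format; adjust to the real release.
          curl -fsSL -o taplo.gz \
            "https://github.com/tamasfe/taplo/releases/download/${TAPLO_VERSION}/taplo-full-linux-x86_64.gz"
          # sha256sum exits non-zero on mismatch, failing the job before
          # the binary is ever executed (a tampered upstream release or a
          # swapped asset is caught here, not at runtime).
          echo "${TAPLO_SHA256}  taplo.gz" | sha256sum --check --strict
          gunzip taplo.gz && chmod +x taplo && sudo mv taplo /usr/local/bin/

      - name: Log in to Docker Hub with the explicitly passed secrets
        uses: docker/login-action@v3   # assumed version
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
```

Two checks worth running after a change like this: confirm each `uses:` of a reusable workflow has no `secrets: inherit` left (`grep -rn 'secrets: inherit' .github/workflows/` should return nothing), and confirm the environments named in the jobs (`production`, `releases`) actually exist with required reviewers configured in the repository settings, since a job that references a non-existent environment is created unprotected rather than rejected.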
|
Steve Degosserie
|
51ffcae5f0
|
Revert "feat: statically build binary (#292)" (#330)
This reverts commit f84b6debb7.
|
2025-12-02 15:42:43 +01:00 |
|
Steve Degosserie
|
e38843455b
|
fix: 🔨 Disable static binary build for now (#328)
|
2025-12-02 14:53:05 +01:00 |
|
undercover-cactus
|
f84b6debb7
|
feat: statically build binary (#292)
Co-authored-by: Gonza Montiel <gonzamontiel@users.noreply.github.com>
|
2025-11-28 13:38:05 +00:00 |
|
Steve Degosserie
|
ba1cc63cb0
|
fix: 🔨 Run publish binary task on ephemeral runner (#307)
Co-authored-by: Ahmad Kaouk <56095276+ahmadkaouk@users.noreply.github.com>
|
2025-11-22 15:54:49 +01:00 |
|
Steve Degosserie
|
b5bc2de11e
|
fix: 🔧 Fix incorrect args in release Docker image publishing workflow (#256)
|
2025-10-27 15:13:14 +02:00 |
|
Steve Degosserie
|
696a716ff8
|
fix: Use DH self-hosted runners for the Publish Draft Binary gh action (#183)
|
2025-09-23 00:05:06 +02:00 |
|
Steve Degosserie
|
34488aab25
|
fix: Use DH self-hosted runners for the Publish Draft Binary gh action (#182)
|
2025-09-22 22:06:39 +02:00 |
|
Steve Degosserie
|
72f8963fdf
|
fix: 🔧 Temporarily disable Skylake & Zenv3 binaries on client release (#179)
Temporarily disable Skylake & Zenv3 binaries when publishing a client
release
|
2025-09-18 16:14:38 +02:00 |
|
Steve Degosserie
|
5c2fe2a7a1
|
fix: Fix publish binary gh action (#177)
|
2025-09-18 08:04:54 +02:00 |
|
Steve Degosserie
|
5b55659bba
|
fix: Fix publish binary gh action (#176)
|
2025-09-18 07:46:33 +02:00 |
|
Steve Degosserie
|
a2b385889f
|
fix: Fix publish binary gh action (#175)
|
2025-09-18 07:39:04 +02:00 |
|