From cf536a91e2b3bdb20c6ad9efcd4e07eebdbaf555 Mon Sep 17 00:00:00 2001 From: Boyan Velinov Date: Tue, 26 May 2026 13:52:24 +0300 Subject: [PATCH 1/2] Harden GitHub workflows to least-privilege read-only permissions --- .github/workflows/check-commit-message.yml | 4 ++++ .github/workflows/codeql.yml | 2 ++ .github/workflows/pull-request-build.yml | 4 ++++ 3 files changed, 10 insertions(+) diff --git a/.github/workflows/check-commit-message.yml b/.github/workflows/check-commit-message.yml index 5e283a3..b6a5b2c 100644 --- a/.github/workflows/check-commit-message.yml +++ b/.github/workflows/check-commit-message.yml @@ -4,10 +4,14 @@ on: pull_request: types: [synchronize, opened] +permissions: {} + jobs: check_commit_message: name: Check Commit Message runs-on: ubuntu-latest + permissions: + pull-requests: read steps: - name: Check Commit Message diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index bb10470..b2a5e9a 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -9,6 +9,8 @@ on: schedule: - cron: '30 10 * * 4' +permissions: {} + jobs: analyze: name: Analyze diff --git a/.github/workflows/pull-request-build.yml b/.github/workflows/pull-request-build.yml index 87d2eaf..d7bf658 100644 --- a/.github/workflows/pull-request-build.yml +++ b/.github/workflows/pull-request-build.yml @@ -4,9 +4,13 @@ on: pull_request: branches: [ master ] +permissions: {} + jobs: build: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v3 From e9c9c0160fa81e7249bf2e33ede939a4b259ed91 Mon Sep 17 00:00:00 2001 From: Boyan Velinov Date: Wed, 27 May 2026 18:34:44 +0300 Subject: [PATCH 2/2] Harden github workflows Jira: LMCROSSITXSADEPLOY-3520 --- .github/workflows/check-commit-message.yml | 2 +- .github/workflows/codeql.yml | 8 ++++---- .github/workflows/pull-request-build.yml | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) 
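Review bot: The job-level `pull-requests: read` added under `check_commit_message` is only sufficient if the `actions/github-script` step that follows merely reads PR data; the script body lies outside this hunk, so confirm it does not also set a commit status or post a review comment, which would now fail under the top-level `permissions: {}` and need `statuses: write` or `pull-requests: write`. Because the workflow runs on `pull_request`, the commit messages it inspects can come from untrusted forks; if any later step echoes them into a `run:` script, pass them via an `env:` variable rather than `${{ }}` interpolation. A short comment above the new block, e.g. `# token is read-only here; widen only if the script ever needs to write`, would make the intent explicit for whoever adds the next step.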
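Review bot: With `permissions: {}` now at the top of codeql.yml, the `analyze` job must declare its own grants or `codeql-action/analyze` will be unable to upload SARIF results; it needs `security-events: write`, plus `contents: read` for checkout and `actions: read` on private repositories. The job body continues past `name: Analyze` outside this hunk, so I cannot see whether such a block already exists (the stock CodeQL template ships with one). If it does not, add `permissions: { actions: read, contents: read, security-events: write }` under the job, and verify with a manual or scheduled run rather than waiting for the weekly `cron` trigger to surface a 403.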
diff --git a/.github/workflows/check-commit-message.yml b/.github/workflows/check-commit-message.yml index b6a5b2c..32bad8f 100644 --- a/.github/workflows/check-commit-message.yml +++ b/.github/workflows/check-commit-message.yml @@ -16,7 +16,7 @@ jobs: steps: - name: Check Commit Message id: commits - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6 with: script: | const prNumber = context.payload.pull_request.number; diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b2a5e9a..9339cd0 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -33,18 +33,18 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/pull-request-build.yml b/.github/workflows/pull-request-build.yml index d7bf658..36cf43b 100644 --- a/.github/workflows/pull-request-build.yml +++ b/.github/workflows/pull-request-build.yml @@ -12,10 +12,10 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - name: Set up Go - uses: actions/setup-go@v3 + uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3 with: go-version: '1.24'
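Review bot: The trailing `# v6` on the new `actions/github-script@d7906e4…` line records only the major line, so neither a reader nor Dependabot/Renovate can tell which release the SHA corresponds to or whether a newer one exists; pin comments should carry the exact tag the SHA was resolved from, e.g. `# v6.4.1` if that is the release this commit pinned (I believe it is, but verify against the tag). Pinned SHAs also stop receiving fixes unless something bumps them, so pair this change with a `.github/dependabot.yml` entry for the `github-actions` ecosystem, which updates both the SHA and the version comment together. The `with: script:` body continues outside the hunk.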
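Review bot: All three `github/codeql-action/*@b8d3b6e8…` steps are pinned to a `v2` SHA, but to my recollection CodeQL Action v2 is no longer supported on github.com, so pinning freezes an end-of-life line; confirm and, if so, move `init`, `autobuild` and `analyze` to one SHA taken from a current `v3` release, keeping the exact tag in the comment (e.g. `# v3.x.y`). The same caveat likely applies to `actions/checkout@f43a0e5…` (`v3`), which I believe is a Node 16 action that GitHub has been deprecating in favour of `v4`. Keeping all three CodeQL steps on a single SHA, as this hunk does, is the right shape and should be preserved when bumping.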