From 59adf49bdb53ec52478f5ba92aa19b34bc5d6388 Mon Sep 17 00:00:00 2001
From: RelunSec
Date: Tue, 24 Mar 2026 05:25:57 -0700
Subject: [PATCH 1/5] Harden Github Actions

---
 .github/workflows/integration.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index 0a89b94..717c3be 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -2,6 +2,10 @@
 on: [push, pull_request] # yamllint disable-line rule:truthy
 
 name: Integration tests
+permissions:
+  contents: read
+
 jobs:
   integration-tests:
     uses: coreruleset/crs-plugin-test-action/.github/workflows/integration.yaml@738f25b8d5ee671dcc8ba76aa29365ffd690309a # v3.0.0
+    secrets: inherit

From 789cde8ed1b7f423cce7616356feb5f6fcdaf927 Mon Sep 17 00:00:00 2001
From: RelunSec
Date: Tue, 24 Mar 2026 05:28:54 -0700
Subject: [PATCH 2/5] Harden Plugin Lint action

---
 .github/workflows/lint.yml | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 936c9ad..50a6414 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,6 +1,19 @@
----
 on: [push, pull_request] # yamllint disable-line rule:truthy
+name: Plugin lint
+
+permissions:
+  contents: read # restrict repo access
+  actions: none # no workflow modification
+  checks: none
+  deployments: none
+  issues: none
+  packages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
 
 jobs:
   plugin-lint:
-    uses: coreruleset/crs-plugin-test-action/.github/workflows/lint.yaml@main
+    uses: coreruleset/crs-plugin-test-action/.github/workflows/lint.yaml@7e1ee6d07105ae3cb6eec95e45acb5e1a895e3d4 # pinned SHA for v3.0.0
+    secrets: inherit

From 0865a6882aae1848684800ac430138f333bef4fa Mon Sep 17 00:00:00 2001
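Review bot: The new `permissions:` block in `integration.yml` carries no comment saying why the token is narrowed, while the sibling `lint.yml` in this same series annotates its `contents: read`; the next person who needs a write scope for the called workflow has nothing telling them the narrowing is deliberate. Document it directly above the block, for example `# Least privilege: the GITHUB_TOKEN is read-only for every job, and a called reusable workflow cannot be granted more than the caller sets here.` The `secrets: inherit` line added in this hunk is withdrawn later in the series, so it is not raised here.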
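Review bot: The new `uses:` line pins `lint.yaml` to `7e1ee6d07105ae3cb6eec95e45acb5e1a895e3d4` and labels it `# pinned SHA for v3.0.0`, but `integration.yml` in this series pins `738f25b8d5ee671dcc8ba76aa29365ffd690309a` from the same `coreruleset/crs-plugin-test-action` repository as `# v3.0.0`; one tag resolves to one commit, so at least one of the two labels does not describe the SHA next to it. Resolve the tag once (e.g. `git ls-remote --tags https://github.com/coreruleset/crs-plugin-test-action 'v3.0.0^{}'`) and correct whichever comment is wrong, because reviewers and pin-update tooling trust that comment to say what a bare SHA is, and a misleading label is worse than none. The hunk also deletes the `---` document-start marker on its first line (`----`), which looks unintended: `integration.yml` keeps it, and yamllint's default `document-start` rule, which this file already accommodates with its `disable-line` directive, will presumably flag the removal. Keep the `---` line; the rest of the hunk can stay as written.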
From: RelunSec
Date: Tue, 24 Mar 2026 05:31:27 -0700
Subject: [PATCH 3/5] Removed other permissions

---
 .github/workflows/lint.yml | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 50a6414..c8e768b 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -3,15 +3,6 @@ name: Plugin lint
 
 permissions:
   contents: read # restrict repo access
-  actions: none # no workflow modification
-  checks: none
-  deployments: none
-  issues: none
-  packages: none
-  pull-requests: none
-  repository-projects: none
-  security-events: none
-  statuses: none
 
 jobs:
   plugin-lint:

From 63c13dcc205d31db903f06b652ae799e44dcb867 Mon Sep 17 00:00:00 2001
From: RelunSec
Date: Tue, 24 Mar 2026 05:32:05 -0700
Subject: [PATCH 4/5] Removed secrets inherit

---
 .github/workflows/integration.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index 717c3be..03bca75 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -8,4 +8,3 @@ permissions:
 jobs:
   integration-tests:
     uses: coreruleset/crs-plugin-test-action/.github/workflows/integration.yaml@738f25b8d5ee671dcc8ba76aa29365ffd690309a # v3.0.0
-    secrets: inherit

From ed9758d19c87af90989f063d9c78a95225cb259d Mon Sep 17 00:00:00 2001
From: RelunSec
Date: Tue, 24 Mar 2026 05:32:31 -0700
Subject: [PATCH 5/5] Remove secrets inherit

---
 .github/workflows/lint.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index c8e768b..9d54f38 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -7,4 +7,3 @@ permissions:
 jobs:
   plugin-lint:
     uses: coreruleset/crs-plugin-test-action/.github/workflows/lint.yaml@7e1ee6d07105ae3cb6eec95e45acb5e1a895e3d4 # pinned SHA for v3.0.0
-    secrets: inherit