From 20f38cc4de84f2e83ec00b867dd2f179cdb6c194 Mon Sep 17 00:00:00 2001 From: Anton Gilgur Date: Sun, 6 Apr 2025 14:40:19 -0400 Subject: [PATCH] ci: pin actions & limit token permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - following the [`tj-actions` supply chain attack](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised), figured I should harden some of my small repos too - follow [OpenSSF Scorecard best practices](https://github.com/ossf/scorecard/blob/43d5832d25ccc597a9b94926b6ad43da25204085/docs/checks.md) - specifically "Pinned Dependencies" and "Token Permissions" - In the future, may add [`falco-actions`](https://github.com/falcosecurity/falco-actions) etc for anomaly detection - see also https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/ - based off OSS Falco, more powerful than and without restrictions unlike [`harden-runner`](https://github.com/step-security/harden-runner), although it doesn't have proactive egress blocking via an allowlist as `harden-runner` does 😕 - right now, adding those actions could arguably add _more_ surface area given the small usage of the current actions (could be a premature optimization rn) Co-authored-by: StepSecurity Bot --- .github/workflows/ci.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 18a22d5..129b642 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,9 @@ name: CI on: [push, pull_request] + +permissions: + contents: read + jobs: ci: name: CI - Node ${{ matrix.node-version }}, ${{ matrix.os }} 
@@ -12,9 +16,9 @@ jobs: steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Setup Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 + uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0 with: node-version: ${{ matrix.node-version }} cache: 'npm' @@ -31,4 +35,4 @@ jobs: - name: Test w/ coverage report run: npm run test:coverage - name: Upload coverage report to Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0
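Review bot: on the first hunk (`@@ -1,5 +1,9 @@`), a workflow-level `permissions:` block that lists only `contents: read` also sets every unlisted scope (`pull-requests`, `checks`, `id-token`, ...) to none for every job in the file, which is the right default for a workflow whose visible steps are checkout, setup-node, `npm run test:coverage` and a coverage upload; it is worth spelling that out in the commit message, because anyone who later adds a step that comments on PRs or writes check runs will need a job-level `permissions:` override rather than widening this block.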
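Review bot: on the second hunk (`@@ -12,9 +16,9 @@`), nothing ties `11bd71901bbe5b1630ceea73d27597364c9af683` to `v4.2.2` or `cdca7365b2dadb8aad0a33bc7601856ffabcc48e` to `v4.3.0` except the trailing comment, so each SHA should be checked against the tag before merge (`git ls-remote --tags https://github.com/actions/checkout v4.2.2`, comparing the peeled `^{}` line if the tag is annotated). Pinning also only helps if something refreshes the pins: if the repo has no `.github/dependabot.yml` entry with `package-ecosystem: github-actions`, add one in this PR so the SHA and the `# vX.Y.Z` comment are bumped together instead of rotting.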
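Review bot: on the third hunk (`@@ -31,4 +35,4 @@`), the Codecov step's `with:` inputs are outside the diff, so it is not visible whether the upload authenticates with a `CODECOV_TOKEN` secret or via OIDC (the action's `use_oidc` input); with the new workflow-level `contents: read` the job no longer has `id-token: write`, which the OIDC path needs, so please confirm the step still passes on a push and on a fork pull request after this change. Keep the `@<sha> # v5.4.0` form exactly as written, since Dependabot and Renovate rewrite that comment alongside the SHA.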