
chore(ci): Harden GitHub Actions #132

Merged
rhamzeh merged 1 commit into openfga:main from step-security-bot:chore/GHA-031325-stepsecurity-remediation
Oct 3, 2025

Conversation


@step-security-bot step-security-bot commented Oct 3, 2025

Summary

This pull request is created by StepSecurity at the request of @rhamzeh. Please merge the Pull Request to incorporate the requested changes. Please tag @rhamzeh on your message if you have any questions related to the PR.

Security Fixes

Least Privileged GitHub Actions Token Permissions

The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.

Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to a full-length commit.

Feedback

For bug reports, feature requests, and general feedback, please email [email protected]. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot [email protected]

Summary by CodeRabbit

  • Chores
    • Hardened CI security by pinning third-party actions to exact commit SHAs.
    • Updated Code Scanning workflow permissions to follow least-privilege (read for contents; write for security events during analysis).
    • Maintained existing workflow behavior with no impact to user-facing functionality.

Signed-off-by: StepSecurity Bot <[email protected]>
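As an added example, not code from this PR or from the openfga or StepSecurity projects, the following line-based audit flags the two weaknesses the PR fixes: a workflow with no top-level `permissions:` block (so `GITHUB_TOKEN` keeps its default scope) and any `uses:` reference not pinned to a full-length commit SHA. The two sample workflows are constructed for the example, and the SHAs in the hardened one are placeholders rather than real commits.

```python
import re

# A 40-hex commit SHA is immutable; a tag such as v4 or a branch name can be moved later.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
TOP_KEY_RE = re.compile(r"^([A-Za-z_-]+):")  # unindented keys only, e.g. a top-level permissions:

def audit_workflow(text: str) -> list[str]:
    """Findings for the two controls in the PR: a top-level `permissions:` block
    and every `uses:` pinned to a full commit SHA (line-based, no YAML library)."""
    lines = text.splitlines()
    findings = []
    top_keys = [TOP_KEY_RE.match(ln).group(1) for ln in lines if TOP_KEY_RE.match(ln)]
    if "permissions" not in top_keys:
        findings.append("no top-level permissions: GITHUB_TOKEN keeps the default scope")
    for n, ln in enumerate(lines, 1):
        m = USES_RE.match(ln)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local actions carry no ref; container images need a digest check instead
        action, _, version = m.group(1).partition("@")
        if not SHA_RE.match(version):
            findings.append(f"line {n}: {action} uses mutable ref {version or '<none>'}")
    return findings

# Constructed sample in the shape of a CodeQL workflow BEFORE hardening (not the repo's file).
BEFORE = """\
name: CodeQL
jobs:
  analyze:
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
      - uses: github/codeql-action/analyze@v3
"""

# The same workflow AFTER hardening; the SHAs below are placeholders, not real commits.
AFTER = """\
name: CodeQL
permissions:
  contents: read
jobs:
  analyze:
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4
      - uses: github/codeql-action/init@1111111111111111111111111111111111111111  # v3
      - uses: github/codeql-action/analyze@2222222222222222222222222222222222222222  # v3
"""
```

Running `audit_workflow(BEFORE)` reports the missing permissions block plus one mutable ref per step; `audit_workflow(AFTER)` returns no findings.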
@step-security-bot step-security-bot requested a review from a team as a code owner October 3, 2025 13:25

coderabbitai bot commented Oct 3, 2025

Walkthrough

Updated the CodeQL GitHub Actions workflow to add explicit permissions and pin actions to specific commit SHAs while keeping the overall job structure unchanged.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| GitHub Actions workflow hardening: `.github/workflows/codeql.yml` | Added top-level permissions: `contents: read`. Added per-job permissions for `analyze`: `security-events: write`. Pinned actions to exact commit SHAs for `actions/checkout`, `github/codeql-action/init`, and `github/codeql-action/analyze`. No structural job changes. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title Check | ✅ Passed | The title "chore(ci): Harden GitHub Actions" concisely and accurately reflects the primary change of the pull request, which is applying security hardening to the CI workflows by setting least-privileged permissions and pinning action SHAs; it uses a clear conventional commit format and directly conveys the main intent without unnecessary detail. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 65a38bc and f905284.

📒 Files selected for processing (1)
  • .github/workflows/codeql.yml (3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: Test net8.0 on windows-latest
  • GitHub Check: Test net8.0 on macos-latest
  • GitHub Check: Test net9.0 on ubuntu-latest
  • GitHub Check: Test net8.0 on ubuntu-latest
  • GitHub Check: Test netcoreapp3.1 on windows-latest
  • GitHub Check: Test net6.0 on ubuntu-latest
  • GitHub Check: Test net48 on windows-latest
  • GitHub Check: Build Verification
  • GitHub Check: Analyze (csharp)


@rhamzeh rhamzeh added this pull request to the merge queue Oct 3, 2025
Merged via the queue into openfga:main with commit 87f70b1 Oct 3, 2025
22 checks passed