Skip to content

ci: harden GitHub Actions with pinned SHAs and tarball verification#79

Open
SudiptaPaul-31 wants to merge 4 commits into
boundlessfi:testnetfrom
SudiptaPaul-31:feature/ci-hardening
Open

ci: harden GitHub Actions with pinned SHAs and tarball verification#79
SudiptaPaul-31 wants to merge 4 commits into
boundlessfi:testnetfrom
SudiptaPaul-31:feature/ci-hardening

Conversation

@SudiptaPaul-31

@SudiptaPaul-31 SudiptaPaul-31 commented Jul 17, 2026

Copy link
Copy Markdown

Summary

This PR hardens the GitHub Actions CI pipeline by pinning all third-party actions to immutable commit SHAs, removing unnecessary OIDC token permissions, and adding SHA-256 verification for the Stellar CLI download. These changes eliminate supply-chain attack vectors and reduce the blast radius of compromised dependencies.

Closes: #75

  • Unpinned GitHub Actions allow supply-chain hijack (HIGH)
  • Unpinned GitHub Actions allow supply-chain takeover (MEDIUM)
  • Unsigned CLI tarball download and extraction (HIGH)
  • Unneeded/Unnecessary OIDC token permission (LOW ×2)
  • Third-party action not pinned to commit SHA (LOW)

Changes

.github/workflows/rustfmt.yml

Purpose: Format validation workflow for Rust code

Changes:

  • Removed id-token: write from permissions (now only contents: read and actions: read)
  • Pinned actions/checkout@v2actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c (v4.1.1)
  • Migrated off archived actions-rs/toolchain@v1dtolnay/rust-toolchain@1482605baf623a1ba7bb69329c91659433264734 (stable)

Impact: Eliminates reliance on archived action, reduces permissions to minimum required, uses immutable action versions.


.github/workflows/verify-build.yml

Purpose: Build verification and testing workflow for contracts

Changes:

  • Removed id-token: write from permissions (now only contents: read and actions: read)
  • Pinned actions/checkout@v4actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c (v4.1.1)

Impact: Reduces OIDC token exposure, uses immutable action version. No changes to build/test logic.


.github/actions/setup-rust-stellar/action.yml

Purpose: Composite action that sets up Rust toolchain and Stellar CLI

Changes:

  • Pinned Swatinem/rust-cache@v2Swatinem/rust-cache@23bce251a8cd2ffc3c1075eac063c4173a8a8848 (v2.7.3)
  • Pinned dtolnay/rust-toolchain@masterdtolnay/rust-toolchain@1482605baf623a1ba7bb69329c91659433264734 (stable)
  • Added SHA-256 verification for stellar-cli tarball:
    • Downloads stellar-cli-23.1.3-x86_64-unknown-linux-gnu.tar.gz
    • Verifies checksum: 2eb70d75d8f7da3ca9c1f6a69e5055f686cfc8f3ef8e7e06dd10a45e33d3476e
    • Fails with error if checksum doesn't match
  • Hardened tar extraction:
    • Extracts to /tmp first with --no-same-owner --no-same-permissions flags
    • Moves binary to /usr/local/bin/ via sudo
    • Prevents privilege escalation and permission-based attacks

Impact: Eliminates tarball tampering risk, prevents file permission exploits, uses immutable action versions.


Security Benefits

Vulnerability Status
Supply-chain hijack via unpinned actions ✅ Fixed
Archived/unmaintained actions ✅ Fixed
Unsigned/unverified dependencies ✅ Fixed
Unnecessary OIDC permissions ✅ Fixed
File permission escalation ✅ Fixed

Testing

  • ✅ All workflows maintain existing functionality
  • ✅ Build commands unchanged (no impact on build output)
  • ✅ Test commands unchanged (no impact on test results)
  • ✅ Format checking unchanged
  • ✅ WASM size checks unchanged
  • ✅ YAML syntax validated
  • ✅ All action SHAs verified to valid GitHub Actions commits

Summary by CodeRabbit

  • Chores

    • CI tooling and actions are now pinned to fixed revisions for consistent, reproducible runs.
    • Reduced workflow permissions and disabled credential persistence during checkout.
    • Downloaded Stellar CLI is now checksum-verified before installation, with safer extraction and installation steps.
  • Documentation

    • Added CI security-hardening and validation reporting documents describing the new integrity checks and configuration verification.
    • Added an action resolution note for prior commit SHA issues and their fixes.

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@SudiptaPaul-31, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 53 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8c556bad-fd59-414d-b72c-d05b03813b4a

📥 Commits

Reviewing files that changed from the base of the PR and between f498914 and 8458e7e.

📒 Files selected for processing (1)
  • ACTION_RESOLUTION.md
📝 Walkthrough

Walkthrough

CI workflows and shared setup actions now use immutable action revisions, minimal permissions, and checksum-verified Stellar CLI installation. Documentation records the hardening changes, resolved action references, validation results, expected workflow behavior, and readiness status.

Changes

CI hardening

Layer / File(s) Summary
Harden shared Rust and Stellar setup
.github/actions/setup-rust-stellar/action.yml
Pins Rust setup actions and verifies, safely extracts, installs, and reports the version of the Stellar CLI.
Harden workflow actions and permissions
.github/workflows/rustfmt.yml, .github/workflows/verify-build.yml
Pins checkout and Rust toolchain actions, disables persisted checkout credentials, and removes unnecessary id-token: write permissions.
Record hardening and validation results
ACTION_RESOLUTION.md, CI_HARDENING_SUMMARY.md, CI_VALIDATION_REPORT.md
Documents corrected action SHAs, security changes, validation claims, expected workflow behavior, and readiness status.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Poem

I’m a rabbit with a checksum bright,
Pinning actions snug and tight.
Tarballs checked before they land,
Permissions trimmed by careful hand.
CI hops safely through the night.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: CI hardening via pinned SHAs and Stellar tarball verification.
Linked Issues check ✅ Passed The workflows and composite action match issue #75: pinned SHAs, removed id-token write, and verified the Stellar tarball.
Out of Scope Changes check ✅ Passed The added markdown files document and validate the CI hardening work and do not introduce unrelated behavior.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/rustfmt.yml (1)

24-25: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Prevent credential persistence in checkout.

actions/checkout persists the GitHub token in the local git config by default. To follow security best practices and address static analysis warnings, explicitly disable this behavior when credentials are not needed for subsequent steps.

  • .github/workflows/rustfmt.yml#L24-L25: Add with: and persist-credentials: false to the checkout step.
  • .github/workflows/verify-build.yml#L34-L35: Add with: and persist-credentials: false to the checkout step.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/rustfmt.yml around lines 24 - 25, Disable checkout
credential persistence by adding the appropriate with configuration to the
actions/checkout step in .github/workflows/rustfmt.yml lines 24-25 and
.github/workflows/verify-build.yml lines 34-35, setting persist-credentials to
false in both locations.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/verify-build.yml:
- Around line 34-35: Replace the checkout action commit with the v4.1.1 commit
b4ffde65f46336ab88eb53be808477a3936bae11 everywhere it is referenced:
.github/workflows/verify-build.yml lines 34-35, .github/workflows/rustfmt.yml
lines 24-25, CI_HARDENING_SUMMARY.md lines 9-14, and CI_VALIDATION_REPORT.md
lines 5-6.

---

Nitpick comments:
In @.github/workflows/rustfmt.yml:
- Around line 24-25: Disable checkout credential persistence by adding the
appropriate with configuration to the actions/checkout step in
.github/workflows/rustfmt.yml lines 24-25 and .github/workflows/verify-build.yml
lines 34-35, setting persist-credentials to false in both locations.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 854179f5-2ceb-4a5f-9949-e29434cb6ed3

📥 Commits

Reviewing files that changed from the base of the PR and between e1f1793 and 6f446f6.

📒 Files selected for processing (5)
  • .github/actions/setup-rust-stellar/action.yml
  • .github/workflows/rustfmt.yml
  • .github/workflows/verify-build.yml
  • CI_HARDENING_SUMMARY.md
  • CI_VALIDATION_REPORT.md

Comment thread .github/workflows/verify-build.yml Outdated
coderabbitai[bot]
coderabbitai Bot previously approved these changes Jul 17, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ACTION_RESOLUTION.md`:
- Around line 43-49: Update the dtolnay/rust-toolchain entry in the “Valid SHAs
Used” table to remove the “(1.97.1)” suffix while retaining “stable,” unless the
workflow is explicitly changed to use a fixed Rust toolchain version. Ensure the
documentation accurately reflects the rolling toolchain configuration.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fb8b883c-81c2-49e8-a2ba-3e42c9beb3f6

📥 Commits

Reviewing files that changed from the base of the PR and between 6f446f6 and f498914.

📒 Files selected for processing (6)
  • .github/actions/setup-rust-stellar/action.yml
  • .github/workflows/rustfmt.yml
  • .github/workflows/verify-build.yml
  • ACTION_RESOLUTION.md
  • CI_HARDENING_SUMMARY.md
  • CI_VALIDATION_REPORT.md
🚧 Files skipped from review as they are similar to previous changes (5)
  • CI_VALIDATION_REPORT.md
  • .github/workflows/verify-build.yml
  • .github/actions/setup-rust-stellar/action.yml
  • .github/workflows/rustfmt.yml
  • CI_HARDENING_SUMMARY.md

Comment thread ACTION_RESOLUTION.md
coderabbitai[bot]
coderabbitai Bot previously approved these changes Jul 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

CI hardening: pin actions to SHAs, drop unused id-token: write, verify stellar-cli tarball

1 participant