ci: harden GitHub Actions with pinned SHAs and tarball verification#79
ci: harden GitHub Actions with pinned SHAs and tarball verification#79SudiptaPaul-31 wants to merge 4 commits into
Conversation
|
Warning Review limit reached
Next review available in: 53 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughCI workflows and shared setup actions now use immutable action revisions, minimal permissions, and checksum-verified Stellar CLI installation. Documentation records the hardening changes, resolved action references, validation results, expected workflow behavior, and readiness status. ChangesCI hardening
Estimated code review effort: 3 (Moderate) | ~20 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/rustfmt.yml (1)
24-25: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winPrevent credential persistence in checkout.
actions/checkoutpersists the GitHub token in the local git config by default. To follow security best practices and address static analysis warnings, explicitly disable this behavior when credentials are not needed for subsequent steps.
.github/workflows/rustfmt.yml#L24-L25: Addwith:andpersist-credentials: falseto the checkout step..github/workflows/verify-build.yml#L34-L35: Addwith:andpersist-credentials: falseto the checkout step.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/rustfmt.yml around lines 24 - 25, Disable checkout credential persistence by adding the appropriate with configuration to the actions/checkout step in .github/workflows/rustfmt.yml lines 24-25 and .github/workflows/verify-build.yml lines 34-35, setting persist-credentials to false in both locations.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/verify-build.yml:
- Around line 34-35: Replace the checkout action commit with the v4.1.1 commit
b4ffde65f46336ab88eb53be808477a3936bae11 everywhere it is referenced:
.github/workflows/verify-build.yml lines 34-35, .github/workflows/rustfmt.yml
lines 24-25, CI_HARDENING_SUMMARY.md lines 9-14, and CI_VALIDATION_REPORT.md
lines 5-6.
---
Nitpick comments:
In @.github/workflows/rustfmt.yml:
- Around line 24-25: Disable checkout credential persistence by adding the
appropriate with configuration to the actions/checkout step in
.github/workflows/rustfmt.yml lines 24-25 and .github/workflows/verify-build.yml
lines 34-35, setting persist-credentials to false in both locations.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 854179f5-2ceb-4a5f-9949-e29434cb6ed3
📒 Files selected for processing (5)
.github/actions/setup-rust-stellar/action.yml.github/workflows/rustfmt.yml.github/workflows/verify-build.ymlCI_HARDENING_SUMMARY.mdCI_VALIDATION_REPORT.md
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@ACTION_RESOLUTION.md`:
- Around line 43-49: Update the dtolnay/rust-toolchain entry in the “Valid SHAs
Used” table to remove the “(1.97.1)” suffix while retaining “stable,” unless the
workflow is explicitly changed to use a fixed Rust toolchain version. Ensure the
documentation accurately reflects the rolling toolchain configuration.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: fb8b883c-81c2-49e8-a2ba-3e42c9beb3f6
📒 Files selected for processing (6)
.github/actions/setup-rust-stellar/action.yml.github/workflows/rustfmt.yml.github/workflows/verify-build.ymlACTION_RESOLUTION.mdCI_HARDENING_SUMMARY.mdCI_VALIDATION_REPORT.md
🚧 Files skipped from review as they are similar to previous changes (5)
- CI_VALIDATION_REPORT.md
- .github/workflows/verify-build.yml
- .github/actions/setup-rust-stellar/action.yml
- .github/workflows/rustfmt.yml
- CI_HARDENING_SUMMARY.md
Summary
This PR hardens the GitHub Actions CI pipeline by pinning all third-party actions to immutable commit SHAs, removing unnecessary OIDC token permissions, and adding SHA-256 verification for the Stellar CLI download. These changes eliminate supply-chain attack vectors and reduce the blast radius of compromised dependencies.
Closes: #75
Changes
.github/workflows/rustfmt.ymlPurpose: Format validation workflow for Rust code
Changes:
id-token: writefrom permissions (now onlycontents: readandactions: read)actions/checkout@v2→actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c(v4.1.1)actions-rs/toolchain@v1→dtolnay/rust-toolchain@1482605baf623a1ba7bb69329c91659433264734(stable)Impact: Eliminates reliance on archived action, reduces permissions to minimum required, uses immutable action versions.
.github/workflows/verify-build.ymlPurpose: Build verification and testing workflow for contracts
Changes:
id-token: writefrom permissions (now onlycontents: readandactions: read)actions/checkout@v4→actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c(v4.1.1)Impact: Reduces OIDC token exposure, uses immutable action version. No changes to build/test logic.
.github/actions/setup-rust-stellar/action.ymlPurpose: Composite action that sets up Rust toolchain and Stellar CLI
Changes:
Swatinem/rust-cache@v2→Swatinem/rust-cache@23bce251a8cd2ffc3c1075eac063c4173a8a8848(v2.7.3)dtolnay/rust-toolchain@master→dtolnay/rust-toolchain@1482605baf623a1ba7bb69329c91659433264734(stable)stellar-cli-23.1.3-x86_64-unknown-linux-gnu.tar.gz2eb70d75d8f7da3ca9c1f6a69e5055f686cfc8f3ef8e7e06dd10a45e33d3476e/tmpfirst with--no-same-owner --no-same-permissionsflags/usr/local/bin/via sudoImpact: Eliminates tarball tampering risk, prevents file permission exploits, uses immutable action versions.
Security Benefits
Testing
Summary by CodeRabbit
Chores
Documentation