ci: harden GHA workflows with least-privilege permissions, concurrency, and action updates#72
## What/Why

Apply GHA security and operational standards across all 9 workflows: least-privilege permissions, proper concurrency groups, SHA-pinned actions, harden-runner coverage, and .yaml extension consistency.

## Proof it works

actionlint passes with zero errors on all 9 workflow files.

## Risk + AI role

low -- CI-only changes, no application code affected. Fully AI-generated (Claude Opus 4.6).

actions/checkout v6->v7 is the largest change; v7 blocks fork PR checkouts on pull_request_target and workflow_run triggers, which does not affect these workflows.

## Review focus

- actions/checkout v7 upgrade: confirm no workflow relies on checking out fork PR code via workflow_run
- concurrency groups: verify cancel-in-progress conditions match each workflow's trigger mix

Signed-off-by: jmeridth <jmeridth@gmail.com>
Pull request overview
This PR hardens the repository’s GitHub Actions workflows by applying least-privilege GITHUB_TOKEN permissions, adding/adjusting workflow concurrency, and updating actions to SHA-pinned versions (notably upgrading actions/checkout to v7).
Changes:
- Set workflow-level `permissions: {}` and add explicit job-level permission grants with comments.
- Add/standardize `concurrency` settings to reduce duplicate work and manage cancellation behavior.
- Update actions (e.g., `actions/checkout`) to newer, SHA-pinned revisions and expand harden-runner coverage.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/stale.yaml | Tightens default token permissions and documents job-level grants for stale automation. |
| .github/workflows/security-insights.yaml | Adds least-privilege permissions + concurrency, updates checkout to v7 SHA. |
| .github/workflows/pr-title.yaml | Adds least-privilege permissions + concurrency for PR title lint reusable workflow. |
| .github/workflows/osps-security-assessment.yaml | Adds harden-runner + least-privilege permissions, updates actions to SHA-pinned versions. |
| .github/workflows/markdownlint.yaml | Adds least-privilege permissions + concurrency, updates checkout to v7 SHA. |
| .github/workflows/mark-ready-when-ready.yaml | Adds least-privilege permissions and adjusts concurrency for PR “mark ready” automation. |
| .github/workflows/htmltest.yaml | Adds least-privilege permissions + concurrency, updates checkout to v7 SHA. |
| .github/workflows/gh-pages.yaml | Tightens default permissions and updates checkout to v7 SHA; adjusts concurrency cancellation behavior for deploys. |
| .github/workflows/auto-labeler.yaml | Adds least-privilege permissions + concurrency for PR auto-labeling reusable workflow. |
Comments suppressed due to low confidence (4)
.github/workflows/mark-ready-when-ready.yaml:11
- Using `github.head_ref` in the concurrency group can cause unrelated PR runs to cancel each other when different PRs share the same source branch name (common across forks like `patch-1`). Using `github.ref` keeps PR groups unique (`refs/pull/<n>/merge`) while still grouping push runs by branch.

.github/workflows/markdownlint.yaml:19
- For `pull_request` events, `github.head_ref` is not unique across forks/PRs, so this concurrency key can unintentionally cancel runs from other PRs that share the same branch name. Using `github.ref` provides a unique per-PR ref (`refs/pull/<n>/merge`) while keeping push runs grouped by branch.

.github/workflows/security-insights.yaml:19
- `github.head_ref` can collide across unrelated PRs with the same branch name (common in forks), which may cancel the wrong validation run. Prefer `github.ref` to keep concurrency groups unique for PRs and stable for pushes.

.github/workflows/htmltest.yaml:17
- This workflow runs on `pull_request`, and using `github.head_ref` in the concurrency key can cause collisions across different PRs that share the same source branch name (especially from forks). Using `github.ref` gives a unique PR ref and avoids unintended cancellations.
## What/Why

Apply GHA security and operational standards across all 9 workflows: least-privilege permissions (`permissions: {}` at workflow level, explicit job-level grants with comments), proper concurrency groups (`github.head_ref || github.ref`), SHA-pinned actions, harden-runner coverage, and `.yaml` extension consistency.

## Proof it works

`actionlint` passes with zero errors on all 9 workflow files.

## Risk + AI role

low -- CI-only changes, no application code affected. AI-generated (Claude Opus 4.6).

`actions/checkout` v6 to v7 is the largest change; v7 blocks fork PR checkouts on `pull_request_target` and `workflow_run` triggers, which does not affect these workflows.

## Review focus

- `actions/checkout` v7 upgrade: confirm no workflow relies on checking out fork PR code via `workflow_run`
- concurrency groups: verify `cancel-in-progress` conditions match each workflow's trigger mix
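As an added illustration (not one of the workflow files in this PR), the pattern the description and the review comments discuss on a single `pull_request` + `push` workflow: workflow-level `permissions: {}` with a job-level grant, the PR's `github.head_ref || github.ref` concurrency key shown commented out beside the reviewer's `github.ref` alternative, and a SHA-pinned checkout. The workflow name, the lint step and `<CHECKOUT_SHA>` are placeholders.

```yaml
# Constructed example, not a file from this PR.
name: example-lint

on:
  pull_request:
  push:
    branches: [main]

# Workflow level: grant nothing; each job re-grants only what it needs.
permissions: {}

# Key used by the PR: github.head_ref is the source branch NAME, so two
# unrelated fork PRs both named "patch-1" land in one group and cancel
# each other's runs.
#
# concurrency:
#   group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
#   cancel-in-progress: true
#
# Reviewer-suggested key: github.ref is refs/pull/<n>/merge for PR events
# (unique per PR) and refs/heads/<branch> for pushes (grouped per branch).
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  # Cancel superseded PR runs; let pushes to main run to completion.
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # checkout only; no write scopes, no pull-requests scope
    steps:
      # SHA pinning: the ref after '@' is a full commit SHA; the tag is kept
      # in a trailing comment so dependency bots can track the pin.
      # <CHECKOUT_SHA> is a placeholder for the SHA of the v7 release.
      - uses: actions/checkout@<CHECKOUT_SHA> # v7
      - run: ./scripts/lint.sh   # placeholder for the workflow's real step
```

Running `actionlint` over this file is the same check the PR description cites as proof; it validates the expression syntax in `group` and `cancel-in-progress` as well as the `permissions` keys.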