Security hardening for GH actions workflows - Githubissues

rism-digital / verovio

🎵 Music notation engraving library for MEI with MusicXML and Humdrum support and various toolkits (JavaScript, Python)

https://www.verovio.org

GNU Lesser General Public License v3.0

683 stars 185 forks source link

Security hardening for GH actions workflows #3671

Open musicEnfanthen opened 6 months ago

musicEnfanthen commented 6 months ago

To harden the security of the GitHub action workflow runners, there are multiple steps to consider:

[ ] pin actions to a full length commit SHA (https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)
[ ] should be combined with automatic updates, e.g. with Dependabot (https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-dependabot-version-updates-to-keep-actions-up-to-date)
[ ] restrict token permissions to minimum needed (https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#restricting-permissions-for-tokens)

musicEnfanthen commented 6 months ago

Just leaving this here for future reference.

lpugin commented 2 months ago

@musicEnfanthen I re-formatted you initial comment. Please double check that it is three points and not two