rism-digital / verovio

🎵 Music notation engraving library for MEI with MusicXML and Humdrum support and various toolkits (JavaScript, Python)
https://www.verovio.org
GNU Lesser General Public License v3.0

Security hardening for GH actions workflows #3671

Open musicEnfanthen opened 1 month ago

musicEnfanthen commented 1 month ago

To harden the security of the GitHub action workflow runners, there are multiple steps to consider:

- [ ] pin actions to a full length commit SHA (https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)

- [ ] restrict token permissions to minimum needed (https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#restricting-permissions-for-tokens)
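An added checker for the two items above, not part of this issue or of the verovio project: it scans a workflow file's text for `uses:` references that are not pinned to a full 40-character commit SHA and for the absence of a `permissions:` block. The two embedded workflows are constructed samples, and the SHA in the hardened one is a placeholder, not a real commit of actions/checkout.

```python
import re

# `uses: owner/repo[/path]@ref`, with or without a leading list dash.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_workflow(text: str) -> list[str]:
    """Return findings for one workflow's text.

    Flags (1) actions referenced by tag or branch instead of a full-length
    commit SHA and (2) workflows with no `permissions:` block at all, which
    leaves GITHUB_TOKEN at the repository's default scope. Local actions
    (./path) and docker:// references carry no @ref and are skipped.
    """
    findings = []
    has_permissions = False
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0].rstrip()  # drop trailing comments
        if re.match(r"^\s*permissions:", stripped):
            has_permissions = True
        m = USES_RE.match(stripped)
        if m and not FULL_SHA_RE.match(m.group(2)):
            findings.append(f"line {lineno}: {m.group(1)}@{m.group(2)} "
                            "is not pinned to a full commit SHA")
    if not has_permissions:
        findings.append("no `permissions:` block: GITHUB_TOKEN keeps the "
                        "repository default scope")
    return findings


# Constructed sample: floating refs and no permissions block.
WEAK = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
"""

# Constructed sample: least-privilege token and a SHA-pinned action.
# The SHA below is a placeholder, not a real actions/checkout commit.
HARDENED = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_workflow(wf) or ["ok"])
```

Run it against each file under `.github/workflows/` to get a per-file list of what still needs pinning or a `permissions:` block.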

musicEnfanthen commented 1 month ago

Just leaving this here for future reference.