Skip to content

Apply GitHub Actions security best practices#231

Closed
stepsecurity-app[bot] wants to merge 1 commit into
mainfrom
chore/GHA-142321-stepsecurity-remediation
Closed

Apply GitHub Actions security best practices#231
stepsecurity-app[bot] wants to merge 1 commit into
mainfrom
chore/GHA-142321-stepsecurity-remediation

Conversation

@stepsecurity-app

Copy link
Copy Markdown

Summary

This pull request has been generated by StepSecurity to ensure compliance with recommended security best practices. Please review and merge the pull request to apply these security enhancements.

Security Fixes

Harden Runner

Harden-Runner is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without sudo access.

Least Privileged GitHub Actions Token Permissions

The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.

Pinned Dependencies

Pinning GitHub Actions to specific versions or commit SHAs ensures that your workflows remain consistent and secure.
Unpinned actions can lead to unexpected changes or vulnerabilities caused by upstream updates.

Keeping your actions up to date with Dependabot

With Dependabot version updates, when Dependabot identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. This is recommended by GitHub as well as The Open Source Security Foundation (OpenSSF).

Runner Label Replacement

Runner labels define where GitHub Actions workflows execute. Replacing runner labels allows you to migrate workflows from one runner environment to another, such as moving from GitHub-hosted runners to self-hosted runners or vice versa.

This control automatically updates runner labels across your workflows based on the configured label mapping, ensuring consistent runner usage across your repository.

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
@whymarrh

Copy link
Copy Markdown

Closing to re-create

@whymarrh whymarrh closed this Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant