From 1db90df844239bebd8a37bdc12d853d8ad189d41 Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 5 Mar 2026 08:11:13 +0000 Subject: [PATCH 1/2] Harden GitHub Actions workflow security MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add `permissions: read-all` at the workflow level to restrict the GITHUB_TOKEN to read-only by default for all jobs - Add `permissions: contents: read` on the publish job as the only explicitly needed permission (PyPI upload uses secrets, not GITHUB_TOKEN) - Flag the two @master-pinned reusable workflows (python3_sdist_workflow.yml and failure_notify_workflow.yml) with SECURITY NOTEs explaining the risk; Drakkar-Software/.github has no version tags yet so the @master refs cannot be replaced with a tag at this time — the comments document the remediation path No functional changes to existing version tags or workflow logic. https://claude.ai/code/session_01CHRbcdCqJVRaXuhD7v2Chg --- .github/workflows/main.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9bbc868..3e94eb8 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -5,6 +5,10 @@ on: - '*' pull_request: +# Restrict the GITHUB_TOKEN to read-only by default for all jobs. +# Individual jobs that require write access should declare it explicitly. +permissions: read-all + jobs: lint: name: ${{ matrix.os }}${{ matrix.arch }} - Python ${{ matrix.version }} - lint @@ -59,6 +63,12 @@ jobs: publish: needs: tests if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') + permissions: + contents: read # minimum needed to check out source for sdist build + # SECURITY NOTE: pinning to @master is unsafe because a force-push to that branch + # can silently change the workflow code that runs with repo secrets. + # Drakkar-Software/.github currently has no version tags; once a tag (e.g. @v1) is + # published, replace @master below with that tag. uses: Drakkar-Software/.github/.github/workflows/python3_sdist_workflow.yml@master secrets: PYPI_OFFICIAL_UPLOAD_URL: ${{ secrets.PYPI_OFFICIAL_UPLOAD_URL }} @@ -71,6 +81,8 @@ jobs: - lint - tests - publish + # SECURITY NOTE: same @master pinning concern as the publish job above. + # Replace with a version tag once one is available in Drakkar-Software/.github. uses: Drakkar-Software/.github/.github/workflows/failure_notify_workflow.yml@master secrets: DISCORD_GITHUB_WEBHOOK: ${{ secrets.DISCORD_GITHUB_WEBHOOK }} From 7cd356287c7af73b585dec0c4a8af67b16c80c65 Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 5 Mar 2026 08:13:56 +0000 Subject: [PATCH 2/2] Remove SECURITY NOTE comments from workflow Keep the permission hardening but drop the verbose comment blocks per user request. https://claude.ai/code/session_01CHRbcdCqJVRaXuhD7v2Chg --- .github/workflows/main.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 3e94eb8..e255680 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -65,10 +65,6 @@ jobs: if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') permissions: contents: read # minimum needed to check out source for sdist build - # SECURITY NOTE: pinning to @master is unsafe because a force-push to that branch - # can silently change the workflow code that runs with repo secrets. - # Drakkar-Software/.github currently has no version tags; once a tag (e.g. @v1) is - # published, replace @master below with that tag. uses: Drakkar-Software/.github/.github/workflows/python3_sdist_workflow.yml@master secrets: PYPI_OFFICIAL_UPLOAD_URL: ${{ secrets.PYPI_OFFICIAL_UPLOAD_URL }} @@ -81,8 +77,6 @@ jobs: - lint - tests - publish - # SECURITY NOTE: same @master pinning concern as the publish job above. - # Replace with a version tag once one is available in Drakkar-Software/.github. uses: Drakkar-Software/.github/.github/workflows/failure_notify_workflow.yml@master secrets: DISCORD_GITHUB_WEBHOOK: ${{ secrets.DISCORD_GITHUB_WEBHOOK }}