security: SHA-pin all Actions + least-privilege workflow permissions (PER-8604, PER-8608)#2278

Open
Shivanshu-07 wants to merge 1 commit into master from security/PER-8604-8608-ci-hardening

@Shivanshu-07 Shivanshu-07 commented Jun 12, 2026

Contributor

Summary

First of several focused percy-cli security PRs. Covers the two High-severity CI/CD hardening findings (deadline 2026-06-16) and tightens the surface for PER-8610.

| Ticket | CWE | Finding |
| --- | --- | --- |
| PER-8608 | CWE-829 | Third-party actions pinned to mutable tags |
| PER-8604 | CWE-732 | Workflows missing permissions block (write-all GITHUB_TOKEN) |

Changes

PER-8608 — SHA-pin everything: every uses: across all 11 workflows is now pinned to an immutable 40-char commit SHA (version tag preserved in a trailing comment). Pinned actions: checkout, setup-node, cache, upload-artifact, download-artifact, stale, github-script, action-regex-match, pull-request-comment-branch, gha-jobid-action, winterjung/split, trigger-workflow-and-wait, create-pull-request. (softprops/action-gh-release and the Semgrep checkout/codeql were already pinned.)

PER-8604 — least privilege: top-level permissions: contents: read on every workflow, with minimal job-level grants only where needed:

  • executable.yml (build, notify) → contents: write (upload release assets)
  • stale.yml → issues: write, pull-requests: write
  • sdk-regression.yml → statuses: write + pull-requests: read

Re PER-8610 (issue_comment exposes token): sdk-regression.yml already gates execution on an author-permission check (only write/admin collaborators), so the trigger isn't open to arbitrary commenters; the least-privilege block here further limits what that flow's token can do.

Verification

  • All 11 workflow YAMLs parse; zero unpinned uses:; every workflow declares permissions:.
  • Action SHAs resolved live from each action's tag ref (major versions preserved; stale v6→v9 to a maintained release).

Closes PER-8604, PER-8608. Hardens PER-8610.

Remaining percy-cli findings will follow as separate focused PRs: SSRF (8614/8616), ReDoS (8615), log redaction (8609), eval/CDP injection (8607/8613), chromium integrity (8605), release-secret handling (8611/8612), and the local-server auth/CORS set (8600–8603 + chains 8626/8627).

🤖 Generated with Claude Code

…s (PER-8604, PER-8608)

PER-8608 (CWE-829) — every third-party action across all 11 workflows was
pinned to a mutable tag, allowing a hijacked/retagged action to inject code
into CI (which handles signing keys and publish tokens). Pin every `uses:` to
an immutable 40-char commit SHA (tag preserved in a trailing comment):
checkout, setup-node, cache, upload-artifact, download-artifact, stale,
github-script, action-regex-match, pull-request-comment-branch,
gha-jobid-action, winterjung/split, trigger-workflow-and-wait,
create-pull-request.

PER-8604 (CWE-732) — workflows ran with the implicit write-all GITHUB_TOKEN.
Add a top-level `permissions: contents: read` to every workflow and minimal
job-level grants only where required:
  - executable.yml (build, notify): contents: write — upload release assets
  - stale.yml: issues: write, pull-requests: write
  - sdk-regression.yml: statuses: write + pull-requests: read

Also re PER-8610: sdk-regression.yml is issue_comment-triggered but already
gates execution on an author-permission check (write/admin collaborators only);
the least-privilege block above further limits the token exposed to that flow.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Shivanshu-07 Shivanshu-07 requested a review from a team as a code owner June 12, 2026 17:44
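
The two checks listed under Verification (zero unpinned `uses:`, every workflow declares `permissions:`) can be automated as below. This is an added example, not code from this PR or from percy-cli: `audit_workflow`, the sample workflows and the placeholder SHA are constructed, and line-based matching is an assumption standing in for a full YAML parser.

```python
import re

# Captures owner/repo[/path]@ref after `uses:`; a trailing "# v4" comment is excluded.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
# Column-0 key only: an indented job-level `permissions:` does not count.
TOP_LEVEL_PERMS_RE = re.compile(r"^permissions:[ \t]*(\S*)", re.MULTILINE)

def audit_workflow(text):
    """Return a list of findings for the text of one workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("./"):  # local action: no ref to pin
            continue
        action, _, ref = m.group(1).partition("@")
        # Container images pin by digest; everything else needs a full commit SHA.
        pinned = (ref.startswith("sha256:") if action.startswith("docker://")
                  else FULL_SHA_RE.fullmatch(ref) is not None)
        if not pinned:
            findings.append(f"line {lineno}: unpinned uses: {m.group(1)}")
    perms = TOP_LEVEL_PERMS_RE.search(text)
    if perms is None:
        findings.append("no top-level permissions: block")
    elif perms.group(1) == "write-all":
        findings.append("top-level permissions: write-all")
    return findings

# Constructed samples, not percy-cli's workflows; the SHA is a placeholder.
BEFORE = """\
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
"""
AFTER = """\
on: [push]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
"""
if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_workflow(text) or "clean")
```

A short SHA prefix is reported as unpinned because only the full 40-character form counts as a pin here, matching the PR's "immutable 40-char commit SHA" wording.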