From 46b53c6aab8998895c4e6108a5207b38d8f20148 Mon Sep 17 00:00:00 2001 From: Oluwapelumi Oluwaseyi Date: Thu, 21 May 2026 09:57:44 +0200 Subject: [PATCH 1/5] fix: add least-privilege permissions to workflows Resolve the actions/missing-workflow-permissions code-scanning warnings by adding explicit permission blocks to each workflow. - cla.yml: pull-requests/statuses write for the CLA bot, actions:write so it can re-trigger itself; signatures repo is written via the PERSONAL_ACCESS_TOKEN, not GITHUB_TOKEN. - conventional-commit-check.yml: pull-requests:read is enough for amannn/action-semantic-pull-request to read the title. - deployment.yml: contents:read for checkout, pull-requests:write for the PR-URL comment job. - lint.yml, safe-apps-check.yml: contents:read. - safe-apps-e2e.yml: actions:write for styfle/cancel-workflow-action, contents:read for checkout. --- .github/workflows/cla.yml | 6 ++++++ .github/workflows/conventional-commit-check.yml | 3 +++ .github/workflows/deployment.yml | 5 +++++ .github/workflows/lint.yml | 3 +++ .github/workflows/safe-apps-check.yml | 3 +++ .github/workflows/safe-apps-e2e.yml | 4 ++++ 6 files changed, 24 insertions(+) diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml index bb6d845a6..0c4d46e91 100644 --- a/.github/workflows/cla.yml +++ b/.github/workflows/cla.yml @@ -5,6 +5,12 @@ on: pull_request_target: types: [opened, closed, synchronize] +permissions: + actions: write + contents: read + pull-requests: write + statuses: write + jobs: CLAAssistant: runs-on: ubuntu-latest diff --git a/.github/workflows/conventional-commit-check.yml b/.github/workflows/conventional-commit-check.yml index c32009ba0..dac796631 100644 --- a/.github/workflows/conventional-commit-check.yml +++ b/.github/workflows/conventional-commit-check.yml @@ -7,6 +7,9 @@ on: - edited - synchronize +permissions: + pull-requests: read + jobs: main: name: Validate PR title 
diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml index 1b3f35e28..8159fafc6 100644 --- a/.github/workflows/deployment.yml +++ b/.github/workflows/deployment.yml @@ -10,6 +10,11 @@ on: - development # Run manually to version/production deployment/github releases workflow_dispatch: + +permissions: + contents: read + pull-requests: write + env: REPO_NAME_ALPHANUMERIC: safereactapps HUSKY: 0 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 33c5b8549..be9cbdefb 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,6 +1,9 @@ name: 'ESLint check' on: [pull_request] +permissions: + contents: read + jobs: eslint: runs-on: ubuntu-latest diff --git a/.github/workflows/safe-apps-check.yml b/.github/workflows/safe-apps-check.yml index 5dd0f487d..b7474c2fd 100644 --- a/.github/workflows/safe-apps-check.yml +++ b/.github/workflows/safe-apps-check.yml @@ -26,6 +26,9 @@ on: # # At 4:00 on every day-of-week from Monday through Friday # - cron: '0 4 * * 1-5' +permissions: + contents: read + jobs: e2e: runs-on: ubuntu-20.04 diff --git a/.github/workflows/safe-apps-e2e.yml b/.github/workflows/safe-apps-e2e.yml index 82532b32d..bfbbe570a 100644 --- a/.github/workflows/safe-apps-e2e.yml +++ b/.github/workflows/safe-apps-e2e.yml @@ -6,6 +6,10 @@ on: - development - main +permissions: + actions: write + contents: read + jobs: e2e: runs-on: ubuntu-latest From b1ff8783dcb68ca145bff880fb9a89020efae9fb Mon Sep 17 00:00:00 2001 
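Review bot: `pull-requests: write` is declared at workflow level in deployment.yml, so every job in the file — the branch deploy and the `workflow_dispatch` release path included — receives it, while the commit message says only the PR-comment job needs it; keep the workflow block at `contents: read` and put `permissions:` / `  pull-requests: write` under the job that runs the comment step. The `workflow_dispatch` trigger is commented as the version/production/GitHub-releases path; if any step there creates a release or pushes a tag with `GITHUB_TOKEN`, the new `contents: read` makes that call fail with a 403, so that job needs its own job-level `contents: write` rather than a workflow-wide grant. Neither the comment job nor the release steps are visible in this hunk, so confirm both against the rest of the file.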
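Review bot: `actions: write` is granted to the whole safe-apps-e2e.yml workflow only so that `styfle/cancel-workflow-action` (pinned in a later hunk of this series, inside the `e2e` job) can cancel earlier runs with `github.token`; the same effect needs no token permission at all with the native setting `concurrency:` / `  group: ${{ github.workflow }}-${{ github.ref }}` / `  cancel-in-progress: true` at workflow level, after which both the step and `actions: write` can go. Until then, `actions: write` lets anything executing in this job — including install scripts from the web-core checkout it performs — cancel or re-run other workflow runs in the repository with the job token, which is more than an E2E job should hold. The `jobs:` body continues outside the hunk.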
From: Oluwapelumi Oluwaseyi Date: Thu, 21 May 2026 14:42:46 +0200 Subject: [PATCH 2/5] ci: pin all action references to commit SHAs Org policy requires actions/missing-workflow-permissions PRs to also have every action ref pinned to a full-length commit SHA. Without this, CI fails before running with: 'the action X is not allowed in safe-global/safe-react-apps because all actions must be pinned to a full-length commit SHA'. Pinned to the SHA of the existing tag/branch HEAD to preserve current behavior. Upgrades to newer major versions (checkout v4/v5, setup-node v4, cache v4, etc.) are out of scope for this PR. --- .github/workflows/cla.yml | 2 +- .../workflows/conventional-commit-check.yml | 2 +- .github/workflows/deployment.yml | 12 ++++++------ .github/workflows/lint.yml | 4 ++-- .github/workflows/safe-apps-check.yml | 18 +++++++++--------- .github/workflows/safe-apps-e2e.yml | 10 +++++----- 6 files changed, 24 insertions(+), 24 deletions(-) diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml index 0c4d46e91..07ee41adc 100644 --- a/.github/workflows/cla.yml +++ b/.github/workflows/cla.yml @@ -18,7 +18,7 @@ jobs: - name: 'CLA Assistant' if: (github.event.comment.body == 'recheckcla' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target' # Beta Release - uses: contributor-assistant/github-action@v2.2.0 + uses: contributor-assistant/github-action@b2a7f9fb90217ea0b8a0c95c288221457be4a31f # v2.2.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # the below token should have repo scope and must be manually added by you in the repository's secret diff --git a/.github/workflows/conventional-commit-check.yml b/.github/workflows/conventional-commit-check.yml index dac796631..d0d8d043a 100644 --- a/.github/workflows/conventional-commit-check.yml +++ b/.github/workflows/conventional-commit-check.yml 
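Review bot: The `# v2.2.0` trailer on the pinned `contributor-assistant/github-action` line is a comment the runner never checks, so a reader has no way to tell from the file whether the SHA and the version still agree; the same applies to every `# vN` trailer in this commit and to the composite-action pins in the next one. Adding a Dependabot config with `package-ecosystem: "github-actions"` (or Renovate's equivalent) keeps SHA and comment in step and surfaces upstream fixes, which a hand-maintained pin otherwise never receives. Where the trailer names only a major alias (`# v1`, `# v3`, `# v4`, `# v5`), record the exact release the SHA was taken from (`# vX.Y.Z`, as this cla.yml line does) so the pin can be audited later. This step also hands `secrets.CLA_ACCESS_TOKEN` to the third-party action inside a `pull_request_target` run, which is precisely the exposure the pin bounds; treat bumps to this line as code review, not auto-merge. The `CLAAssistant` job continues outside the hunk.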
@@ -15,6 +15,6 @@ jobs: name: Validate PR title runs-on: ubuntu-latest steps: - - uses: amannn/action-semantic-pull-request@v4 + - uses: amannn/action-semantic-pull-request@505e44b4f33b4c801f063838b3f053990ee46ea7 # v4 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml index 8159fafc6..4de3972e0 100644 --- a/.github/workflows/deployment.yml +++ b/.github/workflows/deployment.yml @@ -25,7 +25,7 @@ jobs: runs-on: ubuntu-latest if: ${{ github.event_name == 'pull_request' }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: ref: ${{ github.event.pull_request.head.ref }} fetch-depth: 0 @@ -37,7 +37,7 @@ jobs: aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - name: Derive appropriate SHAs for base and head for `nx affected` commands - uses: nrwl/nx-set-shas@v4 + uses: nrwl/nx-set-shas@3e9ad7370203c1e93d109be57f3b72eb0eb511b1 # v4 - name: Test, Build, Deploy PR run: | @@ -57,7 +57,7 @@ jobs: - name: 'PRaul: Comment PR with app URLs' if: success() && github.event.number - uses: mshick/add-pr-comment@v1 + uses: mshick/add-pr-comment@a96c578acba98b60f16c6866d5f20478dc4ef68b # v1 with: message: | * [Drain Account App](${{ env.REVIEW_FEATURE_URL }}/drain-safe/) @@ -77,7 +77,7 @@ jobs: if: github.event_name != 'pull_request' && github.event_name != 'workflow_dispatch' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: fetch-depth: 0 @@ -88,7 +88,7 @@ jobs: aws-region: ${{ secrets.AWS_DEFAULT_REGION }} - name: Derive appropriate SHAs for base and head for `nx affected` commands - uses: nrwl/nx-set-shas@v4 + uses: nrwl/nx-set-shas@3e9ad7370203c1e93d109be57f3b72eb0eb511b1 # v4 - name: Test and Build run: | 
@@ -123,7 +123,7 @@ jobs: if: github.ref == 'refs/heads/main' && github.event_name == 'workflow_dispatch' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: fetch-depth: 0 ref: main diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index be9cbdefb..019644620 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -8,9 +8,9 @@ jobs: eslint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: 18 cache: yarn diff --git a/.github/workflows/safe-apps-check.yml b/.github/workflows/safe-apps-check.yml index b7474c2fd..2339db923 100644 --- a/.github/workflows/safe-apps-check.yml +++ b/.github/workflows/safe-apps-check.yml @@ -35,9 +35,9 @@ jobs: # let's make sure our tests pass on Chrome browser name: E2E on Chrome steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - - uses: cypress-io/github-action@v5 + - uses: cypress-io/github-action@248bde77443c376edc45906ede03a1aba9da0462 # v5 name: Mainnet with: browser: chrome @@ -55,7 +55,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true - - uses: cypress-io/github-action@v5 + - uses: cypress-io/github-action@248bde77443c376edc45906ede03a1aba9da0462 # v5 name: Gnosis Chain with: browser: chrome @@ -73,7 +73,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true - - uses: cypress-io/github-action@v5 + - uses: cypress-io/github-action@248bde77443c376edc45906ede03a1aba9da0462 # v5 name: Polygon with: browser: chrome 
@@ -91,7 +91,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true - - uses: cypress-io/github-action@v5 + - uses: cypress-io/github-action@248bde77443c376edc45906ede03a1aba9da0462 # v5 name: BNB Smart Chain with: browser: chrome @@ -109,7 +109,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true - - uses: cypress-io/github-action@v5 + - uses: cypress-io/github-action@248bde77443c376edc45906ede03a1aba9da0462 # v5 name: Arbitrum with: browser: chrome @@ -127,7 +127,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true - - uses: cypress-io/github-action@v5 + - uses: cypress-io/github-action@248bde77443c376edc45906ede03a1aba9da0462 # v5 name: Aurora with: browser: chrome @@ -145,7 +145,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true - - uses: cypress-io/github-action@v5 + - uses: cypress-io/github-action@248bde77443c376edc45906ede03a1aba9da0462 # v5 name: Avalanche with: browser: chrome @@ -163,7 +163,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true - - uses: cypress-io/github-action@v5 + - uses: cypress-io/github-action@248bde77443c376edc45906ede03a1aba9da0462 # v5 name: Optimism with: browser: chrome diff --git a/.github/workflows/safe-apps-e2e.yml b/.github/workflows/safe-apps-e2e.yml index bfbbe570a..cccbbd038 100644 --- a/.github/workflows/safe-apps-e2e.yml +++ b/.github/workflows/safe-apps-e2e.yml @@ -16,12 +16,12 @@ jobs: name: Execute E2E tests steps: - name: Cancel previous runs - uses: styfle/cancel-workflow-action@0.8.0 + uses: styfle/cancel-workflow-action@3d86a7cc43670094ac248017207be0295edbc31d # 0.8.0 with: access_token: ${{ github.token }} - name: Checkout web-core - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: repository: safe-global/web-core ref: main 
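Review bot: The web-core checkout keeps `ref: main` while both `uses:` lines in the same hunk are now frozen to commits, so this job still pulls whatever is on that branch at run time and the SHA-pin policy the commit implements stops at the action layer. If tracking the branch is intended because the E2E suite is meant to run against the current host app, say so on the line, `ref: main # intentionally tracks web-core main; E2E runs against the live host app`; otherwise pin a commit here too and let the same dependency bot bump it. The `e2e` job body continues outside the hunk.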
@@ -32,7 +32,7 @@ jobs: run: yarn install - name: Yarn cache web-core modules - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 with: path: 'web-core/**/node_modules' key: web-core-modules-${{ hashFiles('**/yarn.lock') }} @@ -69,13 +69,13 @@ jobs: if: ${{ github.ref == 'refs/heads/main' || github.event.schedule == '0 9 * * 1-5' }} - name: Checkout safe-react-apps - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: repository: safe-global/safe-react-apps path: apps - name: Execute E2E tests - uses: cypress-io/github-action@v5 + uses: cypress-io/github-action@248bde77443c376edc45906ede03a1aba9da0462 # v5 with: browser: chrome record: true From 2370e3bba17255b949468db49a4cee1f2c3d9f26 Mon Sep 17 00:00:00 2001 From: Oluwapelumi Oluwaseyi Date: Thu, 21 May 2026 14:45:01 +0200 Subject: [PATCH 3/5] ci: pin composite-action references to commit SHAs The local setup-env composite action references actions/setup-node@v3 and aws-actions/configure-aws-credentials@v1 unpinned, which the 'Pull Request' workflow consumes via ./.github/actions/setup-env. The org SHA-pin policy rejects them too. --- .github/actions/setup-env/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/setup-env/action.yml b/.github/actions/setup-env/action.yml index f983278cf..0543b1909 100644 --- a/.github/actions/setup-env/action.yml +++ b/.github/actions/setup-env/action.yml @@ -21,7 +21,7 @@ runs: using: 'composite' steps: - name: Node.js setup - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ inputs.node-version }} cache: 'yarn' 
@@ -40,7 +40,7 @@ runs: run: yarn install --frozen-lockfile - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1 with: aws-access-key-id: ${{ inputs.aws-access-key-id }} aws-secret-access-key: ${{ inputs.aws-secret-access-key }} From 6ad58c7bc491b24ceba2fc586e3de7f7cd8bb24f Mon Sep 17 00:00:00 2001 From: Oluwapelumi Oluwaseyi Date: Thu, 28 May 2026 10:45:29 +0200 Subject: [PATCH 4/5] fix: migrate CLA workflow to safe-global/github-reusable-workflows MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace the direct contributor-assistant/github-action invocation with the centralised reusable action at safe-global/github-reusable-workflows (commit f72a861e — main 2026-05-27). The reusable action wraps contributor-assistant @ v2.6.1 and points the signature writes at the cla-signatures repo's 'signatures' branch (outside the ruleset that was rejecting bot commits on main). Requires the REUSABLE_WORKFLOWS_TOKEN repo/org secret. Allowlist preserved from the previous workflow. --- .github/workflows/cla.yml | 47 +++++++++++++-------------------------- 1 file changed, 16 insertions(+), 31 deletions(-) diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml index 07ee41adc..185158972 100644 --- a/.github/workflows/cla.yml +++ b/.github/workflows/cla.yml 
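Review bot: The `aws-actions/configure-aws-credentials` step keeps authenticating with long-lived keys passed as the `aws-access-key-id`/`aws-secret-access-key` inputs; the pin freezes that, it does not change it. Moving to OIDC (`role-to-assume`, with the calling job granting `id-token: write`) removes the static secret from the composite's inputs and is the follow-up worth recording above the step, e.g. `# TODO: replace static keys with OIDC (role-to-assume); calling job needs permissions: id-token: write`. That is out of scope for a pin-only commit, but a composite action is consumed by several workflows, so the comment is where a later reader will look. The `runs.steps` list continues outside the hunk.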
@@ -5,41 +5,26 @@ on: pull_request_target: types: [opened, closed, synchronize] -permissions: - actions: write - contents: read - pull-requests: write - statuses: write +permissions: {} jobs: - CLAAssistant: + CLAssistant: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + issues: write steps: + - name: Checkout reusable workflows + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + repository: safe-global/github-reusable-workflows + token: ${{ secrets.REUSABLE_WORKFLOWS_TOKEN }} + path: reusable-workflows + ref: f72a861e898dd2d539a0598a1fb43a8ea801ebd1 # main 2026-05-27 (signatures branch) - name: 'CLA Assistant' - if: (github.event.comment.body == 'recheckcla' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target' - # Beta Release - uses: contributor-assistant/github-action@b2a7f9fb90217ea0b8a0c95c288221457be4a31f # v2.2.0 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # the below token should have repo scope and must be manually added by you in the repository's secret - PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_ACCESS_TOKEN }} + uses: ./reusable-workflows/actions/cla with: - path-to-signatures: 'signatures/version1/cla.json' - path-to-document: 'https://safe.global/cla' # e.g. 
a CLA or a DCO document - # branch should not be protected - branch: 'main' - # user names of users allowed to contribute without CLA + github-token: ${{ secrets.GITHUB_TOKEN }} + personal-access-token: ${{ secrets.CLA_ACCESS_TOKEN }} allowlist: clovisdasilvaneto,rmeissner,Uxio0,dasanra,francovenica,luarx,yagopv,usame-algan,bot* - - # the followings are the optional inputs - If the optional inputs are not given, then default values will be taken - # enter the remote organization name where the signatures should be stored (Default is storing the signatures in the same repository) - remote-organization-name: 'safe-global' - # enter the remote repository name where the signatures should be stored (Default is storing the signatures in the same repository) - remote-repository-name: 'cla-signatures' - #create-file-commit-message: 'For example: Creating file for storing CLA Signatures' - #signed-commit-message: 'For example: $contributorName has signed the CLA in #$pullRequestNo' - #custom-notsigned-prcomment: 'pull request comment with Introductory message to ask new contributors to sign' - #custom-pr-sign-comment: 'The signature to be committed in order to sign the CLA' - #custom-allsigned-prcomment: 'pull request comment when all contributors has signed, defaults to **CLA Assistant Lite bot** All Contributors have signed the CLA.' - #lock-pullrequest-aftermerge: false - if you don't want this bot to automatically lock the pull request after merging (default - true) - #use-dco-flag: true - If you are using DCO instead of CLA From f43913cfa10d4bd01e21ec644327b61291e13f80 Mon Sep 17 00:00:00 2001 From: Oluwapelumi Oluwaseyi Date: Thu, 28 May 2026 10:59:57 +0200 Subject: [PATCH 5/5] fix: pin CLA reusable workflow to v2.4.18 --- .github/workflows/cla.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml index 185158972..847c13cb7 100644 --- a/.github/workflows/cla.yml +++ b/.github/workflows/cla.yml 
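Review bot: The checkout of `safe-global/github-reusable-workflows` passes `secrets.REUSABLE_WORKFLOWS_TOKEN`, and `actions/checkout` stores that token in the checked-out tree's git config by default, where the `./reusable-workflows/actions/cla` composite and the action it wraps can read it; nothing here suggests the composite pushes to that repository, so add `persist-credentials: false` under the step's `with:` to limit the token to the fetch. The job rename `CLAAssistant` → `CLAssistant` changes the check-run name, so a branch-protection or ruleset entry that requires the old name blocks merges until it is updated. The old step-level `if:` on `github.event.comment.body` is removed, so if the `on:` block above the hunk also lists `issue_comment`, every comment now triggers the checkout and the action unless the wrapper filters the event itself. The job keeps `pull-requests: write` and `issues: write` but drops the `statuses: write` and `actions: write` the removed block had, and the upstream contributor-assistant README lists both; whether the wrapper needs them cannot be seen here, so exercise the workflow on a test PR before relying on it.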
@@ -21,7 +21,7 @@ jobs:
 repository: safe-global/github-reusable-workflows
 token: ${{ secrets.REUSABLE_WORKFLOWS_TOKEN }}
 path: reusable-workflows
- ref: f72a861e898dd2d539a0598a1fb43a8ea801ebd1 # main 2026-05-27 (signatures branch)
+ ref: c4fd58f9c721aca09b841c8035ce1d115ed5f3c3 # v2.4.18
 - name: 'CLA Assistant'
 uses: ./reusable-workflows/actions/cla
 with: