Skip to content

security: harden all workflow files#1019

Merged
cx-luis-ventuzelos merged 1 commit into
mainfrom
security/harden-all-workflows
Jun 16, 2026
Merged

security: harden all workflow files#1019
cx-luis-ventuzelos merged 1 commit into
mainfrom
security/harden-all-workflows

Conversation

@cx-luis-ventuzelos

@cx-luis-ventuzelos cx-luis-ventuzelos commented Jun 15, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

Fixes the startup failure (id-token: write permission mismatch) and hardens all remaining workflow files.

Applied across all workflows:

  • Move permissions from workflow level to job level (least privilege)
  • Replace PERSONAL_ACCESS_TOKEN with GITHUB_TOKEN
  • Fix script injection by moving inputs.* and context expressions to env vars in run steps
  • Update pinned action SHAs: actions/checkout v6.0.3, actions/setup-node v6.4.0
  • Add pull-requests: write to auto-merge-pr and dependabot-auto-merge jobs
  • Fix ${{ github.event.pull_request.number }} injection in ast-cli-team-review.yml
  • Replace deprecated ::set-output with $GITHUB_OUTPUT in update-cli.yml

@stepsecurity-app

stepsecurity-app Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Security Policy Alert: Secret Policy Violation

This workflow run has been blocked by StepSecurity's secrets policy because it accesses secrets and the workflow file differs from the default branch.

Secret references detected:

  • secrets.GITHUB_TOKEN at line 18

To approve this workflow, please add the workflows-approved label to this PR.

Note: The label must be added by someone other than the PR author (cx-luis-ventuzelos) or automation bots to ensure proper security review.

After the label is added, you can re-run the blocked workflow to proceed.

This workflow will be automatically approved once merged into the default branch.

For more information, see StepSecurity's Secret Exfiltration Policy documentation.

@stepsecurity-app

stepsecurity-app Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Security Policy Alert: Secret Policy Violation

This workflow run has been blocked by StepSecurity's secrets policy because it accesses secrets and the workflow file differs from the default branch.

Secret references detected:

  • secrets.GITHUB_TOKEN at line 19

To approve this workflow, please add the workflows-approved label to this PR.

Note: The label must be added by someone other than the PR author (cx-luis-ventuzelos) or automation bots to ensure proper security review.

After the label is added, you can re-run the blocked workflow to proceed.

This workflow will be automatically approved once merged into the default branch.

For more information, see StepSecurity's Secret Exfiltration Policy documentation.

@stepsecurity-app

stepsecurity-app Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Security Policy Alert: Secret Policy Violation

This workflow run has been blocked by StepSecurity's secrets policy because it accesses secrets and the workflow file differs from the default branch.

Secret references detected:

  • secrets.CX_CLIENT_ID at line 51
  • secrets.CX_CLIENT_SECRET at line 52
  • secrets.CX_BASE_URI at line 53
  • secrets.CX_TENANT at line 54
  • secrets.CX_APIKEY at line 55

To approve this workflow, please add the workflows-approved label to this PR.

Note: The label must be added by someone other than the PR author (cx-luis-ventuzelos) or automation bots to ensure proper security review.

After the label is added, you can re-run the blocked workflow to proceed.

This workflow will be automatically approved once merged into the default branch.

For more information, see StepSecurity's Secret Exfiltration Policy documentation.

@cx-luis-ventuzelos
harden all workflow files security
8a7eb46 
- Fix startup failure: remove unnecessary id-token:write from delete-packages-and-releases.yml
- Move permissions to job level across all workflows (least privilege)
- Replace PERSONAL_ACCESS_TOKEN with GITHUB_TOKEN everywhere
- Fix script injection: move inputs/context expressions to env vars in run steps
- Replace deprecated ::set-output with GITHUB_OUTPUT (update-cli.yml)
- Update action pins: checkout v6.0.3, setup-node v6.4.0
- Add pull-requests:write to auto-merge and dependabot-merge jobs
- Fix PR number injection in ast-cli-team-review.yml
@cx-luis-ventuzelos cx-luis-ventuzelos force-pushed the security/harden-all-workflows branch from 4335920 to 8a7eb46 Compare June 15, 2026 18:09
@cx-luis-ventuzelos cx-luis-ventuzelos merged commit c2611e6 into main Jun 16, 2026
5 of 6 checks passed
@cx-luis-ventuzelos cx-luis-ventuzelos deleted the security/harden-all-workflows branch June 16, 2026 08:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cx-luis-ventuzelos