Harden CI/CD workflows: fix secret exposure, script injection, and pin all actions to SHA #762
jprakash-db wants to merge 1 commit into main from
Pull request overview
This PR tightens GitHub Actions workflow security by pinning third-party actions to immutable commit SHAs and setting explicit job token permissions to reduce default privilege.
Changes:
- Pin GitHub Actions used across CI/publish workflows to specific commit SHAs (instead of floating tags like `v4`/`v5`).
- Add explicit `permissions:` blocks (primarily `contents: read`) to workflows to follow least-privilege.
- Adjust a few workflow behaviors (notably the Test PyPI publish trigger and some shell env usage in coverage).
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/publish.yml | Add least-privilege permissions and pin actions by SHA for production publish. |
| .github/workflows/publish-test.yml | Restrict trigger to main, add permissions, and pin actions by SHA for Test PyPI publish. |
| .github/workflows/publish-manual.yml | Add permissions and pin actions by SHA for manual production publish. |
| .github/workflows/integration.yml | Add permissions and pin actions by SHA for integration test workflows. |
| .github/workflows/dco-check.yml | Add permissions, change runner, and pin actions by SHA for DCO enforcement. |
| .github/workflows/daily-telemetry-e2e.yml | Add permissions and pin actions by SHA; pin artifact upload action. |
| .github/workflows/code-quality-checks.yml | Add permissions and pin actions by SHA across unit/lint/type checks. |
| .github/workflows/code-coverage.yml | Pin actions by SHA and refactor override/summary steps to use env vars. |
| permissions: | ||
| contents: read | ||
| pull-requests: write |
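Review bot: `pull-requests: write` is broader than the DCO verification itself needs; if this block sits at workflow level, move it down to the job that posts the PR comment so the check job runs with `contents: read` only, which matches the description's intent of granting write only where needed for PR comments.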
The workflow posts a PR comment via github.rest.issues.createComment, which requires the issues: write permission on GITHUB_TOKEN. With only pull-requests: write granted here, the comment step may fail with a 403. Add issues: write (and keep/remove pull-requests based on what actions-dco needs).
| pull-requests: write | |
| pull-requests: write | |
| issues: write |
| on: | ||
| push: | ||
| branches: | ||
| - main |
This changes the Test PyPI publish workflow trigger from running on every push to running only on pushes to main. Since the PR description doesn’t mention this behavior change, please confirm it’s intended (it will stop publishing from non-main branches).
I think this is fine.
| runs-on: | ||
| group: databricks-protected-runner-group | ||
| labels: linux-ubuntu-latest | ||
| runs-on: ubuntu-latest |
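Review bot: the switch to `ubuntu-latest` takes fork PR code off `databricks-protected-runner-group`, as the description states; confirm that no other `pull_request`-triggered job in the remaining workflows still targets that group, and that the DCO check needs nothing that was only reachable from the protected runners.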
vikrantpuppala left a comment
Couple of comments.
Summary
This PR addresses 2 CRITICAL and 4 HIGH supply chain security findings identified during a comprehensive CI/CD security audit of all GitHub Actions workflows. These fixes are required before the workflows can be safely re-enabled.
Critical Fixes
- `code-coverage.yml`: Removed explicit `ref`/`repository` checkout of fork PR code that ran in a context with `azure-prod` secrets (`DATABRICKS_TOKEN`, `DATABRICKS_HOST`). An external attacker could have exfiltrated secrets by opening a malicious PR.
- `code-coverage.yml`: `${{ github.event.pull_request.body }}` was interpolated directly into `run:` shell steps, allowing arbitrary command execution via crafted PR descriptions. Moved all attacker-controllable expressions to `env:` blocks.
High Fixes
- Moved `dco-check.yml` off self-hosted runners: was using `databricks-protected-runner-group` on the `pull_request` trigger, meaning any fork PR could execute code on internal infrastructure. Switched to `ubuntu-latest`.
- Restricted `publish-test.yml` to the `main` branch: was triggering on `on: [push]` for all branches, publishing to Test PyPI on every push. Now restricted to `push: branches: [main]`.
- Pinned every `uses:` reference across all 8 workflows: was using mutable tags (`@v1`, `@v2`, `@v4`, etc.) vulnerable to upstream tag mutation or account compromise. All now use immutable commit SHAs with version comments.
- Added `permissions:` blocks: 7 of 8 workflows had no `permissions:` declaration (defaults can be overly broad). All now declare `contents: read` (and `pull-requests: write` only where needed for PR comments).
Files Changed (8 workflow files)
- `.github/workflows/code-coverage.yml`
- `.github/workflows/dco-check.yml`
- `.github/workflows/publish-test.yml`
- `.github/workflows/code-quality-checks.yml`
- `.github/workflows/integration.yml`
- `.github/workflows/daily-telemetry-e2e.yml`
- `.github/workflows/publish.yml`
- `.github/workflows/publish-manual.yml`
Test Plan
- No `${{ github.event.* }}` expressions inside `run:` blocks (all moved to `env:`)
- All `uses:` references pinned to commit SHAs (with `# tag` comments)
- `dco-check.yml` uses `ubuntu-latest` (no self-hosted runner references)
- `publish-test.yml` only triggers on `push` to `main`
- All 8 workflows declare `permissions:` blocks
This pull request was AI-assisted by Isaac.
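The Critical and High fixes and the Test Plan above amount to five mechanical checks on a workflow file: no `github.event.*` expression interpolated into a `run:` step, every `uses:` pinned to a commit SHA, no explicit checkout of the PR head, no self-hosted runner, and a workflow-level `permissions:` block. The script below is an added example and not code from this PR or the repository: it implements those checks as an offline linter using only the Python standard library, scanning workflow text line by line rather than parsing YAML, and runs them over two constructed workflows, one with the shape of the problems described for `code-coverage.yml` and one after the fixes. The workflow contents, the `coverage-override` grep pattern and the all-zero placeholder SHA are assumptions made for the example.

```python
# Added example, not code from the PR or the repository: an offline linter for the
# Test Plan checks, scanning workflow text by indentation with only the stdlib.
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^\s*(?:-\s+)?run:\s*(.*?)\s*$")
RUNS_ON_RE = re.compile(r"^\s*runs-on:\s*(\S+)?")
EVENT_EXPR_RE = re.compile(r"\$\{\{\s*github\.event\.[^}]*\}\}")
FORK_HEAD_RE = re.compile(r"^\s*(?:ref|repository):\s*\$\{\{\s*github\.event\.pull_request\.head\b")

# Constructed sample with the shape of the problems described for code-coverage.yml.
VULNERABLE = """\
on: pull_request
jobs:
  coverage:
    runs-on:
      group: databricks-protected-runner-group
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
      - run: |
          echo "${{ github.event.pull_request.body }}" | grep -o 'coverage-override=[0-9]*'
"""

# Constructed sample after the fixes; the all-zero SHA is a placeholder for the real tag commit.
HARDENED = """\
on: pull_request
permissions:
  contents: read
jobs:
  coverage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4 placeholder
      - env:
          PR_BODY: ${{ github.event.pull_request.body }}
        run: |
          printf '%s\\n' "$PR_BODY" | grep -o 'coverage-override=[0-9]*' || true
"""

def find_unpinned_uses(wf):
    """(line, ref) for each uses: whose version is not a 40-hex commit SHA."""
    out = []
    for n, line in enumerate(wf.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not m.group(1).startswith("./"):  # local actions have no tag to pin
            if not SHA_RE.match(m.group(1).partition("@")[2]):
                out.append((n, m.group(1)))
    return out

def find_event_exprs_in_run(wf):
    """(line, expr) for github.event.* inside run: steps; env: values are not flagged."""
    out, in_run, run_indent = [], False, -1
    for n, raw in enumerate(wf.splitlines(), 1):
        indent = len(raw) - len(raw.lstrip())
        if in_run and (not raw.strip() or indent > run_indent):  # still inside the block scalar
            out += [(n, e) for e in EVENT_EXPR_RE.findall(raw)]
            continue
        in_run = False
        m = RUN_RE.match(raw)
        if m:
            out += [(n, e) for e in EVENT_EXPR_RE.findall(m.group(1))]
            if m.group(1) in ("|", ">", "|-", ">-"):  # block scalar follows on deeper lines
                in_run, run_indent = True, indent
    return out

def find_self_hosted_runners(wf):
    """(line, label) for runs-on values naming a runner group or a self-hosted label."""
    out, lines = [], wf.splitlines()
    for n, line in enumerate(lines, 1):
        m = RUNS_ON_RE.match(line)
        value = m.group(1) or "" if m else None
        if value and "self-hosted" in value:
            out.append((n, value))
        elif value == "":  # mapping form: group:/labels: on the following lines
            g = re.search(r"group:\s*(\S+)", " ".join(lines[n:n + 2]))
            if g:
                out.append((n, g.group(1)))
    return out

def audit(wf):
    """Run every check; an empty dict means the workflow passes the Test Plan.
    fork_head_checkout: explicit PR-head checkout, dangerous wherever secrets are present."""
    lines = wf.splitlines()
    checks = {
        "unpinned_uses": find_unpinned_uses(wf),
        "event_expr_in_run": find_event_exprs_in_run(wf),
        "fork_head_checkout": [n for n, l in enumerate(lines, 1) if FORK_HEAD_RE.match(l)],
        "self_hosted_runner": find_self_hosted_runners(wf),
        "missing_permissions": not any(l.startswith("permissions:") for l in lines),
    }
    return {k: v for k, v in checks.items() if v}

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"{name}: {audit(wf) or 'clean'}")
```

Running the file prints the findings for the constructed vulnerable workflow and `clean` for the hardened one. The `env:` indirection is the actual fix for the injection: the runner expands the expression into an environment variable before the shell starts, so a PR body containing a quote and a command is data rather than code. Pinning by SHA removes the tag-mutation risk but not the need to review what the pinned commit does, which is why the hardened sample keeps the version comment next to the SHA.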