Description
Area for Improvement
GitHub Actions workflows (general security improvement)
Observed behavior
The current set of workflows contains several areas where security and best-practice guidelines can be strengthened. These include missing explicit permissions for jobs, missing job timeouts, and secrets set at the workflow or job environment level, all of which may expose the project to unintended risks or resource misuse.
Desired behavior
Workflows should set granular job-level permissions, use job timeouts to limit runaway jobs, and avoid placing secrets directly in workflow or job environment blocks. These improvements will reduce the attack surface, make the CI processes more predictable, and enhance compliance with industry standards for workflow automation.
Proposed Fix
Update workflow YAML files to:
- Add explicit permissions to all jobs for least-privilege operation.
- Set timeout-minutes on all jobs to limit execution time.
- Move any secrets or tokens from job-level or workflow-level environment variables to safer storage or inject at step-level where possible.
Establish SCA for GitHub Workflows (ghalint, actionlint, etc.) to enforce basic good practices.
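As an added illustration (not one of the project's own workflows), the YAML below shows a job with the three weaknesses the fix targets, followed by the hardened equivalent as two YAML documents in one block. The job names, the `make` targets and the `REGISTRY_TOKEN` secret are assumed placeholders.

```yaml
# Added example, not a workflow from the project.
# Document 1: the pattern the issue describes as risky.
name: ci-before
on: [push]
# Workflow-level env: the secret is exposed to every job and every step,
# including steps that never need it.
env:
  REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
jobs:
  build-and-push:
    runs-on: ubuntu-latest
    # No `permissions:` block: the job inherits the repository default
    # GITHUB_TOKEN scope, which may be read-write on all scopes.
    # No `timeout-minutes:`: a hung step can run for the default 360 minutes.
    steps:
      - uses: actions/checkout@v4
      - run: make build
      - run: make push
---
# Document 2: the hardened form.
name: ci-after
on: [push]
# Workflow-level default of no permissions; each job asks only for what it needs.
permissions: {}
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
    steps:
      # In real use, pin the action to a full-length commit SHA rather than a tag.
      - uses: actions/checkout@v4
      - run: make build
  push:
    needs: build
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - run: make push
        # Secret injected at step level: only this step can read it.
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
```

Splitting the work into two jobs lets the `build` job run with read-only permissions while only the `push` job receives `packages: write` and the registry secret; `permissions: {}` at the top forces every job to declare its scope explicitly rather than silently inheriting the repository default.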
rad Version
N/A
Operating system
N/A
Additional context
The proposed improvements aim to further secure workflows, improve maintainability, and align with well-established CI/CD practices.
Selected areas to improve:
- https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/policies/001.md
- https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/policies/005.md
- https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/policies/006.md
- https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/policies/008.md
- https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/policies/009.md
- https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/policies/010.md
- https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/policies/012.md
- https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/policies/013.md