Enhance GitHub Workflows: address security and best practices #10795

@DariuszPorowski

Area for Improvement

GitHub Actions workflows (general security improvement)

Observed behavior

The current set of workflows contains several areas where security and best practice guidelines can be strengthened. These include missing explicit permissions for jobs, missing job timeouts, and setting secrets at the workflow or job environment level, all of which may expose the project to unintended risks or resource misuse.

Desired behavior

Workflows should set granular job-level permissions, use job timeouts to limit runaway jobs, and avoid placing secrets directly in workflow or job environment blocks. These improvements will reduce the attack surface, make the CI processes more predictable, and enhance compliance with industry standards for workflow automation.

Proposed Fix

Update workflow YAML files to:

  • Add explicit permissions to all jobs for least-privilege operation.
  • Set timeout-minutes on all jobs to limit execution time.
  • Move any secrets or tokens from job-level or workflow-level environment variables to safer storage or inject at step-level where possible.

Establish SCA for GitHub Workflows (ghalint, actionlint, etc.) to enforce basic good practices.

rad Version

N/A

Operating system

N/A

Additional context

The proposed improvements aim to further secure workflows, improve maintainability, and align with well-established CI/CD practices.

Selected areas to improve:

AB#17685
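
An illustration of the three changes proposed above, added here as an example and not taken from the issue or from the project's workflows. The workflow, job, script and secret names are hypothetical, and the two YAML documents stand for the same workflow file before and after the change.

```yaml
# Constructed example; workflow, job, script and secret names are hypothetical.

# Before: the three patterns listed under "Observed behavior".
name: build
on: [push]
env:
  # Workflow-level env: every step of every job can read the secret,
  # including steps that only run build tooling.
  DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
jobs:
  build:
    runs-on: ubuntu-latest
    # No permissions block: GITHUB_TOKEN gets the repository default scopes.
    # No timeout-minutes: a hung job runs until the 360-minute default limit.
    steps:
      - uses: actions/checkout@v4
      - run: make build
      - run: ./scripts/publish.sh
---
# After: the three changes listed under "Proposed Fix".
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15        # bounds a runaway job
    permissions:
      contents: read           # only the scope the checkout step needs
    steps:
      - uses: actions/checkout@v4
      - run: make build        # no longer sees DEPLOY_TOKEN
      - run: ./scripts/publish.sh
        env:
          # Step-level env: the secret exists only in this step's process.
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
```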

Labels: maintenance, triaged
