Prompt
Implement strict security controls in continuous integration and deployment workflows:
- Pin external GitHub Actions to immutable commit hashes rather than mutable tags:
```yaml
Instead of this (vulnerable to supply chain attacks):
- uses: codespell-project/codespell-problem-matcher@v1
Use this (pinned to specific commit):
- uses: codespell-project/codespell-problem-matcher@e8fc5c5c5e6c5c5c5c5c5c5c5c5c5c5c5c5c5c5c ```
- Isolate workflows requiring elevated permissions into separate files for clearer security boundaries:
# Separate high-privilege workflows (e.g., update-nix-hash.yml) from regular CI workflows permissions: contents: write # Clearly visible elevated permission - Apply the principle of least privilege by:
- Only granting write permissions where strictly necessary
- Using conditional execution to limit when privileged jobs run (e.g.,
if: github.event_name == 'push' && github.ref == 'refs/heads/main')
- Thoroughly review scripts running with elevated permissions to protect against:
- Secret leakage
- Unintended commits or changes
- Input injection vulnerabilities
Implementing these practices prevents supply chain attacks and reduces the risk of compromised workflows affecting your repository.