chore: apply security best practices and onboard stepsecurity (#131)

ali-kafel · web-flow · commit 357d2fedc5b7 · 2025-11-06T10:20:17.000-05:00
This pull request updates the GitHub Actions workflows to improve
security and reliability. The main changes include hardening the CI
runners, pinning action versions to specific commit SHAs, and updating
permissions for certain jobs.

**Security hardening and workflow improvements:**

* Added the `step-security/harden-runner` action to all workflows
(`commit-lint.yml`, `npm-publish.yml`, `pull_request_checks.yml`),
blocking all network egress except for globally allowed endpoints.
[[1]](diffhunk://#diff-f9aa500b86b242f58f185509ad323b3526cf5effc683df4b5cb4d78df4108c5fR7-R26)
[[2]](diffhunk://#diff-8a5ce8b612395836520d0655143f732d08e747af57f3cfe76b5e283600106240L16-R23)
[[3]](diffhunk://#diff-ae3a094ad37eeebef2d33cfc7571af414c00ce49e02be88f32f3de2905a8a2d1L12-R19)
* Replaced version tags for `actions/checkout` and `actions/setup-node`
with specific commit SHAs to prevent supply chain attacks.
[[1]](diffhunk://#diff-f9aa500b86b242f58f185509ad323b3526cf5effc683df4b5cb4d78df4108c5fR7-R26)
[[2]](diffhunk://#diff-8a5ce8b612395836520d0655143f732d08e747af57f3cfe76b5e283600106240L16-R23)
[[3]](diffhunk://#diff-ae3a094ad37eeebef2d33cfc7571af414c00ce49e02be88f32f3de2905a8a2d1L12-R19)
* Pinned AWS-related actions (`aws-actions/configure-aws-credentials`,
`aws-actions/aws-secretsmanager-get-secrets`) to specific commit SHAs in
`npm-publish.yml`.

**Permissions and access control:**

* Added or updated `permissions` blocks to restrict and explicitly
define required permissions for jobs, including granting `id-token:
write` where needed for OIDC authentication.
[[1]](diffhunk://#diff-f9aa500b86b242f58f185509ad323b3526cf5effc683df4b5cb4d78df4108c5fR7-R26)
[[2]](diffhunk://#diff-8a5ce8b612395836520d0655143f732d08e747af57f3cfe76b5e283600106240R32-R56)
diff --git a/.github/workflows/commit-lint.yml b/.github/workflows/commit-lint.yml
@@ -4,15 +4,26 @@ on:
   pull_request:
     branches: [master]
 
+permissions:
+  contents: read
+
 jobs:
   commit_lint:
     name: "Lint commit messages"
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden the runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: block
+          policy: global-allowed-endpoints-policy
+
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
           fetch-depth: 0
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 16
       - run: yarn install --frozen-lockfile
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -13,8 +13,14 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - name: Harden the runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: block
+          policy: global-allowed-endpoints-policy
+
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 16
       - run: yarn install --frozen-lockfile
@@ -23,23 +29,31 @@ jobs:
   publish-npm:
     needs: build
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - name: Harden the runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: block
+          policy: global-allowed-endpoints-policy
+
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 16
           registry-url: https://registry.npmjs.com/
       - run: yarn install --frozen-lockfile
       - run: yarn run build
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
         with:
           aws-region: us-east-1
           role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID_PAY }}:role/github-actions-service-role
 
       - name: Read secrets from AWS Secrets Manager into environment variables
-        uses: aws-actions/aws-secretsmanager-get-secrets@v2.0.5
+        uses: aws-actions/aws-secretsmanager-get-secrets@98c2d6bf1dd67c2575fa2bb14294aa64103d426c # v2.0.5
         with:
           secret-ids: |
             /prod/circle-nodejs-sdk/npm/automation-token
diff --git a/.github/workflows/pull_request_checks.yml b/.github/workflows/pull_request_checks.yml
@@ -8,9 +8,17 @@ jobs:
   lint:
     name: "Lint, Build and Test"
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - name: Harden the runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: block
+          policy: global-allowed-endpoints-policy
+
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       - name: Installing dependencies
         run: yarn install --frozen-lockfile
       - name: Prettier check
