@CybotTM CybotTM commented Dec 19, 2025

Summary

This PR resolves GitHub Security alerts by implementing workflow security best practices:

  • Added explicit permissions blocks to all jobs (minimum contents: read)
  • Pinned all GitHub Actions to full commit SHAs instead of version tags

Security Improvements

Explicit Permissions

All jobs now have explicit permission declarations following the principle of least privilege:

  • validate-compose: contents: read
  • build-moodle-image: contents: read, packages: write
  • test-stack-startup: contents: read
  • security-scan: contents: read
  • markdown-lint: contents: read

Action SHA Pinning

All actions are now pinned to full commit SHAs to prevent supply chain attacks:

| Action | SHA | Version |
|---|---|---|
| actions/checkout | 11bd71901bbe5b1630ceea73d27597364c9af683 | v4.2.2 |
| docker/setup-buildx-action | b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 | v3.10.0 |
| docker/login-action | 74a5d142397b4f367a81961eba4e8cd7edddf772 | v3.4.0 |
| docker/metadata-action | 902fa8c0b3dc0d3bba63c0d8ea8a87b5be5c08e9 | v5.7.0 |
| docker/build-push-action | 4f58ea79222b3b9dc2c8bbdd6debcef730109a75 | v6.9.0 |
| aquasecurity/trivy-action | 6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 | master |
| DavidAnson/markdownlint-cli2-action | 82b32f7aaebcf01d06b69f1ec84a31fc90eb416a | v14.0.0 |

Testing

  • Workflow syntax is valid
  • All jobs maintain existing functionality
  • No breaking changes to workflow behavior

References

Resolves GitHub Security alerts for workflow configuration.

- Add explicit permissions blocks to all jobs (contents: read minimum)
- Pin all GitHub Actions to full commit SHAs instead of tags
- Actions pinned:
  - actions/checkout@11bd719 (v4.2.2)
  - docker/setup-buildx-action@b5ca514 (v3.10.0)
  - docker/login-action@74a5d14 (v3.4.0)
  - docker/metadata-action@902fa8c (v5.7.0)
  - docker/build-push-action@4f58ea7 (v6.9.0)
  - aquasecurity/trivy-action@6e7b7d1 (master)
  - DavidAnson/markdownlint-cli2-action@82b32f7 (v14.0.0)

This resolves GitHub Security alerts for:
- Unpinned actions (prevents supply chain attacks)
- Missing explicit permissions (follows principle of least privilege)

- markdownlint-cli2-action: v22.0.0 @ 07035fd053f7be764496c0f8d8f9f41f98305101
- setup-buildx-action: v3.12.0 @ 8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
- login-action: v3.6.0 @ 5e57cd118135c172c3672efd75eb46360885c0ef
- metadata-action: v5.10.0 @ c299e40c65443455700f0fdfc63efafe5b349051
- build-push-action: v6.18.0 @ 263435318d21b8e681c14492fe198d362a7d2c83

Fixes invalid markdownlint-cli2-action SHA that was causing workflow failures.

- Exclude Makefile from secret detection check (contains template placeholders)
- Fix table formatting in QUICKSTART.md (MD060) - add spaces around pipes
- Fix duplicate heading in README.md (MD024) - rename second "Traefik Integration" to "Manual Traefik Configuration"

The docker/metadata-action configuration had `type=sha,prefix={{branch}}-`
which generated invalid Docker tags with leading hyphens (e.g.,
`ghcr.io/netresearch/moodle-docker/moodle:-36c8772`) when the branch
placeholder was empty or not properly resolved in PR contexts.

Changed to `type=sha` to generate valid tags like `sha-36c8772` instead.

Fixes #12 build failure: "invalid reference format"
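The two controls the PR description lists, per-job `permissions` blocks and full-SHA pins, are easy to regress in a later edit. The audit below is an added example, not code from the netresearch/moodle-docker repository or from GitHub: it scans a workflow file line by line (a deliberate simplification that assumes conventionally indented YAML, so no YAML library is needed), flags `uses:` references that are not 40-hex commit SHAs, flags SHA pins that carry no version comment (the comment is what Dependabot and a reviewer read), and lists jobs with no `permissions:` key. The embedded workflow is constructed for the example; it borrows the PR's job names but is not the project's workflow.

```python
"""Audit a GitHub Actions workflow for explicit job permissions and SHA-pinned actions.

Added example, not code from the moodle-docker repository. Line-based scan:
assumes a conventionally indented workflow (jobs at indent 2, job keys at indent 4).
"""
import re
from typing import Dict, List, Optional

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")   # a full commit SHA is exactly 40 hex chars
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


def check_uses(ref: str) -> Optional[str]:
    """Return None when `ref` is pinned to a full commit SHA, otherwise a finding."""
    if ref.startswith("./"):
        return None  # local action in the same repository, nothing to pin
    if ref.startswith("docker://"):
        return f"{ref}: docker:// action, pin the image by digest instead"
    if "@" not in ref:
        return f"{ref}: no ref given, resolves to the action's default branch"
    action, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        return None
    if SHORT_SHA_RE.match(version):
        return f"{action}: abbreviated SHA {version}, use the full 40-hex SHA"
    return f"{action}: mutable ref {version!r} (tag or branch), pin to a commit SHA"


def audit_workflow(text: str) -> Dict[str, List[str]]:
    """Scan workflow YAML and return findings grouped by category."""
    findings: Dict[str, List[str]] = {
        "unpinned": [], "sha_without_version_comment": [], "jobs_without_permissions": []}
    in_jobs = False
    job: Optional[str] = None
    has_perms: Dict[str, bool] = {}
    for raw in text.splitlines():
        code, _, comment = raw.partition("#")  # keep the comment: "# v4.2.2" is checked below
        line = code.rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if indent == 0:                       # top-level key: are we entering `jobs:`?
            in_jobs = stripped == "jobs:"
            job = None
            continue
        if in_jobs and indent == 2 and stripped.endswith(":"):
            job = stripped[:-1]               # a new job mapping starts
            has_perms[job] = False
            continue
        if job and indent == 4 and stripped.startswith("permissions:"):
            has_perms[job] = True             # explicit permissions declared for this job
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            finding = check_uses(ref)
            if finding:
                findings["unpinned"].append(f"{job}: {finding}")
            elif "@" in ref and not re.search(r"v?\d", comment):
                findings["sha_without_version_comment"].append(f"{job}: {ref}")
    findings["jobs_without_permissions"] = [j for j, ok in has_perms.items() if not ok]
    return findings


# Constructed sample workflow: one compliant job, one that regresses both controls.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  validate-compose:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - run: docker compose config
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - uses: aquasecurity/trivy-action@master
      - uses: docker/login-action@v3
"""

if __name__ == "__main__":
    for category, items in audit_workflow(SAMPLE_WORKFLOW).items():
        print(category)
        for item in items:
            print("  -", item)
```

The check only proves that a pin is a SHA, not that the SHA is the commit the version comment claims; the later commit in this PR that replaced an invalid markdownlint-cli2-action SHA shows why that matters. Verify the pairing before merging with `git ls-remote https://github.com/OWNER/ACTION refs/tags/vX.Y.Z` and compare the returned hash with the pinned one.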
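The "invalid reference format" failure in the last commit comes from the tag grammar, not from the registry: a Docker/OCI tag must start with a word character and may then contain up to 127 word characters, dots or hyphens, so a tag beginning with `-` is rejected before anything is pushed. The block below is an added example, not code from docker/metadata-action or from moodle-docker. `render_sha_tag` is a simplified model of what `type=sha` produces (a rendered prefix plus the 7-character short SHA), written here only to show how an empty `{{branch}}` yields the bad tag; the full SHA and image name are constructed for the example.

```python
"""Show why `prefix={{branch}}-` produced an unpushable tag and check tags before pushing.

Added example; `render_sha_tag` is a simplified model of docker/metadata-action's
`type=sha` output, not the action's code.
"""
import re
from typing import Optional

# Tag grammar from the distribution reference spec: one word character, then up
# to 127 word characters, dots or hyphens. A leading '-' fails immediately.
TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")


def is_valid_tag(tag: str) -> bool:
    return TAG_RE.match(tag) is not None


def render_sha_tag(sha: str, branch: str, prefix: str = "sha-") -> str:
    """Model of `type=sha`: substitute {{branch}} into the prefix template and
    prepend the result to the 7-character short SHA (default prefix is 'sha-')."""
    rendered = prefix.replace("{{branch}}", branch)
    return rendered + sha[:7]


def check_reference(ref: str) -> Optional[str]:
    """Return an error string for a repository:tag reference with an invalid tag, else None."""
    # Split on the last ':'; if a '/' follows it, the ':' belongs to a registry port
    # (localhost:5000/app) and there is no tag. A digest's hex suffix also satisfies
    # the tag grammar, so repo@sha256:... references pass through this check.
    _, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:
        return None
    if not is_valid_tag(tag):
        return f"invalid reference format: {ref!r} (tag {tag!r})"
    return None


IMAGE = "ghcr.io/netresearch/moodle-docker/moodle"      # image name from the commit message
SHA = "36c8772f0d9e1a2b3c4d5e6f7a8b9c0d1e2f3a4b"     # constructed; only the short prefix matters

if __name__ == "__main__":
    # Before the fix: prefix template with an empty branch placeholder.
    bad = render_sha_tag(SHA, branch="", prefix="{{branch}}-")
    print(f"{IMAGE}:{bad} ->", check_reference(f"{IMAGE}:{bad}"))
    # After the fix: plain `type=sha` falls back to the 'sha-' prefix.
    good = render_sha_tag(SHA, branch="")
    print(f"{IMAGE}:{good} ->", check_reference(f"{IMAGE}:{good}"))
```

Running `check_reference` on each tag a metadata step emits, before the build-and-push step, turns this class of failure into a clear message in the job log instead of a registry rejection at the end of the build.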