ci: harden github workflows with least-privilege permissions and timeouts#14
Conversation
…outs

Scope: workflow YAML hardening only; no PowerShell or quality-logic changes.
- codeql.yml: switch analysis matrix from 'python' (repo has no Python; CodeQL cannot analyze PowerShell) to 'actions' so the workflows themselves are scanned; add top-level contents:read and a 15m job timeout.
- pages.yml: add 10m timeouts to build and deploy jobs (top-level permissions already least-privilege).
- pr-lint.yml: add top-level permissions (contents:read, pull-requests:read) and a 10m job timeout.
- stale.yml: add top-level permissions (contents:read, issues:write, pull-requests:write) and a 10m job timeout.
- quality.yml: already hardened; unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 34c098df1f
| fail-fast: false | ||
| matrix: | ||
| language: [ 'python' ] | ||
| language: [ 'actions' ] |
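Review bot: the matrix line replaces `'python'` with `'actions'` instead of adding to it, so any CodeQL coverage the python job gave is dropped by this hunk; the Codex comment on this PR points at scripts/validate_json_schema.py as Python that is still executed. If that holds, keep both entries, `language: [ 'python', 'actions' ]`, since each entry runs as its own analyze job and the existing `fail-fast: false` already stops one failing entry from cancelling the other.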
Keep Python in the CodeQL matrix
This replaces the existing Python CodeQL job instead of adding Actions scanning alongside it. The repo still has executable Python code (scripts/validate_json_schema.py) that is invoked by scripts/Test-CasJsonSchema.ps1:11 and :33, so after this change CodeQL will only analyze workflow YAML and the Python validator loses code-scanning coverage on every push/PR. Include both python and actions in the matrix if the goal is to harden workflows without dropping existing coverage.
Summary
Hardens this repo's GitHub Actions workflows. Workflow YAML only — no PowerShell scripts or quality-gate logic were touched.
CodeQL decision + rationale
`codeql.yml` previously set the analysis matrix to `language: [ 'python' ]`, but this repo contains no Python — it is PowerShell + JSON. CodeQL has no PowerShell analyzer, so a `python` run analyzed nothing and effectively wasted CI while giving a false sense of security coverage.
Decision: switch the matrix to `language: [ 'actions' ]` rather than deleting the workflow. CodeQL's `actions` pack scans GitHub Actions workflow files for real issues (e.g. injection via untrusted `${{ github.event.* }}`, over-broad `pull_request_target` usage, unpinned/dangerous action patterns). This repo has five workflows worth scanning, one of which (`pr-lint.yml`) uses `pull_request_target`, so `actions` analysis adds genuine value. Keeping the workflow (retargeted) is strictly better than removing it.
Per-file changes
| File | Top-level permissions | Job timeout (min) | Job(s) |
| --- | --- | --- | --- |
| `codeql.yml` | `contents: read` (job-level already scoped: `actions: read`, `contents: read`, `security-events: write`) + matrix `python` → `actions` | 15 | `analyze` |
| `pages.yml` | `contents: read`, `pages: write`, `id-token: write` — unchanged | 10 | `build` and `deploy` |
| `pr-lint.yml` | `contents: read`, `pull-requests: read` | 10 | `main` |
| `stale.yml` | `contents: read`, `issues: write`, `pull-requests: write` | 10 | `stale` |
| `quality.yml` | `contents: read` + per-step/job timeouts — unchanged | 20 | |
Validation
All five workflow files parse cleanly via `yaml.safe_load` (PyYAML). No syntax regressions.
🤖 Generated with Claude Code
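As an added check that is not part of this PR or the repo, the audit below applies the same three hardening rules (top-level least-privilege permissions, a per-job timeout, and surfacing `pull_request_target`) to a parsed workflow. It takes the dict `yaml.safe_load` would return, with the before/after `pr-lint.yml` samples constructed inline so it runs without PyYAML; the write-scope allowlist and the 20-minute ceiling are assumptions taken from the per-file table above.

```python
"""Audit parsed GitHub Actions workflows for the hardening this PR applies:
a top-level `permissions` block with no write scope beyond an allowlist,
`timeout-minutes` on every job, and a flag on `pull_request_target` triggers.
Input is the dict `yaml.safe_load()` returns for a workflow file; the samples
below are constructed inline so the check runs without PyYAML.
"""

# Write scopes this PR grants at the top level (stale.yml, pages.yml);
# any other top-level write scope is reported as over-broad (assumed policy).
ALLOWED_WRITE_SCOPES = {"issues", "pull-requests", "pages", "id-token"}
DEFAULT_JOB_TIMEOUT = 360  # GitHub's default when timeout-minutes is unset


def audit_workflow(name, wf, max_timeout=20):
    """Return a list of findings; an empty list means the workflow passes."""
    findings = []
    perms = wf.get("permissions")
    if perms is None:
        findings.append(f"{name}: no top-level permissions block")
    elif perms == "write-all":
        findings.append(f"{name}: top-level permissions is write-all")
    elif isinstance(perms, dict):
        for scope, level in perms.items():
            if level == "write" and scope not in ALLOWED_WRITE_SCOPES:
                findings.append(f"{name}: over-broad top-level {scope}: write")
    # PyYAML reads the bare key `on` as boolean True (YAML 1.1), so check both.
    triggers = wf.get("on", wf.get(True, {}))
    names = list(triggers) if isinstance(triggers, (dict, list)) else [triggers]
    if "pull_request_target" in names:
        findings.append(f"{name}: uses pull_request_target (base-repo context)")
    for job_id, job in wf.get("jobs", {}).items():
        timeout = job.get("timeout-minutes", DEFAULT_JOB_TIMEOUT)
        if timeout > max_timeout:
            findings.append(f"{name}: job {job_id} timeout {timeout}m > {max_timeout}m")
    return findings


# Constructed sample: pr-lint.yml before hardening (no permissions, no timeout).
PR_LINT_BEFORE = {
    True: {"pull_request_target": {"types": ["opened", "edited"]}},
    "jobs": {"main": {"runs-on": "ubuntu-latest", "steps": []}},
}
# The same workflow after this PR: read-only scopes and a 10-minute job cap.
PR_LINT_AFTER = {
    True: {"pull_request_target": {"types": ["opened", "edited"]}},
    "permissions": {"contents": "read", "pull-requests": "read"},
    "jobs": {"main": {"runs-on": "ubuntu-latest", "timeout-minutes": 10, "steps": []}},
}
```

The hardened sample still reports its `pull_request_target` trigger on purpose: that is a review flag rather than a defect, and it is the reason the `actions` CodeQL pack is worth running here.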