ci: least-privilege workflow permissions and release signing#27
Open
jdatcmd wants to merge 1 commit into
Open
Conversation
Address the two highest-value OpenSSF Scorecard gaps. Token-Permissions: add a top-level "permissions: contents: read" to every workflow that lacked one (build-and-test, coverage, matrix, pgindent, sanitizers, tests-registered). In docs.yml, narrow the top-level token to read and grant contents: write only on the deploy job that mike uses to push to gh-pages. Signed-Releases: add sign-release.yml, which on a published release signs each source tarball and SHA256SUMS with cosign keyless (Sigstore, no stored key, GitHub OIDC) and uploads a .cosign.bundle next to each asset. It can also be run by hand for a given tag. RELEASING.md documents the flow and the cosign verify-blob command. The cosign-installer action is pinned by commit SHA. design/openssf-scorecard-todo.md records the full review and the remaining items (branch protection, review approvals, SHA-pinning the rest of the actions, CodeQL, best-practices badge, fuzzing). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Addresses the two highest-impact gaps from the OpenSSF Scorecard review (current score 4.5/10).
Token-Permissions (was 0)
Six workflows had no top-level
permissions:block, anddocs.ymlgrantedcontents: writeat the top level. This change:permissions: contents: readat the top level ofbuild-and-test.yml,coverage.yml,matrix.yml,pgindent.yml,sanitizers.yml, andtests-registered.yml.docs.ymltocontents: readat the top level and grantscontents: writeonly on thedeployjob (whichmikeneeds to push togh-pages).Expected to move Token-Permissions from 0 to 9/10.
Signed-Releases (was 0)
Adds
.github/workflows/sign-release.yml. On a published release (or manual dispatch with a tag), it signs each source tarball andSHA256SUMSwith cosign keyless (Sigstore) and uploads a<asset>.cosign.bundlenext to each asset. No signing key is stored: the runner's GitHub OIDC identity is used, and each bundle carries the signature, certificate, and Rekor transparency-log entry. Thecosign-installeraction is pinned by commit SHA.The existing manual
gh release createflow is unchanged; signing happens automatically on publish.RELEASING.mddocuments the flow and thecosign verify-blobcommand consumers use.Also
design/openssf-scorecard-todo.mdrecords the full review and the remaining items: branch protection onmain, requiring review approvals (Code-Review), SHA-pinning the remaining actions, theMarkdowndocs-dependency CVE, a CodeQL workflow (SAST), the best-practices badge, and fuzzing.🤖 Generated with Claude Code