Skip to content

ci: least-privilege workflow permissions and release signing#27

Open
jdatcmd wants to merge 1 commit into
mainfrom
security/scorecard-token-permissions
Open

ci: least-privilege workflow permissions and release signing#27
jdatcmd wants to merge 1 commit into
mainfrom
security/scorecard-token-permissions

Conversation

@jdatcmd

@jdatcmd jdatcmd commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Addresses the two highest-impact gaps from the OpenSSF Scorecard review (current score 4.5/10).

Token-Permissions (was 0)

Six workflows had no top-level permissions: block, and docs.yml granted contents: write at the top level. This change:

  • Adds permissions: contents: read at the top level of build-and-test.yml, coverage.yml, matrix.yml, pgindent.yml, sanitizers.yml, and tests-registered.yml.
  • Narrows docs.yml to contents: read at the top level and grants contents: write only on the deploy job (which mike needs to push to gh-pages).

Expected to move Token-Permissions from 0 to 9/10.

Signed-Releases (was 0)

Adds .github/workflows/sign-release.yml. On a published release (or manual dispatch with a tag), it signs each source tarball and SHA256SUMS with cosign keyless (Sigstore) and uploads a <asset>.cosign.bundle next to each asset. No signing key is stored: the runner's GitHub OIDC identity is used, and each bundle carries the signature, certificate, and Rekor transparency-log entry. The cosign-installer action is pinned by commit SHA.

The existing manual gh release create flow is unchanged; signing happens automatically on publish. RELEASING.md documents the flow and the cosign verify-blob command consumers use.

Also

design/openssf-scorecard-todo.md records the full review and the remaining items: branch protection on main, requiring review approvals (Code-Review), SHA-pinning the remaining actions, the Markdown docs-dependency CVE, a CodeQL workflow (SAST), the best-practices badge, and fuzzing.

🤖 Generated with Claude Code

Address the two highest-value OpenSSF Scorecard gaps.

Token-Permissions: add a top-level "permissions: contents: read" to every
workflow that lacked one (build-and-test, coverage, matrix, pgindent,
sanitizers, tests-registered). In docs.yml, narrow the top-level token to
read and grant contents: write only on the deploy job that mike uses to push
to gh-pages.

Signed-Releases: add sign-release.yml, which on a published release signs each
source tarball and SHA256SUMS with cosign keyless (Sigstore, no stored key,
GitHub OIDC) and uploads a .cosign.bundle next to each asset. It can also be
run by hand for a given tag. RELEASING.md documents the flow and the
cosign verify-blob command. The cosign-installer action is pinned by commit
SHA.

design/openssf-scorecard-todo.md records the full review and the remaining
items (branch protection, review approvals, SHA-pinning the rest of the
actions, CodeQL, best-practices badge, fuzzing).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants