From 49e84f60d22f815ba3997ca5ec751c9f4592899d Mon Sep 17 00:00:00 2001
From: Irfan Hardiyanto
Date: Wed, 10 Jun 2026 00:26:31 +0700
Subject: [PATCH] Harden CI against malicious PRs

- CODEOWNERS: auto-request maintainer review on every PR, mandatory code-owner approval for workflows + install scripts + source files
- dependabot.yml: weekly PRs that bump pinned action SHAs to latest release
- Pin actions/checkout to SHA (v4.3.1) so an upstream compromise of the moving v4 tag does not silently execute attacker code in our runners
- Default workflow permissions to contents:read; release.yml keeps its explicit contents:write opt-in so writes are visible per-workflow
---
 .github/CODEOWNERS | 14 ++++++++++++++
 .github/dependabot.yml | 15 +++++++++++++++
 .github/workflows/ci.yml | 11 ++++++++---
 .github/workflows/release.yml | 2 +-
 4 files changed, 38 insertions(+), 4 deletions(-)
 create mode 100644 .github/CODEOWNERS
 create mode 100644 .github/dependabot.yml

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..639695d
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,14 @@
+# Default owner — every PR auto-requests review from the maintainer.
+* @devhardiyanto
+
+# Security-sensitive paths. Branch protection is configured to require
+# code-owner review for these, so they cannot be merged without explicit
+# maintainer approval even if the rest of the PR passes review.
+/.github/workflows/ @devhardiyanto
+/.github/CODEOWNERS @devhardiyanto
+/.github/dependabot.yml @devhardiyanto
+/linux/install.sh @devhardiyanto
+/linux/phpvm.sh @devhardiyanto
+/windows/install.ps1 @devhardiyanto
+/windows/phpvm.ps1 @devhardiyanto
+/version.txt @devhardiyanto
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..1e8ced2
--- /dev/null
+++ b/.github/dependabot.yml
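Review bot: The per-path entries from `/.github/workflows/` down to `/version.txt` name the same owner the `*` rule already assigns, so they change nothing about who is requested or whose approval is required, and the comment above them asserts a branch-protection configuration that nothing in this file can establish — CODEOWNERS only names reviewers, while "Require review from Code Owners" is a branch-protection / ruleset setting that must be enabled (and not bypassable by the owner) for the claim to hold. Suggest rewording the comment so it reads as the prerequisite it is rather than a guarantee, e.g. `# Listed for documentation; enforcement depends on the main branch's protection/ruleset having "Require review from Code Owners" enabled.` If the intent is that these paths need a second approver, a single-owner CODEOWNERS cannot express that; that would need a team owner or a ruleset requiring more than one approval. The hunk header counts 14 lines but 13 appear in this rendering, so one blank line is presumably lost in transit rather than missing from the commit.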
@@ -0,0 +1,15 @@
+version: 2
+updates:
+  # Keep GitHub Actions versions current. Updates arrive as PRs that bump the
+  # pinned SHA + comment to the latest release of each action used in workflows.
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "ci"
+    labels:
+      - dependencies
+      - github-actions
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3292030..1cc21c5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,12 +5,17 @@ on:
     branches: [main]
   pull_request:
 
+# Default: no write permissions. Individual jobs/workflows must opt in
+# explicitly (release.yml needs `contents: write`).
+permissions:
+  contents: read
+
 jobs:
   windows:
     name: Windows lint + tests
     runs-on: windows-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Install Pester 5 and PSScriptAnalyzer
         shell: pwsh
@@ -40,7 +45,7 @@ jobs:
     name: Linux shellcheck + bats
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Install shellcheck + bats
         run: |
@@ -57,7 +62,7 @@ jobs:
     name: Version consistency
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Check version.txt matches all 4 sources
         run: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 67f4d92..164d0a0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ jobs:
     name: Create GitHub release
     runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
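Review bot: The comment on the `updates` entry says the PRs bump "pinned SHA + comment" but does not say that the trailing `# vX.Y.Z` comment on each SHA-pinned `uses:` line is what Dependabot uses, as far as I know, to map the pin to a release, so a reviewer who strips that comment as noise quietly makes the pin un-updatable. Suggest extending the comment: `# The "# vX.Y.Z" comment after each SHA-pinned "uses:" must stay: Dependabot resolves the SHA to a release through it and rewrites both together.` Worth one more sentence that these PRs touch `.github/workflows/` and therefore wait for the code owner under the CODEOWNERS added in this commit, so nobody later turns on auto-merge for them and reintroduces the unreviewed-update path the pins were meant to close.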
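Review bot: The `permissions: contents: read` block added at the top of ci.yml scopes the token only for jobs in this file; it sets no repository-wide default, so a workflow file added later without its own `permissions:` falls back to the repository's "Workflow permissions" setting, and the comment's mention of release.yml reads as though this block governed other workflows. Suggest making the comment precise: `# Scopes GITHUB_TOKEN to read-only for every job in this workflow. Other workflows declare their own (release.yml opts into contents: write); set the repository-level default to read-only as well so new workflows start restricted.` The same checkout pin is repeated in the hunks at -40 and -57 and in release.yml; on steps where later commands do not need the token, `persist-credentials: false` on the checkout step would stop it being written into the checked-out repository's git config, which actions/checkout does by default.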