3 changes: 3 additions & 0 deletions .github/workflows/auto-project.yml
Expand Up @@ -4,6 +4,9 @@ on:
issues:
types: [opened]

permissions:
contents: read

jobs:
add-to-project:
uses: RequestNetwork/.github/.github/workflows/add-to-project.yml@main
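Review bot: the new workflow-level contents: read also caps the token handed to the reusable workflow called on the line above; a callee can only narrow, never widen, the caller's grant, so if add-to-project.yml relies on GITHUB_TOKEN to add the issue to a project it now lacks the write scope it needs (if it authenticates with a PAT secret it is unaffected). The reusable workflow is also still referenced as @main while every action in this PR is SHA-pinned; pinning it to a commit keeps the same mutable-ref exposure out of this path.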
6 changes: 5 additions & 1 deletion .github/workflows/auto_assign_pr.yml
Expand Up @@ -12,4 +12,8 @@ jobs:
add-reviews:
runs-on: ubuntu-latest
steps:
- uses: kentaro-m/auto-assign-action@v1.2.0
- name: Harden Runner
uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2
with:
egress-policy: audit
- uses: kentaro-m/auto-assign-action@50ee9a1818bde2eb93a948448994a9d414457e3a # v1.2.0
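Review bot: no permissions block appears in this hunk, unlike the other workflows in the PR; if none exists above the visible range, add one granting only pull-requests: write, which is what auto-assign needs to request reviewers, so the token stops defaulting to the repository-wide setting. Note also that egress-policy: audit only logs outbound connections; plan to switch to block with an allowed-endpoints list once the audit output has been reviewed.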
4 changes: 4 additions & 0 deletions .github/workflows/pr-comments.yml
Expand Up @@ -4,6 +4,10 @@ on:
pull_request_target:
types: [opened, ready_for_review, closed]

permissions:
contents: read
pull-requests: write

jobs:
pr-comments:
name: PR Comments
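Review bot: pull_request_target with pull-requests: write is the privileged-trigger shape, so the explicit permissions block is the right addition; confirm in the steps below (not part of this hunk) that the job never checks out or runs code from the PR head (e.g. actions/checkout with ref pointing at the PR head), because under this trigger the token and secrets belong to the base repository.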
3 changes: 3 additions & 0 deletions .github/workflows/reopen-issue-if-prs-open.yml
Expand Up @@ -4,6 +4,9 @@ on:
issues:
types: [closed]

permissions:
contents: read

jobs:
reopen-if-needed:
uses: RequestNetwork/.github/.github/workflows/reopen-issue-if-prs-open.yml@main
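Review bot: reopening an issue requires issues: write, and contents: read at the caller level now caps what the reusable workflow can request (a callee cannot escalate beyond the caller's grant); unless reopen-issue-if-prs-open.yml authenticates with its own PAT, the reopen call will fail with 403. Either add issues: write here or verify the callee's credential. The same @main-versus-SHA pinning observation as for auto-project.yml applies.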
17 changes: 11 additions & 6 deletions .github/workflows/security-echidna.yml
Expand Up @@ -26,6 +26,7 @@ on:
permissions:
contents: read
pull-requests: write
issues: write

jobs:
echidna-fuzzing:
Expand All @@ -34,13 +35,17 @@ jobs:
timeout-minutes: 90

steps:
- name: Harden Runner
uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0

- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
Member


🟡 Adjacent feedback: the yarn install --frozen-lockfile step a few lines below is unprotected by Socket Firewall. #282 task 4 said Socket on the install step across CI workflows; the PR only wraps the three Tron install steps. Suggest adding the same setup-Socket pattern Tron got, immediately before the install step:

- name: Setup Socket.dev
  uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
  with:
    mode: firewall-free

and changing the install line to sfw yarn install --frozen-lockfile.

with:
node-version: '22'
cache: 'yarn'
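Review bot: egress-policy: audit only records outbound connections and blocks nothing; for a 90-minute fuzzing job that does a full-history checkout (fetch-depth: 0) and installs dependencies, the audit log from a few runs is enough to derive an allowed-endpoints list and move to egress-policy: block, which is the setting under which Harden Runner actually stops a compromised dependency from calling out.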
Expand Down Expand Up @@ -82,7 +87,7 @@ jobs:
echidna --version

- name: Restore corpus cache
uses: actions/cache@v4
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: packages/smart-contracts/corpus
key: echidna-corpus-${{ github.ref_name }}-${{ github.sha }}
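Review bot: the cache key ends in github.sha, so it only hits on an exact re-run of the same commit; unless a restore-keys: echidna-corpus-${{ github.ref_name }}- fallback sits just below this hunk, the fuzzing corpus never carries over between commits and every run starts cold, which defeats the purpose of a corpus cache.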
Expand Down Expand Up @@ -175,7 +180,7 @@ jobs:

- name: Upload Echidna reports
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: echidna-reports-${{ steps.mode.outputs.MODE }}
path: |
Expand All @@ -185,7 +190,7 @@ jobs:

- name: Comment on PR
if: github.event_name == 'pull_request' && always()
uses: actions/github-script@v7
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
Member


🔵 Nit, not blocking: the '${{ steps.parse.outputs.X }}' interpolation pattern below is the github-script script-injection shape that zizmor and actionlint flag. Safe today since the values are jq-extracted integers, but the safer pattern is env: + process.env. Same in security-slither.yml:140.

with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
Expand Down Expand Up @@ -257,7 +262,7 @@ jobs:

- name: Create issue for nightly failures
if: github.event_name == 'schedule' && steps.echidna.outcome == 'failure'
uses: actions/github-script@v7
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
16 changes: 10 additions & 6 deletions .github/workflows/security-slither.yml
Expand Up @@ -21,13 +21,17 @@ jobs:
runs-on: ubuntu-latest

steps:
- name: Harden Runner
uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0

- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
Member


🟡 Same Socket Firewall gap as security-echidna.yml. Same fix.

with:
node-version: '22'
cache: 'yarn'
Expand All @@ -48,7 +52,7 @@ jobs:
yarn build:sol

- name: Setup Python
uses: actions/setup-python@v5
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: '3.11'
cache: 'pip'
Expand Down Expand Up @@ -90,14 +94,14 @@ jobs:

- name: Upload SARIF to GitHub Security
if: always() && hashFiles('packages/smart-contracts/reports/security/slither.sarif') != ''
uses: github/codeql-action/upload-sarif@v4
uses: github/codeql-action/upload-sarif@5e316336eb4f107009e477d4bfbfff13d7250fae # v4
Member


🔴 Must-fix before merge: this SHA does not exist in github/codeql-action. Verified: gh api repos/github/codeql-action/commits/5e316336... returns 422, and no ref points at it. The step runs if: always() && hashFiles(...) != '' and Slither emits a SARIF every run, so this fails the job every time.

Replace with:

uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5

with:
sarif_file: packages/smart-contracts/reports/security/slither.sarif
category: slither

- name: Upload Slither reports
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: slither-reports
path: packages/smart-contracts/reports/security/
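Review bot: in addition to the invalid SHA flagged above, upload-sarif needs security-events: write on the job token, and the permissions block for this workflow is not part of the diff; confirm it grants that scope (and that the corrected pin really is the commit released as v4), otherwise the step still fails with 403 after the SHA is fixed.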
Expand Down Expand Up @@ -132,7 +136,7 @@ jobs:

- name: Comment on PR
if: github.event_name == 'pull_request' && always()
uses: actions/github-script@v7
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
48 changes: 39 additions & 9 deletions .github/workflows/tron-smart-contracts.yml
Expand Up @@ -32,26 +32,38 @@ on:
- 'packages/currency/src/chains/tron/**'
workflow_dispatch:

permissions:
contents: read

jobs:
tron-compile-check:
name: Tron Contract Compilation Check
runs-on: ubuntu-latest

steps:
- name: Harden Runner
uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: '22'
cache: 'yarn'

- name: Install TronBox globally
run: npm install -g tronbox
Member


🔵 Minor: this runs before Setup Socket.dev so the tronbox global install isn't gated by sfw. Harden Runner audit still observes its egress. Suggest swapping the two so all dep installs in this job go through Socket.


- name: Setup Socket.dev
uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
with:
mode: firewall-free

- name: Install dependencies
run: yarn install --frozen-lockfile
run: sfw yarn install --frozen-lockfile

- name: Compile Tron contracts
working-directory: packages/smart-contracts
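Review bot: the Install TronBox globally step runs npm install -g tronbox with no version, so it resolves to whatever is published as latest and this job keeps an unpinned dependency fetch while every action in the PR is SHA-pinned; pin it (npm install -g tronbox@<exact version>) and, as the earlier comment says, move it after Setup Socket.dev so it runs under sfw like the yarn install that follows.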
Expand Down Expand Up @@ -134,17 +146,26 @@ jobs:
runs-on: ubuntu-latest

steps:
- name: Harden Runner
uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: '22'
cache: 'yarn'

- name: Setup Socket.dev
uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
with:
mode: firewall-free

- name: Install dependencies
run: yarn install --frozen-lockfile
run: sfw yarn install --frozen-lockfile

- name: Build dependencies
run: |
Expand All @@ -163,17 +184,26 @@ jobs:
runs-on: ubuntu-latest

steps:
- name: Harden Runner
uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: '22'
cache: 'yarn'

- name: Setup Socket.dev
uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
with:
mode: firewall-free

- name: Install dependencies
run: yarn install --frozen-lockfile
run: sfw yarn install --frozen-lockfile

- name: Build smart-contracts package
run: |