Skip to content

ci: harden CI workflows with environment-based protection #476

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
carlosmmatos wants to merge 2 commits into
base: main
Choose a base branch
from
Open

ci: harden CI workflows with environment-based protection #476

carlosmmatos wants to merge 2 commits into from

Conversation

@carlosmmatos
Copy link
Contributor

@carlosmmatos carlosmmatos commented Jan 30, 2026
edited
Loading

Summary

This PR hardens CI workflows against supply chain attacks by replacing pull_request_target with environment-based secret gating.

Security Improvements

  • Eliminated pull_request_target attack surface - Removed from 10 workflows that were vulnerable to malicious fork PRs
  • Environment-based secret gating - PRs require approval before accessing secrets
  • Explicit SHA passing - Prevents confused deputy attacks by passing github.event.pull_request.head.sha explicitly
  • SHA-pinned actions - All third-party actions pinned to full SHA with version comments
  • Centralized audit surface - Security logic consolidated into 3 reusable workflows

This ensures:

  • Fork PRs cannot exfiltrate secrets - Malicious code in a PR cannot access FALCON_CLIENT_ID etc. without maintainer approval
  • Trusted contexts remain efficient - Push to main and scheduled runs don't require manual intervention

Files Changed

New Reusable Workflows

  • .github/workflows/reusable-molecule-test-linux.yml - Linux molecule testing
  • .github/workflows/reusable-molecule-test-windows.yml - Windows molecule testing
  • .github/workflows/reusable-container-sensor-pull.yml - Container sensor pull

Modified Caller Workflows (10 total)

  • bash_install.yml, bash_install_decrement.yml, bash_install_only.yml, bash_install_policy.yml, bash_migrate.yml
  • pwsh_install_ccid.yml, pwsh_install_policy.yml, pwsh_migrate.yml, pwsh_uninstall.yml
  • container_sensor_pull.yml

Other Hardening

  • SHA-pinned actions in docs.yml, psscriptanalyzer.yml, release.yml, shell_format.yml, shellcheck.yml, stale.yml

@carlosmmatos
ci: initial hardening steps
9ae4f25
@carlosmmatos
ci: replace pull_request_target with environment-based protection
543db18 
- Convert 10 workflows from pull_request_target to pull_request trigger
- Create 3 reusable workflows with centralized test logic:
  - reusable-molecule-test-linux.yml
  - reusable-molecule-test-windows.yml
  - reusable-container-sensor-pull.yml
- Add environment protection (molecule-testing) for PR secret access
- Update actions/checkout to v5.0.1 (SHA pinned)
- Fix psscriptanalyzer action pinning from main to v1.1
- Add CODEOWNERS file with falcon-scripts-cs-maintainers

Security improvements:
- Eliminates pull_request_target risks from fork PRs
- Environment approval gates secret access for external contributors
- All actions properly SHA-pinned with version comments
- PR SHA passed explicitly to prevent confusion attacks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@carlosmmatos