Harden GitHub workflows

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2026-06-16 15:44:51 +02:00 · 2026-06-12 17:21:04 +02:00
parent 4d13107aac
commit df949f3d45
3 changed files with 29 additions and 6 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -40,7 +40,9 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
+      with:
+        persist-credentials: false

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -5,34 +5,49 @@ on:
    - cron: '0 2 * * *'
  workflow_dispatch:

+permissions:
+  contents: write
+
 jobs:
  nightly:
    name: Deploy nightly
+    permissions:
+      contents: write
    strategy:
      fail-fast: false
      matrix:
        refs: [main, development]
    runs-on: ubuntu-latest
+    env:
+      SIGNING_KEY_PATH: ${{ github.workspace }}/../private.pem
    steps:
+      - name: Validate signing secret
+        run: |
+          test -n "${{ secrets.PRIVATE_KEY_B64 }}" || {
+            echo "PRIVATE_KEY_B64 is required for nightly signed releases." >&2
+            exit 1
+          }
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ matrix.refs }}
          submodules: 'recursive'
+          persist-credentials: false
      - name: Restore private key
        run: |
-          echo "${{ secrets.PRIVATE_KEY_B64 }}" | base64 -d > private.pem
-          chmod 600 private.pem
+          echo "${{ secrets.PRIVATE_KEY_B64 }}" | base64 -d > "${SIGNING_KEY_PATH}"
+          chmod 600 "${SIGNING_KEY_PATH}"
      - name : Build
        env:
          PICO_SDK_PATH: ../pico-sdk
-          SECURE_BOOT_PKEY: ../private.pem
+          SECURE_BOOT_PKEY: ${{ github.workspace }}/../private.pem
        run: |
           ./workflows/autobuild.sh pico
           ./build_pico_fido.sh --no-eddsa
           ./workflows/autobuild.sh esp32
      - name: Delete private key
-        run: rm private.pem
+        if: always()
+        run: rm -f "${SIGNING_KEY_PATH}"
      - name: Update nightly release
        uses: pyTooling/Actions/releaser@v6.7.0
        with:
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -21,16 +21,22 @@ on:
    - cron: '23 5 * * 4'
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  build:

    runs-on: ubuntu-latest
+    permissions:
+      contents: read

    steps:
    - name: Checkout repository and submodules
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
      with:
        submodules: recursive
+        persist-credentials: false
    - name: Build in container
      run: ./tests/build-in-docker.sh
    - name: Start emulation and test