From bddad2f8372dff7dfb13b612882c023701a98acc Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Fri, 12 Jun 2026 17:34:51 +0200
Subject: [PATCH] Harden GitHub workflows
Signed-off-by: Pol Henarejos
---
 .github/workflows/codeql.yml | 4 +++-
 .github/workflows/nightly.yml | 23 +++++++++++++++++++----
 .github/workflows/test.yml | 13 +++++++++++--
 3 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index c846265..4c80cb4 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -40,7 +40,9 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index fcf7dd9..d9672c4 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
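Review bot: The hardened checkout step is still pinned to the mutable tag `actions/checkout@v4` rather than a full commit SHA, so an upstream retag changes what runs in this job without any change here; the same applies to the checkout steps in the nightly.yml and test.yml hunks and to `pyTooling/Actions/releaser@v6.7.0` and `actions/download-artifact@v4`. Pin each action to its 40-character commit SHA and keep the tag in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, so version tooling can still track it. With `persist-credentials: false` now set on this checkout, it is worth confirming that no later step in the CodeQL job relies on the checkout token; the remainder of that job is outside the hunk.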
@@ -5,34 +5,49 @@ on:
 - cron: '0 2 * * *'
 workflow_dispatch:
+permissions:
+ contents: write
+
 jobs:
 nightly:
 name: Deploy nightly
+ permissions:
+ contents: write
 strategy:
 fail-fast: false
 matrix:
 refs: [master, development]
 runs-on: ubuntu-latest
+ env:
+ SIGNING_KEY_PATH: ${{ github.workspace }}/../private.pem
 steps:
+ - name: Validate signing secret
+ run: |
+ test -n "${{ secrets.PRIVATE_KEY_B64 }}" || {
+ echo "PRIVATE_KEY_B64 is required for nightly signed releases." >&2
+ exit 1
+ }
 - name: Checkout repository
 uses: actions/checkout@v4
 with:
 ref: ${{ matrix.refs }}
 submodules: 'recursive'
+ persist-credentials: false
 - name: Restore private key
 run: |
- echo "${{ secrets.PRIVATE_KEY_B64 }}" | base64 -d > private.pem
- chmod 600 private.pem
+ echo "${{ secrets.PRIVATE_KEY_B64 }}" | base64 -d > "${SIGNING_KEY_PATH}"
+ chmod 600 "${SIGNING_KEY_PATH}"
 - name : Build
 env:
 PICO_SDK_PATH: ../pico-sdk
- SECURE_BOOT_PKEY: ../private.pem
+ SECURE_BOOT_PKEY: ${{ github.workspace }}/../private.pem
 run: |
 ./workflows/autobuild.sh pico
 ./build_pico_hsm.sh --no-eddsa
 ./workflows/autobuild.sh esp32
 - name: Delete private key
- run: rm private.pem
+ if: always()
+ run: rm -f "${SIGNING_KEY_PATH}"
 - name: Update nightly release
 uses: pyTooling/Actions/releaser@v6.7.0
 with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 7d870eb..e7dc268 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -21,14 +21,20 @@ on:
 - cron: '23 5 * * 4'
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout repository and submodules
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 submodules: recursive
+ persist-credentials: false
 - name: Build in container
 run: ./tests/build-in-docker.sh
 - name: Export image
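Review bot: The new "Validate signing secret" step and the rewritten "Restore private key" step both expand `${{ secrets.PRIVATE_KEY_B64 }}` directly inside `run:`, which splices the secret into the generated shell script instead of handing it over as an environment variable; the idiomatic hardening is a step-level `env:` entry and a `"${PRIVATE_KEY_B64}"` reference, and decoding under `umask 077` closes the window in which the file exists with default permissions before `chmod 600`. The Build step restates the literal `${{ github.workspace }}/../private.pem` instead of referencing the job-level variable, so the two paths can drift; `SECURE_BOOT_PKEY: ${{ env.SIGNING_KEY_PATH }}` keeps them tied together. The workflow-level `permissions: contents: write` is then duplicated by the identical job-level block; setting the workflow level to `contents: read` and keeping `write` only on the nightly job follows least privilege and means any job added later starts read-only. Since the checkout now runs with `persist-credentials: false`, the releaser step presumably receives its token through `with:`, which continues outside the hunk — worth confirming.

```yaml
      - name: Validate signing secret
        env:
          PRIVATE_KEY_B64: ${{ secrets.PRIVATE_KEY_B64 }}
        run: |
          test -n "${PRIVATE_KEY_B64}" || {
            echo "PRIVATE_KEY_B64 is required for nightly signed releases." >&2
            exit 1
          }
      # … unchanged: checkout step …
      - name: Restore private key
        env:
          PRIVATE_KEY_B64: ${{ secrets.PRIVATE_KEY_B64 }}
        run: |
          umask 077
          printf '%s' "${PRIVATE_KEY_B64}" | base64 -d > "${SIGNING_KEY_PATH}"
          chmod 600 "${SIGNING_KEY_PATH}"
      # … unchanged: build step env, except the key path below …
          SECURE_BOOT_PKEY: ${{ env.SIGNING_KEY_PATH }}
```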
@@ -45,14 +51,17 @@ jobs:
 test:
 runs-on: ubuntu-latest
 needs: build
+ permissions:
+ contents: read
 strategy:
 matrix:
 suite: ["pkcs11", "pytest", "sc-hsm-pkcs11"]
 steps:
 - name: Checkout repository and submodules
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 submodules: recursive
+ persist-credentials: false
 - name: Retrieve saved image
 uses: actions/download-artifact@v4
 with: