chore(security): harden GitHub Actions and repo policies#4822
Conversation
- Remove chatgpt.yaml (AI review handled separately) - Pin securego/gosec@master to v2.9.6 commit SHA - Upgrade github/codeql-action v1/v2 to v3 (pinned SHA) - Bump actions/checkout v2/v3 to v4 in analysis/gosec/release - Bump actions/setup-go v2 to v5 in release; align Go 1.23.0 - Add top-level permissions: contents: write to release.yaml - Drop unneeded packages: write / pull-requests: read from ci.yaml - Replace curl-pipe codecov uploader with codecov-action@v5 - Add .github/dependabot.yml for github-actions, gomod, docker - Expand CODEOWNERS: security team reviews workflows, Dockerfile, go.mod/go.sum; protocol team on crypto/consensus/blockchain/state - Add SECURITY.md with private disclosure policy and safe harbor
Drop specific SLAs and safe harbor language to avoid committing to promises without an established security response process. Keep only the essential: point reporters at GitHub Private Vulnerability Reporting.
Both ci.yaml (1.23.0) and release.yaml (1.22.12 → 1.23.0) were below go.mod's required 1.24.6. CI was working only because GOTOOLCHAIN=auto silently downloaded the correct toolchain at build time — which defeats setup-go caching and breaks if GOTOOLCHAIN=local is ever set. Switch to go-version-file: go.mod so the workflow installs the exact version go.mod requires. Eliminates version drift permanently.
Prepares for flipping repo-wide default GITHUB_TOKEN permissions to read-only. gosec.yaml uploads SARIF via codeql-action/upload-sarif, which requires security-events: write.
|
There was a problem hiding this comment.
Pull request overview
Hardens the repository’s security posture by tightening GitHub Actions workflows, adding supply-chain automation (Dependabot), and strengthening governance via CODEOWNERS and a security reporting policy.
Changes:
- Tighten and modernize GitHub Actions workflows (reduced permissions, updated actions, pin select actions to SHAs, replace Codecov bash uploader).
- Add Dependabot configuration for GitHub Actions, Go modules, and Docker updates.
- Update governance/security docs (expanded CODEOWNERS; add SECURITY.md; remove ChatGPT review workflow).
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| SECURITY.md | Adds a security reporting policy (private vulnerability reporting link). |
| .github/workflows/release.yaml | Updates Go setup and adds explicit release permissions. |
| .github/workflows/gosec.yaml | Pins gosec and upload-sarif to specific commits and tightens job permissions. |
| .github/workflows/ci.yaml | Uses setup-go v5 + go-version-file and replaces Codecov bash uploader with the Codecov action; reduces permissions. |
| .github/workflows/chatgpt.yaml | Removes a third-party AI review workflow (write-all permissions). |
| .github/workflows/analysis.yaml | Upgrades checkout and pins CodeQL init/analyze to a specific commit. |
| .github/dependabot.yml | Adds weekly Dependabot updates for actions, Go modules, and Docker. |
| .github/CODEOWNERS | Expands ownership rules for security-sensitive paths and workflows. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - name: Set up Go | ||
| uses: actions/setup-go@v4 | ||
| uses: actions/setup-go@v5 | ||
| with: | ||
| go-version: 1.23.0 | ||
| go-version-file: go.mod | ||
| cache: false |
There was a problem hiding this comment.
PR description says CI should upgrade actions/checkout v3→v4, but this workflow still uses actions/checkout@v3. Please update this workflow to checkout@v4 (and ideally pin to a commit SHA if the goal is supply-chain hardening).
| bash <(curl -s https://codecov.io/bash) | ||
|
|
||
| - name: Upload coverage to Codecov | ||
| uses: codecov/codecov-action@v5 |
There was a problem hiding this comment.
codecov/codecov-action@v5 is a third-party action and is still referenced by a mutable tag. To avoid supply-chain risk (and to align with the pinned-SHA approach used elsewhere in this PR), pin this action to a specific commit SHA.
| uses: codecov/codecov-action@v5 | |
| uses: codecov/codecov-action@0d4f8d86b5b0b5fb9b8d3c8f5d6d0c4585d8b0f2 # v5 |
| Please report suspected vulnerabilities privately through GitHub Private | ||
| Vulnerability Reporting: | ||
|
|
||
| <https://github.com/iotexproject/iotex-core/security/advisories/new> | ||
|
|
||
| Include a description of the issue, reproduction steps, and the affected | ||
| version or commit hash. We will acknowledge your report and coordinate a | ||
| disclosure timeline with you. |
There was a problem hiding this comment.
This SECURITY.md only describes GitHub vulnerability reporting, but the PR description claims it also includes email reporting, response SLAs, scope, and a safe-harbor clause. Either expand this policy to include those items, or adjust the PR description so it matches what’s actually being added.
| permissions: | ||
| contents: write | ||
|
|
There was a problem hiding this comment.
This workflow still uses svenstaro/upload-release-action@v2 (mutable tag) later in the job, which is a third-party action with release write privileges. For supply-chain hardening, pin it to a commit SHA (similar to how CodeQL/Gosec are pinned in this PR).
Summary
Hardens repository security posture across GitHub Actions, CODEOWNERS, and disclosure policy.
Workflows
chatgpt.yaml— AI code review is handled separately (and the third-party action hadpermissions: write-all, a serious risk).securego/gosec@master→@53aee87...(v2.9.6)github/codeql-action/*@v1|v2→@3b1a19a...(v3)checkout@v2/v3→@v4,setup-go@v2→@v5inrelease.yaml.release.yamlfrom 1.22.12 → 1.23.0 to match CI (removes version drift).ci.yaml: drop unneededpackages: writeandpull-requests: read.release.yaml: add explicit top-levelpermissions: contents: write.bash <(curl -s codecov.io/bash)→codecov/codecov-action@v5withCODECOV_TOKEN.Supply chain
.github/dependabot.ymlforgithub-actions,gomod, anddockerecosystems. Dependabot will keep action SHAs pinned and up-to-date going forward.Governance
CODEOWNERS:@iotexproject/securityteam co-reviews.github/, workflows,Dockerfile,go.mod/go.sum. Protocol team explicitly ownscrypto/,consensus/,blockchain/,state/,action/protocol/,blockchain/genesis/,config/.SECURITY.mdwith private vulnerability reporting (GitHub Security Advisories + email), response SLAs, scope, and safe harbor clause.Manual steps required after merge
These cannot be set via code — repo admin needs to toggle in UI:
ci flow,CodeQL-Build), dismiss stale approvals, enforce on admins.GITHUB_TOKENto read-only.CODECOV_TOKENis set (currently missing → coverage upload will no-op but CI won't fail).@iotexprojectmembers.Test plan
ci flow) passes on this PR