Skip to content

Pin actions and limit token scope in GitHub CI#2797

Merged
jstone-lucasfilm merged 1 commit intoAcademySoftwareFoundation:mainfrom
jstone-lucasfilm:dev_github_ci
Mar 3, 2026
Merged

Pin actions and limit token scope in GitHub CI#2797
jstone-lucasfilm merged 1 commit intoAcademySoftwareFoundation:mainfrom
jstone-lucasfilm:dev_github_ci

Conversation

@jstone-lucasfilm
Copy link
Member

@jstone-lucasfilm jstone-lucasfilm commented Mar 3, 2026

This changelist improves the security of GitHub CI workflows with two updates:

  • Pin third-party GitHub Actions to specific commit SHAs in both main.yml and release.yml, so that builds always reference exact, immutable versions of each action.
  • Add a top-level permissions: contents: read block to main.yml, restricting the workflow token to read-only access across all jobs.

@jstone-lucasfilm
Pin actions and limit token scope in GitHub CI
36da011 
This changelist improves the security of GitHub CI workflows with two updates:

- Pin third-party GitHub Actions to specific commit SHAs in both main.yml and release.yml, so that builds always reference exact, immutable versions of each action.
- Add a top-level `permissions: contents: read` block to main.yml, restricting the workflow token to read-only access across all jobs.
@jstone-lucasfilm jstone-lucasfilm merged commit 9875175 into AcademySoftwareFoundation:main Mar 3, 2026
33 checks passed
@jstone-lucasfilm jstone-lucasfilm deleted the dev_github_ci branch March 3, 2026 21:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jstone-lucasfilm