Background
PR #13 hardened the parent .github/workflows/act-validation.yml with:
permissions: contents: read
- Pinned
MARKDOWNLINT_CLI2_VERSION and MBAKE_VERSION environment variables
- SHA-256 checksum verification for the
act archive before extraction
The template file template/.github/workflows/act-validation.yml.jinja (rendered into generated projects) still lacks all three protections.
Issues
- No
permissions: declaration — the GITHUB_TOKEN defaults to read/write in generated repositories that have not explicitly restricted it.
- Unpinned tool versions —
markdownlint-cli2 and mbake are not pinned, creating a supply-chain risk for generated projects.
- No checksum verification — the
act archive is piped directly into tar without verifying its SHA-256 digest, allowing a compromised release asset to be executed silently.
Requested changes
- Add a top-level
permissions: contents: read block to template/.github/workflows/act-validation.yml.jinja.
- Introduce
MARKDOWNLINT_CLI2_VERSION and MBAKE_VERSION env vars at job level and use them in the install step.
- Replace the direct pipe to
tar with a download-then-verify-then-extract pattern matching the approach used in .github/workflows/act-validation.yml.
References
Background
PR #13 hardened the parent
.github/workflows/act-validation.ymlwith:permissions: contents: readMARKDOWNLINT_CLI2_VERSIONandMBAKE_VERSIONenvironment variablesactarchive before extractionThe template file
template/.github/workflows/act-validation.yml.jinja(rendered into generated projects) still lacks all three protections.Issues
permissions:declaration — the GITHUB_TOKEN defaults to read/write in generated repositories that have not explicitly restricted it.markdownlint-cli2andmbakeare not pinned, creating a supply-chain risk for generated projects.actarchive is piped directly intotarwithout verifying its SHA-256 digest, allowing a compromised release asset to be executed silently.Requested changes
permissions: contents: readblock totemplate/.github/workflows/act-validation.yml.jinja.MARKDOWNLINT_CLI2_VERSIONandMBAKE_VERSIONenv vars at job level and use them in the install step.tarwith a download-then-verify-then-extract pattern matching the approach used in.github/workflows/act-validation.yml.References