Skip to content

Harden template act-validation workflow: add permissions, pin tool versions, verify act checksum #14

Description

@coderabbitai

Background

PR #13 hardened the parent .github/workflows/act-validation.yml with:

  • permissions: contents: read
  • Pinned MARKDOWNLINT_CLI2_VERSION and MBAKE_VERSION environment variables
  • SHA-256 checksum verification for the act archive before extraction

The template file template/.github/workflows/act-validation.yml.jinja (rendered into generated projects) still lacks all three protections.

Issues

  1. No permissions: declaration — the GITHUB_TOKEN defaults to read/write in generated repositories that have not explicitly restricted it.
  2. Unpinned tool versionsmarkdownlint-cli2 and mbake are not pinned, creating a supply-chain risk for generated projects.
  3. No checksum verification — the act archive is piped directly into tar without verifying its SHA-256 digest, allowing a compromised release asset to be executed silently.

Requested changes

  • Add a top-level permissions: contents: read block to template/.github/workflows/act-validation.yml.jinja.
  • Introduce MARKDOWNLINT_CLI2_VERSION and MBAKE_VERSION env vars at job level and use them in the install step.
  • Replace the direct pipe to tar with a download-then-verify-then-extract pattern matching the approach used in .github/workflows/act-validation.yml.

References

Metadata

Metadata

Assignees

Labels

No labels
No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions