Skip to content

[codex] Harden GitHub Actions permissions#27

Open
jbeckwith-oai wants to merge 1 commit into
mainfrom
codex/harden-github-actions
Open

[codex] Harden GitHub Actions permissions#27
jbeckwith-oai wants to merge 1 commit into
mainfrom
codex/harden-github-actions

Conversation

@jbeckwith-oai

@jbeckwith-oai jbeckwith-oai commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Summary

Harden the GitHub Actions configuration based on the workflow security audit:

  • Set explicit read-only default GITHUB_TOKEN permissions for CI.
  • Remove unnecessary checkout and contents: write from the release-creation dispatcher.
  • Configure Stainless private-module git access through Git's GIT_CONFIG_* environment variables instead of writing credentials to runner home config.
  • Pass branch-derived values through environment variables before shell use.
  • Stop tracing artifact-upload commands and remove verbose curl output that could expose OIDC tokens or signed upload URLs.

Validation

  • actionlint
  • bash -n scripts/utils/upload-artifact.sh
  • YAML parse check for all workflow/composite action files
  • SHA-pin scan for external uses: references
  • git diff --check
  • Fake-token git rewrite probe for the GIT_CONFIG_* URL rewrite

Notes

All external GitHub Actions references remain pinned to full commit SHAs.

@jbeckwith-oai jbeckwith-oai force-pushed the codex/harden-github-actions branch from c3ea699 to 68b6fd4 Compare July 14, 2026 20:56
@jbeckwith-oai jbeckwith-oai marked this pull request as ready for review July 14, 2026 21:02
@jbeckwith-oai jbeckwith-oai requested a review from a team as a code owner July 14, 2026 21:02

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 68b6fd4963

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread scripts/utils/upload-artifact.sh Outdated
@jbeckwith-oai jbeckwith-oai force-pushed the codex/harden-github-actions branch from 68b6fd4 to 582d8e4 Compare July 14, 2026 21:26

@HAYDEN-OAI HAYDEN-OAI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice hardening pass. i checked the workflow trust boundaries, token scopes, stainless git runtime config, action sha pins, and the upload path; the earlier exact-200 issue is fixed at this head. looks good to me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants