
Commit 9875175

Pin actions and limit token scope in GitHub CI (#2797)
This changelist improves the security of GitHub CI workflows with two updates: - Pin third-party GitHub Actions to specific commit SHAs in both main.yml and release.yml, so that builds always reference exact, immutable versions of each action. - Add a top-level `permissions: contents: read` block to main.yml, restricting the workflow token to read-only access across all jobs.
1 parent 68a94a2 commit 9875175

2 files changed

Lines changed: 26 additions & 23 deletions


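--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -8,6 +8,9 @@ on:
 - cron: '30 10 * * *'
 workflow_dispatch:
 
+permissions:
+contents: read
+
 jobs:
 
 build:
@@ -130,7 +133,7 @@ jobs:
 
 steps:
 - name: Sync Repository
-uses: actions/checkout@v4
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 submodules: recursive
 
@@ -180,7 +183,7 @@ jobs:
 
 - name: Install Python ${{ matrix.python }}
 if: matrix.python != 'None'
-uses: actions/setup-python@v5
+uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: ${{ matrix.python }}
 architecture: ${{ matrix.architecture }}
@@ -322,48 +325,48 @@ jobs:
 
 - name: Upload Installed Package
 if: matrix.python != 'None'
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: MaterialX_${{ matrix.name }}
 path: build/installed/
 
 - name: Upload Formatted Source
 if: matrix.clang_format == 'ON'
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: MaterialX_ClangFormat
 path: source
 
 - name: Upload Reference Shaders
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 if: matrix.upload_shaders == 'ON'
 with:
 name: MaterialX_ReferenceShaders
 path: build/bin/reference/
 
 - name: Upload Renders
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 if: matrix.test_render == 'ON'
 with:
 name: Renders_${{ matrix.name }}
 path: build/render/*.png
 
 - name: Upload Resources (MacOS)
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 if: matrix.test_render == 'ON' && runner.os == 'macOS'
 with:
 name: Resources_${{ matrix.name }}
 path: build/bin/resources
 
 - name: Upload Coverage Report
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 if: matrix.coverage_analysis == 'ON'
 with:
 name: MaterialX_Coverage
 path: build/coverage
 
 - name: Upload Perfetto Traces
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 if: matrix.extended_build_perfetto == 'ON' && env.IS_EXTENDED_BUILD == 'true'
 with:
 name: Traces_${{ matrix.name }}
@@ -376,7 +379,7 @@ jobs:
 
 steps:
 - name: Sync Repository
-uses: actions/checkout@v4
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Install Emscripten
 run: |
@@ -388,7 +391,7 @@ jobs:
 echo "EMSDK=$EMSDK" >> $GITHUB_ENV
 
 - name: Install Node
-uses: actions/setup-node@v4
+uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '22.16.0'
 
@@ -420,7 +423,7 @@ jobs:
 single-commit: true
 
 - name: Upload JavaScript Package
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: MaterialX_JavaScript
 path: javascript/build/installed/JavaScript/MaterialX
@@ -434,10 +437,10 @@ jobs:
 
 steps:
 - name: Sync Repository
-uses: actions/checkout@v4
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Install Python
-uses: actions/setup-python@v5
+uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: 3.11
 
@@ -449,7 +452,7 @@ jobs:
 echo "filename=$(ls dist)" >> "$GITHUB_OUTPUT"
 
 - name: Upload SDist
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: MaterialX_Python_SDist
 path: dist/*.tar.gz
@@ -467,25 +470,25 @@ jobs:
 
 steps:
 - name: Sync Repository
-uses: actions/checkout@v4
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Install Python 3.${{ matrix.python-minor }}
-uses: actions/setup-python@v5
+uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: 3.${{ matrix.python-minor }}
 
 - name: Download Sdist
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: MaterialX_Python_SDist
 path: sdist
 
 - name: Install Doxygen (Windows)
-uses: ssciwr/doxygen-install@v1
+uses: ssciwr/doxygen-install@f13be1686235deee0aeb6cdf56640170691dc96b # v1
 if: runner.os == 'Windows'
 
 - name: Build Wheel
-uses: pypa/cibuildwheel@v2.23.2
+uses: pypa/cibuildwheel@6a41245b42fcb325223b8793746f10456ed07436 # v2.23.2
 with:
 package-dir: ${{ github.workspace }}/sdist/${{ needs.sdist.outputs.sdist_filename }}
 env:
@@ -509,7 +512,7 @@ jobs:
 working-directory: python
 
 - name: Upload Wheel
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: MaterialX_Python_Wheel_${{ runner.os }}_3_${{ matrix.python-minor }}
 path: wheelhouse/*.whl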
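Review bot: The new top-level `permissions: contents: read` in the first hunk now binds every job, including the one whose deploy-style option `single-commit: true` is visible at the top of the `@@ -420,7 +423,7` hunk; the step that option belongs to starts outside the hunk, and if it pushes to a pages branch it will likely be rejected unless that job carries its own `permissions: contents: write` override, which should be confirmed. That deploy action also does not appear among the pinned `uses:` lines in this commit, so it may still be referenced by a mutable tag and is worth checking. As a style point, every pin's trailing comment records only the major tag (`# v4`, `# v5`); writing the full release tag the SHA was taken from (e.g. `# v4.<minor>.<patch>`, filled in from the action's release page) lets Dependabot or Renovate keep the comment and the SHA in step when they bump the pin.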

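--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,7 +21,7 @@ jobs:
 
 steps:
 - name: Sync Repository
-uses: actions/checkout@v4
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 submodules: recursive
 
@@ -34,7 +34,7 @@ jobs:
 git archive --prefix ${MATERIALX_ARCHIVE}/ --output ${MATERIALX_ARCHIVE}.tar.gz ${RELEASE_TAG}
 
 - name: Sign and Upload Archives
-uses: sigstore/gh-action-sigstore-python@v3.0.0
+uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0
 with:
 inputs: |
 ${{ env.MATERIALX_ARCHIVE }}.zip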
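Review bot: release.yml receives the SHA pins but not the top-level `permissions:` block the commit adds to main.yml, so its token keeps whatever default scope the repository grants; the workflow header, where an existing `permissions:` would sit, is outside both hunks, so this may already be handled. The `Sign and Upload Archives` step in the second hunk performs Sigstore keyless signing, which needs `id-token: write` on the job, and if it also attaches the signatures to the release it needs `contents: write`, so the least-privilege shape is a top-level `permissions: contents: read` with a job-level override listing only those two scopes. The enclosing job starts outside the hunk.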
