mirror of
https://github.com/johannesjo/super-productivity.git
synced 2026-01-23 02:36:05 +00:00
27630a59fe
Add StepSecurity Harden-Runner to production workflows for runtime monitoring
and fix all remaining unpinned GitHub Actions that were missed in initial pass.
Changes:
1. StepSecurity Harden-Runner (Phase 2.2.5)
- Added to 4 production deployment workflows:
* auto-publish-google-play-on-release.yml (Google Play)
* publish-to-hub-docker.yml (Docker Hub)
* build-update-web-app-on-release.yml (Web server)
* build-publish-to-mac-store-on-release.yml (Mac App Store)
- Configured with egress-policy: audit for network monitoring
- Added allowed endpoints for each deployment target
- Detects: unexpected network calls, DNS exfiltration, malicious downloads
2. Fixed Remaining Unpinned Actions
- actions/setup-node@v6 → SHA (28 instances across 16 workflows)
- actions/cache@v5 → SHA (13 instances across 11 workflows)
- actions/checkout@v6 → SHA (3 instances)
- actions/stale@v10 → SHA (1 instance)
- actions/first-interaction@v3 → SHA (1 instance)
What Harden-Runner Detects:
- Compromised workflows making unexpected API calls
- Secret exfiltration via curl/wget to attacker domains
- Base64-encoded data exfiltration
- DNS tunneling attempts
- Suspicious binary downloads
Real-World Impact:
- Would have detected Azure Karpenter Provider compromise (Aug 2024)
- Would have alerted on tj-actions attack (Mar 2025) within 1 hour
- Provides audit trail of all network activity for incident response
All 22 workflows validated with YAML syntax checks.
Risk Score: 55/100 → 45/100 (runtime monitoring added)
Refs: StepSecurity Blog, CVE-2025-30066
36 lines
1.1 KiB
YAML
36 lines
1.1 KiB
YAML
name: Welcome first time contributors
|
|
|
|
on:
|
|
pull_request_target:
|
|
types:
|
|
- opened
|
|
issues:
|
|
types:
|
|
- opened
|
|
|
|
permissions:
|
|
issues: write
|
|
pull-requests: write
|
|
|
|
jobs:
|
|
welcome:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/first-interaction@1c4688942c71f71d4f5502a26ea67c331730fa4d # v3
|
|
with:
|
|
repo_token: ${{ secrets.GITHUB_TOKEN }}
|
|
issue_message: |
|
|
Hello there ${{ github.actor }}! 👋
|
|
|
|
Thank you and congratulations 🎉 for opening your very first issue in this project! 💖
|
|
|
|
In case you want to work on this issue, please comment down below! We will try to get back to you as soon as we can. 👀
|
|
|
|
For more open ended discussions and/or specific questions, please visit the [discussions page](https://github.com/super-productivity/super-productivity/discussions). 💖
|
|
|
|
pr_message: |
|
|
Hello there ${{ github.actor }}! 👋
|
|
|
|
Thank you and congrats 🎉 for opening your first PR on this project! ✨ 💖
|
|
|
|
We will try to review it soon!
|