Mirrors/super-productivity
1
0
Fork 0
mirror of https://github.com/johannesjo/super-productivity.git synced 2026-01-23 02:36:05 +00:00
Code Issues Projects Releases Wiki Activity
super-productivity/.github/workflows
History
Johannes Millan 27630a59fe security: add Harden-Runner and fix remaining unpinned actions 
Add StepSecurity Harden-Runner to production workflows for runtime monitoring
and fix all remaining unpinned GitHub Actions that were missed in initial pass.

Changes:
1. StepSecurity Harden-Runner (Phase 2.2.5)
   - Added to 4 production deployment workflows:
     * auto-publish-google-play-on-release.yml (Google Play)
     * publish-to-hub-docker.yml (Docker Hub)
     * build-update-web-app-on-release.yml (Web server)
     * build-publish-to-mac-store-on-release.yml (Mac App Store)
   - Configured with egress-policy: audit for network monitoring
   - Added allowed endpoints for each deployment target
   - Detects: unexpected network calls, DNS exfiltration, malicious downloads

2. Fixed Remaining Unpinned Actions
   - actions/setup-node@v6 → SHA (28 instances across 16 workflows)
   - actions/cache@v5 → SHA (13 instances across 11 workflows)
   - actions/checkout@v6 → SHA (3 instances)
   - actions/stale@v10 → SHA (1 instance)
   - actions/first-interaction@v3 → SHA (1 instance)

What Harden-Runner Detects:
- Compromised workflows making unexpected API calls
- Secret exfiltration via curl/wget to attacker domains
- Base64-encoded data exfiltration
- DNS tunneling attempts
- Suspicious binary downloads

Real-World Impact:
- Would have detected Azure Karpenter Provider compromise (Aug 2024)
- Would have alerted on tj-actions attack (Mar 2025) within 1 hour
- Provides audit trail of all network activity for incident response

All 22 workflows validated with YAML syntax checks.

Risk Score: 55/100 → 45/100 (runtime monitoring added)

Refs: StepSecurity Blog, CVE-2025-30066
2026-01-21 14:30:24 +01:00
..
auto-publish-google-play-on-release.yml security: add Harden-Runner and fix remaining unpinned actions 2026-01-21 14:30:24 +01:00
build-android.yml security: add Harden-Runner and fix remaining unpinned actions 2026-01-21 14:30:24 +01:00
build-create-windows-store-on-release.yml security: add Harden-Runner and fix remaining unpinned actions 2026-01-21 14:30:24 +01:00
build-ios.yml security: add Harden-Runner and fix remaining unpinned actions 2026-01-21 14:30:24 +01:00
build-publish-to-aur-on-release.yml security: add Harden-Runner and fix remaining unpinned actions 2026-01-21 14:30:24 +01:00
build-publish-to-mac-store-on-release.yml security: add Harden-Runner and fix remaining unpinned actions 2026-01-21 14:30:24 +01:00
build-publish-to-snap-on-release.yml security: pin all GitHub Actions to commit SHAs (CVE-2025-30066 mitigation) 2026-01-21 14:30:24 +01:00
build-update-web-app-on-release.yml security: add Harden-Runner and fix remaining unpinned actions 2026-01-21 14:30:24 +01:00
build.yml security: add Harden-Runner and fix remaining unpinned actions 2026-01-21 14:30:24 +01:00
claude-code-review.yml security: pin all GitHub Actions to commit SHAs (CVE-2025-30066 mitigation) 2026-01-21 14:30:24 +01:00
claude.yml security: pin all GitHub Actions to commit SHAs (CVE-2025-30066 mitigation) 2026-01-21 14:30:24 +01:00
codeql-analysis.yml security: pin all GitHub Actions to commit SHAs (CVE-2025-30066 mitigation) 2026-01-21 14:30:24 +01:00
dependency-review.yml security: pin all GitHub Actions to commit SHAs (CVE-2025-30066 mitigation) 2026-01-21 14:30:24 +01:00
e2e-scheduled.yml security: add Harden-Runner and fix remaining unpinned actions 2026-01-21 14:30:24 +01:00
issue-open-auto-reply.yml fix(ci): add issues write permission to autoresponse workflow 2026-01-06 13:17:15 +01:00
lighthouse-ci.yml security: add Harden-Runner and fix remaining unpinned actions 2026-01-21 14:30:24 +01:00
lint-and-test-pr.yml security: add Harden-Runner and fix remaining unpinned actions 2026-01-21 14:30:24 +01:00
manual-build.yml security: add Harden-Runner and fix remaining unpinned actions 2026-01-21 14:30:24 +01:00
publish-to-hub-docker.yml security: add Harden-Runner and fix remaining unpinned actions 2026-01-21 14:30:24 +01:00
stale.yml security: add Harden-Runner and fix remaining unpinned actions 2026-01-21 14:30:24 +01:00
test-mac-dmg-build.yml security: add Harden-Runner and fix remaining unpinned actions 2026-01-21 14:30:24 +01:00
welcome-first-time-contributors.yml security: add Harden-Runner and fix remaining unpinned actions 2026-01-21 14:30:24 +01:00
wiki-sync.yml docs(wiki): initial revision (v0.1) 2026-01-20 03:04:08 -08:00