Harden security of GitHub Actions CI/CD #200

Closed
1 task done
brycx opened this issue May 4, 2021 · 7 comments · Fixed by #202 or #232
Labels: investigation (Investigation task), security (Security-related issues or improvements)

Comments
brycx (Member) commented May 4, 2021

Brian Smith has done some pretty interesting investigations into the default security of GitHub Actions at briansmith/untrusted#50 and how to harden these. I'd like for us to re-trace some (if not all) of the steps there and see which can be implemented for our CI/CD.

I was surprised to see that default permissions for GitHub Actions are read+write for a repository. We should be able to change this to read-only without breaking the current CI/CD.

The official GitHub documentation for this: https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions

E.g. setting read-only for an Action:

```yaml
name: action

# Top level of the workflow file: every GITHUB_TOKEN scope not listed
# here is set to none for all jobs.
permissions:
  contents: read
```

TODO:

  • Delete the stored token once the changes are applied and if it's not used anymore
brycx added the security, dependencies and investigation labels and removed the dependencies label on May 4, 2021
vlmutolo (Contributor) commented May 17, 2021

Just recording a tentative todo list here:

  • Make GitHub token read-only
  • Pin actions by their SHA-1 hash (ideal) or by their git version tags
    • Maybe we should fail CI tests if the SHA-1 hash doesn't match that of the latest release
  • Try to remove codecov token entirely
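
The following is an added example, not orion's own workflow and not code posted in this thread, showing how the read-only token from the first comment and the to-do items above fit together in one workflow file: a workflow-level read-only GITHUB_TOKEN, a job that needs a write scope and asks for it explicitly, actions pinned to full commit SHAs, a coverage upload with no token input, and a job that fails if any action reference in the repository is not SHA-pinned. The all-zero SHAs are placeholders, the job names, branch name and `cargo test` invocation are assumptions, and the tokenless codecov upload assumes the uploader supports that for a public repository (check the action's documentation before relying on it).

```yaml
# .github/workflows/ci.yml  (added example, not the project's file)
name: CI

on:
  push:
    branches: [master]   # assumed default branch
  pull_request:

# Workflow-level default for GITHUB_TOKEN. Listing only `contents: read`
# sets every other scope (issues, pull-requests, packages, ...) to none
# for every job unless a job overrides it below.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Pin to a full 40-hex commit SHA, not a mutable tag. The trailing
      # comment records the release the SHA was taken from so reviewers
      # (and Dependabot) can read it. Forty zeros is a placeholder:
      # substitute the commit of the release you actually audited.
      - uses: actions/checkout@0000000000000000000000000000000000000000  # vX.Y.Z (placeholder)
      - run: cargo test --all-features   # assumed test command
      # Coverage upload with no stored secret: no `token:` input and no
      # reference to secrets.CODECOV_TOKEN. Assumes tokenless uploads are
      # supported for this public repository.
      - uses: codecov/codecov-action@0000000000000000000000000000000000000000  # vX.Y.Z (placeholder)

  # Only a job that genuinely needs to write asks for it, scope by scope.
  # The `pull-requests: write` granted here does not extend to `test`.
  # Hypothetical job, included to show the job-level override syntax.
  comment-on-pr:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: echo "a step that posts a PR comment would go here"

  # Enforce the pinning policy itself. Local actions (./path, no '@')
  # are not matched; docker:// references are skipped because they pin
  # by image digest rather than by commit SHA.
  pin-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # vX.Y.Z (placeholder)
      - run: |
          if grep -rnE 'uses:\s*[^ ]+@' .github/workflows/ \
               | grep -v 'docker://' \
               | grep -vE '@[0-9a-f]{40}(\s|$)'; then
            echo "::error::the action references listed above are not pinned to a commit SHA"
            exit 1
          fi
```

The `pin-check` job only rejects references that are not full SHAs; it does not compare them against the latest release, which keeps it from failing on every upstream release and leaves version bumps to a separate process.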

vlmutolo (Contributor) commented

So I'm thinking that it's probably going overboard to fail CI if there's a new release in one of our actions. We only really care if there's a new release when there's a security vulnerability. For Rust dependencies, we rely on cargo-audit, but I'm not sure if there's something similar we can do for our actions.

Thoughts?

@vlmutolo vlmutolo linked a pull request May 17, 2021 that will close this issue
brycx (Member, Author) commented May 27, 2021

Yeah, failing CI seems a bit overboard.

I've found the following docs: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/keeping-your-actions-up-to-date-with-dependabot#enabling-dependabot-version-updates-for-actions

So we should actually be able to easily check for updates to the actions via Dependabot. We simply have to add the additional parameters to the dependabot.yml file. This way we won't fail the CI, but instead receive PRs from Dependabot like with our other dependencies. The way I read the introduction, it should also be able to check for actions pinned by commit hashes.

Seems like a good approach, anything I'm missing?
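
An added example of the dependabot.yml change described above (not the project's own file): the `cargo` entry stands in for whatever orion already has and is an assumption; the `github-actions` entry is the part that enables version updates for actions. Dependabot treats a `uses:` line pinned to a commit SHA the same way as one pinned to a tag, bumping the SHA in its pull request and updating a trailing `# vX.Y.Z` comment if one is present. The `labels` value is assumed to match the repository's existing `dependencies` label.

```yaml
# .github/dependabot.yml  (added example, not the project's file)
version: 2
updates:
  # Existing Rust dependency updates (assumed to be present already).
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"

  # New: version updates for actions referenced from .github/workflows/.
  # The directory is always "/" for this ecosystem; Dependabot looks in
  # .github/workflows itself. SHA-pinned `uses:` lines are bumped to the
  # new release's commit, and a trailing "# vX.Y.Z" comment is updated.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"   # assumed to be the repository's existing label
```

Because the update arrives as a pull request, the SHA it proposes can be checked against the upstream release before merging; CI itself keeps passing on the old pin in the meantime.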

brycx (Member, Author) commented May 27, 2021

Also, nice with the added todo-list, for things that can't really be tracked with commits.

vlmutolo (Contributor) commented

I'll read up on dependabot. Seems like a good solution.

brycx (Member, Author) commented May 28, 2021

> Try to remove codecov token entirely

We'll have to remember to delete the stored token once the changes are applied and it's not used at all anymore.

@brycx brycx added this to the v0.16.1 milestone Jun 15, 2021
brycx (Member, Author) commented Oct 23, 2021

Re-opening due to remaining TODO and PR #232

@brycx brycx reopened this Oct 23, 2021
@brycx brycx linked a pull request Oct 23, 2021 that will close this issue