@DennisDyallo DennisDyallo commented Nov 12, 2025

This PR implements critical and high-priority security findings from the GitHub Actions security audit.

Findings addressed

Security hardening

Pin GitHub Actions by SHA Hash

  • Risk: Compromised builds, credential exfiltration, tampering of release artifacts
  • What was done: Pinned all 68 action references across 12 workflow files to immutable SHA hashes
  • Format: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

All Actions Pinned (9 Official + 5 Third-Party)

Official GitHub Actions:

| Action | Version | SHA Hash |
|---|---|---|
| actions/checkout | v5.0.0 ⬆️ | 08c6903cd8c0fde910a37f88322edcfb5dd907a8 |
| actions/setup-dotnet | v4.3.1 | 67a3573c9a986a3f9c594539f4ab511d57bb3ce9 |
| actions/upload-artifact | v4.6.2 | ea165f8d65b6e75b540449e92b4886f43607fa02 |
| actions/download-artifact | v4.3.0 | d3f86a106a0bac45b974a628896c90dbdf5c8093 |
| actions/attest-build-provenance | v2.4.0 | e8998f949152b193b063cb0ec769d69d929409be |
| actions/create-github-app-token | v1.9.3 | 7bfa3a4717ef143a604ee0a99d859b8886a96d00 |
| github/codeql-action/init | v3.31.2 | 5d5cd550d3e189c569da8f16ea8de2d821c9bf7a |
| github/codeql-action/analyze | v3.31.2 | 5d5cd550d3e189c569da8f16ea8de2d821c9bf7a |
| google-github-actions/auth | v2.1.13 | c200f3691d83b41bf9bbd8638997a462592937ed |

Third-party actions:

| Action | Version | SHA Hash |
|---|---|---|
| anthropics/claude-code-action | v1.0.9 | b6b711c5bc739d4aff5cada3c89016d7a63a60e3 |
| danielpalme/ReportGenerator-GitHub-Action | 5.2.4 | 3e39bd1b454c2bac14560547e4394f9317672705 |
| EnricoMi/publish-unit-test-result-action | v2.16.1 | 30eadd5010312f995f0d3b3cff7fe2984f69409e |
| irongut/CodeCoverageSummary | v1.3.0 | 51cc3a756ddcd398d447c044c02cb6aa83fdae95 |
| marocchino/sticky-pull-request-comment | v2.9.0 | 331f8f5b4215f0445d3c07b4967662a32a2d3e31 |

Remove Clear-Text password storage

  • Risk: GitHub token written to disk in clear text; potential credential exposure
  • What was done: Removed all --store-password-in-clear-text flags from NuGet operations
  • Files affected:
    • .github/workflows/codeql-analysis.yml (lines 66-68)
    • Other workflows now use NUGET_AUTH_TOKEN environment variable exclusively

Disable credential persistence in checkout actions (MEDIUM → COMPLETE)

  • Risk: Repository tokens persist on disk; potential credential exposure
  • What was done: Added persist-credentials: false to all 16 actions/checkout invocations
  • Pattern applied:
    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
      with:
        persist-credentials: false

Security configuration & monitoring

Add GitHub Actions to Dependabot Configuration (MEDIUM → COMPLETE)

  • Risk: Outdated actions may contain security vulnerabilities
  • What was done: Added github-actions ecosystem to .github/dependabot.yml
  • Configuration:
    - package-ecosystem: "github-actions"
      directory: "/"
      schedule:
        interval: "monthly"
        day: "wednesday"
        time: "09:00"
        timezone: "Europe/Stockholm"
      groups:
        github-actions:
          patterns: ["*"]

Remove stale CodeQL configuration

  • Risk: Repository hygiene issue; CodeQL configuration warnings
  • What was done: Removed explicit languages: csharp specification (auto-detected by CodeQL)
  • File: .github/workflows/codeql-analysis.yml

Code quality improvements

Simplify nested if statements

  • Risk: Reduced code readability and increased cognitive load
  • What was done: Simplified nested if statements in KeyConverter.cs
  • File: Yubico.YubiKey/examples/PivSampleCode/Converters/KeyConverter.cs
  • Transformation:
    // Before: Nested ifs
    if (!string.Equals(eccParams.Curve.Oid.Value, OidP256, StringComparison.Ordinal))
    {
        if (!string.Equals(eccParams.Curve.Oid.Value, OidP384, StringComparison.Ordinal))
        {
            return false;
        }
    }
    
    // After: Combined logical operators
    if (!string.Equals(eccParams.Curve.Oid.Value, OidP256, StringComparison.Ordinal) &&
        !string.Equals(eccParams.Curve.Oid.Value, OidP384, StringComparison.Ordinal))
    {
        return false;
    }

Security impact summary

| Finding | Priority | Status | Impact |
|---|---|---|---|
| Pin Actions by SHA | MEDIUM | ✅ Complete | Supply chain protection |
| Remove Clear-Text Passwords | MEDIUM | ✅ Complete | Credential exposure eliminated |
| Disable Credential Persistence | MEDIUM | ✅ Complete | Token leakage prevented |
| Add Dependabot Monitoring | MEDIUM | ✅ Complete | Automated security updates |
| Clean CodeQL Config | INFO | ✅ Complete | Reduced configuration drift |
| Simplify Nested Ifs | LOW | ✅ Complete | Improved readability |
| Enhance CodeQL for Actions | MEDIUM | ✅ Complete | Up to date CodeQL setup |
| Update SCP11 Docs | LOW | ✅ Complete | Added valuable SCP examples |

Files Changed (13 files)

Workflow Files (12):

.github/workflows/build.yml
.github/workflows/build-pull-requests.yml
.github/workflows/build-nativeshims.yml
.github/workflows/codeql-analysis.yml
.github/workflows/claude.yml
.github/workflows/deploy-docs.yml
.github/workflows/test.yml
.github/workflows/test-macos.yml
.github/workflows/test-ubuntu.yml
.github/workflows/test-windows.yml
.github/workflows/upload-docs.yml
.github/workflows/verify-code-style.yml

Configuration Files (1):

.github/dependabot.yml

Source Files (1):

Yubico.YubiKey/examples/PivSampleCode/Converters/KeyConverter.cs

Testing & Validation

Workflow testing:

  • All workflows validated for syntax
  • SHA hashes verified against official repositories via git ls-remote
  • No functional changes to workflow behavior
  • Credential handling patterns verified

Code testing:

  • Code builds without warnings
  • Unit tests pass
  • Code formatting verified

Automated maintenance

Dependabot will now:

  • Monitor all 68 pinned GitHub Actions monthly
  • Automatically create PRs with updated SHA hashes
  • Group all action updates together to reduce PR noise
  • No manual SHA lookup required for future updates

Statistics

  • 12 workflow files hardened
  • 68 action references SHA-pinned (9 official + 5 third-party)
  • 16 checkout actions protected with persist-credentials: false
  • 1 credential leak vector eliminated (CodeQL NuGet config)
  • 1 code quality improvement (KeyConverter.cs)

Enables automated dependency updates for GitHub Actions to ensure
workflows use secure, up-to-date action versions. Updates will be
grouped and checked monthly on Wednesdays at 09:00 Stockholm time.

CodeQL auto-detects languages from the repository. The explicit
languages: csharp specification is no longer needed and was flagged
as stale configuration by CodeQL.

ci: enable CodeQL scanning for GitHub Actions workflows

Adds workflow YAML files to CodeQL analysis triggers to scan for
security issues in GitHub Actions workflows, including hardcoded
secrets, injection vulnerabilities, and other action-specific risks.

Replaces manual dotnet nuget add source with --store-password-in-clear-text
flag with secure actions/setup-dotnet configuration using NUGET_AUTH_TOKEN
environment variable. Credentials are now handled securely without writing
to disk in clear text.

security: remove clear-text password storage in PR build workflow

Removes manual dotnet nuget add source with --store-password-in-clear-text
and configures source-url in setup-dotnet action with secure NUGET_AUTH_TOKEN
environment variable instead.

security: remove clear-text password storage in build workflow

Removes all instances of dotnet nuget add source with --store-password-in-clear-text
flag. Configures source-url in setup-dotnet action with secure NUGET_AUTH_TOKEN
environment variable for both build and publish operations.

Combines nested if conditions into single logical AND expression for
improved readability and reduced cognitive load. Behavior remains
unchanged - validates ECC parameters are either P256 or P384.

Upgraded GitHub Actions to latest verified versions across workflows, ensuring enhanced security and compatibility.
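The three workflow rules the PR applies (every action pinned to a 40-hex commit SHA with a `# vX.Y.Z` comment, `persist-credentials: false` on every `actions/checkout`, no `--store-password-in-clear-text` anywhere) are easy to regress in a later edit. The following lint is an added example, not code from this PR or the Yubico.YubiKey project: it scans workflow text for those three rules and is run here over two constructed workflows, a weak "before" variant and a hardened "after" variant using the setup-dotnet `source-url` + `NUGET_AUTH_TOKEN` pattern the commit messages describe. The SHAs are the ones in the PR table; the feed URL with `OWNER` is a placeholder. Note that a 40-hex check only proves the ref is immutable; whether that SHA really is the named tag is what the PR's `git ls-remote` verification covers, and this script does not go on the network.

```python
import re
from typing import List

# A `uses:` reference counts as pinned only when its ref is a full 40-hex commit SHA
# and the line carries a "# vX.Y.Z" comment naming the release it maps to (the format
# used throughout this PR). Local (./path) and docker:// references are out of scope.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERSIST_FALSE_RE = re.compile(r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*$")
CLEAR_TEXT_FLAG = "--store-password-in-clear-text"


def lint_workflow(text: str, name: str = "workflow.yml") -> List[str]:
    """Return one finding per rule violation; an empty list means the file is clean."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            ref = m.group(1).strip("'\"")
            action, _, version = ref.partition("@")
            # Rule 1: remote actions must be SHA-pinned and carry a version comment.
            if not SHA_RE.match(version):
                findings.append(f"{name}:{i + 1}: {action} uses mutable ref '{version or '(none)'}', not a SHA")
            elif not m.group(2):
                findings.append(f"{name}:{i + 1}: {action} SHA has no '# vX.Y.Z' comment; reviewers cannot tell which release it is")
            # Rule 2: every checkout must disable credential persistence.
            if action == "actions/checkout" and not _step_has_persist_false(lines, i):
                findings.append(f"{name}:{i + 1}: actions/checkout without 'persist-credentials: false'")
        # Rule 3: the NuGet clear-text flag writes the token to disk; it must not appear at all.
        if CLEAR_TEXT_FLAG in line:
            findings.append(f"{name}:{i + 1}: '{CLEAR_TEXT_FLAG}' present; use setup-dotnet source-url with NUGET_AUTH_TOKEN")
    return findings


def _step_has_persist_false(lines: List[str], uses_index: int) -> bool:
    """Scan the rest of the step mapping under a `uses:` line for persist-credentials: false."""
    raw = lines[uses_index]
    indent = len(raw) - len(raw.lstrip())
    # Keys of a "- uses:" step sit two columns deeper than the dash; for a "uses:" line
    # that follows "- name:", the keys sit at the same indent as "uses:" itself.
    key_indent = indent + 2 if raw.lstrip().startswith("- ") else indent
    for line in lines[uses_index + 1:]:
        if not line.strip():
            continue
        if len(line) - len(line.lstrip()) < key_indent:
            break  # dedented past the step: next step or next job-level key
        if PERSIST_FALSE_RE.match(line):
            return True
    return False


# Constructed "before" workflow: tag-pinned actions, persisted credentials, clear-text password.
BEFORE = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up .NET
        uses: actions/setup-dotnet@v4
      - name: Add private feed
        run: dotnet nuget add source https://nuget.pkg.github.com/OWNER/index.json --name github --username ci --password ${{ secrets.GITHUB_TOKEN }} --store-password-in-clear-text
"""

# Constructed "after" workflow: the patterns this PR applies (SHAs from the PR table).
AFTER = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          persist-credentials: false
      - name: Set up .NET
        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9  # v4.3.1
        with:
          source-url: https://nuget.pkg.github.com/OWNER/index.json
        env:
          NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

if __name__ == "__main__":
    for label, text in (("before.yml", BEFORE), ("after.yml", AFTER)):
        result = lint_workflow(text, label)
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  " + f)
```

Running it reports four findings for the "before" workflow (the mutable `v4` refs on checkout and setup-dotnet, the missing `persist-credentials: false`, and the clear-text flag) and none for the "after" workflow. Pointing `lint_workflow` at each file under `.github/workflows/` in CI would catch a Dependabot or hand edit that reintroduces a tag ref or a checkout without the `with:` block.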
@DennisDyallo DennisDyallo changed the title Pin GitHub Actions to SHA Hashes for Supply Chain Security security: Security Audit Remediation: GitHub Actions Hardening Nov 12, 2025
github-actions bot commented Nov 12, 2025

Test Results: Windows

    2 files      2 suites   16s ⏱️
4 027 tests 4 008 ✅ 19 💤 0 ❌
4 029 runs  4 010 ✅ 19 💤 0 ❌

Results for commit e0203d1.


@DennisDyallo DennisDyallo changed the title security: Security Audit Remediation: GitHub Actions Hardening ci: GitHub Actions hardening (Security audit remediation) Nov 12, 2025
github-actions bot commented Nov 12, 2025

Test Results: Ubuntu

    2 files      2 suites   50s ⏱️
4 019 tests 4 000 ✅ 19 💤 0 ❌
4 021 runs  4 002 ✅ 19 💤 0 ❌

Results for commit e0203d1.


github-actions bot commented Nov 12, 2025

Test Results: MacOS

    4 files      4 suites   30s ⏱️
4 001 tests 4 001 ✅ 0 💤 0 ❌
4 003 runs  4 003 ✅ 0 💤 0 ❌

Results for commit e0203d1.


Overrides automatic language detection in CodeQL workflow to analyze only C#. Excludes C/C++ code requiring separate build configurations.
@DennisDyallo DennisDyallo marked this pull request as ready for review November 17, 2025 10:22
@stephan-huckenholz stephan-huckenholz left a comment

LGTM

@github-actions
Code Coverage

| Package | Line Rate | Branch Rate | Complexity |
|---|---|---|---|
| Yubico.Core | 45% | 35% | 4557 |
| Yubico.YubiKey | 51% | 47% | 21111 |
| Summary | 50% (37248 / 74769) | 45% (9080 / 20289) | 25668 |

Minimum allowed line rate is 40%

@DennisDyallo DennisDyallo merged commit 010804d into develop Nov 28, 2025
18 checks passed
@DennisDyallo DennisDyallo deleted the dennisdyallo/fix-audit-issues branch November 28, 2025 15:01