
chore(ci): harden workflows for OpenSSF Scorecard#67

Merged
linusdevx merged 1 commit into dev from chore/scorecard-harden-workflows on Jun 23, 2026

Conversation

@linusdevx

Owner

Targets the two biggest Scorecard penalties on this repo:

  • Token-Permissions (0/10 → 10/10): Adds top-level permissions: contents: read to codeql.yml and e2e-tests.yml. scorecard.yml already had permissions: read-all. CodeQL's per-job permissions block is preserved — it widens the top-level default to grant security-events: write for SARIF upload.

  • Pinned-Dependencies (2/10 → 10/10): Pins every GitHub Action to a full commit SHA, with the version as a trailing comment for human readability.

While pinning, bumps to current stable versions:

| Action | Was | Now |
| --- | --- | --- |
| actions/checkout | v4 | v4.2.2 |
| actions/setup-node | v4 | v4.4.0 |
| actions/upload-artifact | v4 | v4.4.3 |
| github/codeql-action (init/analyze/upload-sarif) | v3 | v3.36.2 |
| ossf/scorecard-action | v2.4.0 | v2.4.3 |

Expected to move the overall score from 6.2 → ~8.x. Remaining low scores (Code-Review, Branch-Protection) require repo settings changes (branch protection rules requiring PR approvals), not file changes.

Verification

  • All three YAML files parse cleanly (python -c 'yaml.safe_load(...)')
  • No behavior changes — same triggers, same job graph, same steps; only uses: refs and a new top-level permissions: block
  • CI will run the e2e + codeql workflows on this PR — if they pass, the pins are good

- Pin all GitHub Actions to commit SHAs (Pinned-Dependencies check)
- Add top-level 'permissions: contents: read' to codeql.yml and
  e2e-tests.yml (Token-Permissions check); scorecard.yml already had
  'permissions: read-all'
- Bump action versions while pinning:
  - actions/checkout v4 -> v4.2.2
  - actions/setup-node v4 -> v4.4.0
  - actions/upload-artifact v4 -> v4.4.3
  - github/codeql-action v3 -> v3.36.2
  - ossf/scorecard-action v2.4.0 -> v2.4.3

CodeQL's per-job 'permissions:' block is preserved — it widens the
top-level default to grant security-events:write for SARIF upload.
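The two Scorecard checks the PR targets, as an added Python check that is not part of this repository: it flags `uses:` refs that are not pinned to a full 40-hex commit SHA (Pinned-Dependencies) and the absence of a column-0 `permissions:` block (Token-Permissions), while treating the indented per-job block as the SARIF-upload widening the description mentions rather than as the top-level default. The workflow snippets, SHAs and version comments are constructed placeholders, not the repository's real files.

```python
import re

# Constructed sample workflows shaped like the PR's before/after; the 40-hex
# SHAs are placeholders, not real commits of those actions.
WEAK_WORKFLOW = """\
jobs:
  analyze:
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
"""

HARDENED_WORKFLOW = """\
permissions:
  contents: read
jobs:
  analyze:
    permissions:
      contents: read
      security-events: write   # per-job widening for SARIF upload
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: github/codeql-action/init@89abcdef0123456789abcdef0123456789abcdef # v3.36.2
"""

# "uses: owner/repo@ref"; the trailing "# vX.Y.Z" comment is ignored by the regex.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def unpinned_uses(text):
    """Return uses: refs whose revision is not a full commit SHA (tags/branches move)."""
    bad = []
    for m in USES_RE.finditer(text):
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # local actions live in the repo itself and have no SHA to pin
        if not FULL_SHA_RE.match(ref.partition("@")[2]):
            bad.append(ref)
    return bad

def has_top_level_permissions(text):
    """True only for a column-0 'permissions:' key; an indented per-job block does not count."""
    return re.search(r"^permissions:", text, re.M) is not None

def scorecard_findings(text):
    findings = [f"Pinned-Dependencies: {r} is not pinned to a commit SHA" for r in unpinned_uses(text)]
    if not has_top_level_permissions(text):
        findings.append("Token-Permissions: no top-level permissions: block")
    return findings
```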
@cloudflare-workers-and-pages

Contributor

Deploying xsltdebugx with Cloudflare Pages

Latest commit: bb49a14
Status: ✅  Deploy successful!
Preview URL: https://58d8e47a.xsltdebugx.pages.dev
Branch Preview URL: https://chore-scorecard-harden-workf.xsltdebugx.pages.dev


@linusdevx linusdevx merged commit 6e36282 into dev Jun 23, 2026
4 checks passed
@linusdevx linusdevx deleted the chore/scorecard-harden-workflows branch June 23, 2026 02:40
linusdevx added a commit that referenced this pull request Jun 23, 2026

* chore(dependabot): target dev, ignore major bumps

After enabling Dependabot, it immediately opened 8 PRs against main —
including several cross-major bumps (vite 6→8, checkout 4→7, etc.) that
need human review and would have skipped the normal dev → main flow.

- target-branch: dev — PRs go through dev like any other change
- ignore semver-major — automated PRs are patch/minor only; majors are
  reviewed by a human when needed
- Security advisories still open PRs regardless of these ignore rules

* fix(editor): handle --!> when stripping XML comment markers

The toggle-comment command stripped --> but not --!>, the rare-but-legal
HTML comment-end-bang form. Browsers (and the HTML spec) treat both as
valid comment terminators; toggling-off a buffer that used the bang form
would leave a stray --!> on the line.

Side benefit: closes CodeQL alert #1 (js/bad-tag-filter) on this line.
The alert was technically a false positive — the regex output is fed
into Monaco's text buffer, never rendered as HTML — but the underlying
incompleteness was real, so it's worth fixing rather than dismissing.

* chore(ci): harden workflows for OpenSSF Scorecard (#67)

- Pin all GitHub Actions to commit SHAs (Pinned-Dependencies check)
- Add top-level 'permissions: contents: read' to codeql.yml and
  e2e-tests.yml (Token-Permissions check); scorecard.yml already had
  'permissions: read-all'
- Bump action versions while pinning:
  - actions/checkout v4 -> v4.2.2
  - actions/setup-node v4 -> v4.4.0
  - actions/upload-artifact v4 -> v4.4.3
  - github/codeql-action v3 -> v3.36.2
  - ossf/scorecard-action v2.4.0 -> v2.4.3

CodeQL's per-job 'permissions:' block is preserved — it widens the
top-level default to grant security-events:write for SARIF upload.
linusdevx added a commit that referenced this pull request Jun 23, 2026
* chore(deps): bump the actions-minor-and-patch group with 2 updates (#69)

Bumps the actions-minor-and-patch group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [actions/upload-artifact](https://github.com/actions/upload-artifact).


Updates `actions/checkout` from 4.2.2 to 4.3.1
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@11bd719...34e1148)

Updates `actions/upload-artifact` from 4.4.3 to 4.6.2
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@b4b15b8...ea165f8)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 4.3.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-and-patch
- dependency-name: actions/upload-artifact
  dependency-version: 4.6.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @playwright/test (#64)

Bumps the dev-minor-and-patch group with 1 update in the / directory: [@playwright/test](https://github.com/microsoft/playwright).


Updates `@playwright/test` from 1.60.0 to 1.61.0
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.60.0...v1.61.0)

---
updated-dependencies:
- dependency-name: "@playwright/test"
  dependency-version: 1.61.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(security): add SRI integrity to CDN-loaded scripts (#70)

Adds sha384 integrity hashes and crossorigin=anonymous to the three
CDN-hosted dependencies in index.html:

- pako@2.1.0 (compression for share URLs)
- lucide@1.14.0 (icon library)
- monaco-editor@0.44.0 loader

Mitigates the supply-chain risk of a tampered CDN response — the browser
refuses to execute any script whose content doesn't match the hash.

Resolves the only real CodeQL alert
(js/functionality-from-untrusted-source) on index.html:51-53.

Maintenance note: each version bump now requires regenerating the hash:
  curl -sL <url> | openssl dgst -sha384 -binary | openssl base64 -A

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
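The SRI mechanism from the chore(security) commit above, as an added Python example that is not the project's code: it produces the same sha384 value as the commit's openssl recipe, emits the hardened script tag with crossorigin=anonymous, and models how a browser evaluates an integrity attribute, including multiple tokens and unknown algorithms. The CDN URL and script body are constructed stand-ins.

```python
import base64
import hashlib

# Browser-supported SRI algorithms in increasing strength; the browser keys
# its decision on the strongest algorithm present in the attribute.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """Same value as the commit's maintenance recipe
    (curl -sL <url> | openssl dgst -sha384 -binary | openssl base64 -A),
    with the algorithm prefix the integrity attribute expects."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def script_tag(src: str, content: bytes) -> str:
    """The hardened tag: integrity plus crossorigin=anonymous, which is what
    lets the browser actually verify a cross-origin CDN response."""
    return (f'<script src="{src}" integrity="{sri_integrity(content)}" '
            'crossorigin="anonymous"></script>')

def integrity_matches(content: bytes, integrity: str) -> bool:
    """Model of the browser's check: tokens with unknown algorithms are
    ignored; among tokens of the strongest known algorithm, any one matching
    digest passes; with no usable token the attribute is treated as absent."""
    tokens = []
    for tok in integrity.split():
        algo, _, rest = tok.partition("-")
        if algo in STRENGTH:
            tokens.append((algo, rest.split("?", 1)[0]))  # '?options' suffix is ignored
    if not tokens:
        return True
    strongest = max(STRENGTH[a] for a, _ in tokens)
    return any(STRENGTH[a] == strongest and sri_integrity(content, a) == f"{a}-{d}"
               for a, d in tokens)

# Constructed stand-in for a CDN-hosted script body (not the real pako/lucide/monaco files).
SAMPLE_SCRIPT = b"window.sample = function () { return 42; };\n"
SAMPLE_TAG = script_tag("https://cdn.example.invalid/sample.min.js", SAMPLE_SCRIPT)
```

A tampered response fails the check even when the attribute also carries weaker tokens, because only the strongest algorithm listed is consulted.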