Skip to content

Harden CI workflow and modernize OTP/runner matrix#15

Merged
lixen-wg2 merged 2 commits into
mainfrom
harden_ci_workflow
Jun 2, 2026
Merged

Harden CI workflow and modernize OTP/runner matrix#15
lixen-wg2 merged 2 commits into
mainfrom
harden_ci_workflow

Conversation

@lixen-wg2

@lixen-wg2 lixen-wg2 commented Jun 2, 2026

Copy link
Copy Markdown

Summary

Hardens .github/workflows/main.yml based on a security scan and modernizes the OTP / runner matrix.

Security changes (address scanner findings)

Finding Resolution
Outdated actions/checkout@v2 Bumped to v6.0.2, SHA-pinned
Critical codecov/codecov-action@v2 (CVE-2022-1681 era) Bumped to v6.0.1, SHA-pinned; file: -> files: input rename
Unpinned mutable tags on all actions Every action now SHA-pinned with a trailing # vX.Y.Z comment

Additional security hardening (not in the report but related):

  • Top-level permissions: contents: read for least-privilege GITHUB_TOKEN.
  • actions/cache@v2 (also deprecated) bumped to v5.0.5, SHA-pinned.
  • actions/setup-go@v4 bumped to v6.4.0, SHA-pinned.
  • erlef/setup-beam@v1 bumped to v1.24.0, SHA-pinned.
  • New .github/dependabot.yml enables weekly github-actions updates so SHA pins don't bit-rot. Dependabot understands the # vX.Y.Z trailing comment convention and updates both the SHA and the comment.

Modernization (unrelated to the scan, requested in the same change)

  • Runner: ubuntu-20.04 -> ubuntu-24.04. GitHub removed the ubuntu-20.04 hosted runner in April 2025, so the workflow would currently fail to schedule.
  • OTP matrix (build job): ['26.0', '25.2.3', '24.1.2', '23.3'] -> ['28', '27', '26']. OTP 23 / 24 / 25 are EOL upstream; the remaining majors are the currently supported ones. Loose version specs now resolve to the latest patch of each major.
  • OTP version (dialyzer job): '26.0' -> '28'. Dropped version-type: 'strict' since it requires an exact patch version.
  • rebar3 bumped to 3.27.0 in both jobs (was 3.20.0 / 3.22.1).

Caveats / things to watch on this PR

  • This PR's CI run is the first time the project is tested on OTP 27 and 28. New compiler warnings or dialyzer findings may surface.
  • If the project still claims to support OTP 23 / 24 / 25 for downstream users, that's no longer covered by CI. I didn't find a documented minimum OTP version in README.md or rebar.config.
  • Codecov upload: codecov-action@v6 works tokenless on public repos. No CODECOV_TOKEN is needed for this repo.

Files changed

  • .github/workflows/main.yml — all of the above
  • .github/dependabot.yml — new, weekly github-actions updates

Co-authored by Augment Code

lixen-wg2 added 2 commits June 2, 2026 09:02
@lixen-wg2
Harden CI workflow and modernize OTP/runner matrix
db7cd82 
Addresses findings from a security scan of .github/workflows/main.yml:

- Pin every GitHub Action to a full commit SHA (with version comment)
  to mitigate mutable-tag supply-chain risk
- Upgrade outdated/vulnerable actions:
  * actions/checkout v2 -> v6.0.2
  * actions/cache v2 -> v5.0.5
  * codecov/codecov-action v2 -> v6.0.1 (was subject to CVE-2022-1681)
  * actions/setup-go v4 -> v6.4.0
  * erlef/setup-beam v1 -> v1.24.0
- Add top-level permissions: contents: read for least-privilege
  GITHUB_TOKEN
- Rename Codecov input file: -> files: (required by codecov-action v4+)
- Add .github/dependabot.yml for weekly github-actions updates so SHA
  pins stay current

Unrelated modernization in the same workflow:

- Switch runner from ubuntu-20.04 (removed from GitHub-hosted runners
  in April 2025) to ubuntu-24.04
- Update OTP matrix to currently supported majors (26, 27, 28); drops
  EOL 23.3, 24.1.2, 25.2.3
- Bump rebar3 to 3.27.0 in both jobs
- Drop version-type: strict on the dialyzer setup-beam step (no longer
  compatible with loose major-only version spec)
@lixen-wg2
Fix dialyzer warnings for unset interval fields
59968ae 
The refresh_interval and idle_interval record fields in #data{} are
declared but never assigned, so they default to undefined. Allow
undefined in the type spec to match the runtime reality, consistent
with other optional fields in the same records.
@lixen-wg2 lixen-wg2 merged commit 5dd198d into main Jun 2, 2026
1 of 4 checks passed
@lixen-wg2 lixen-wg2 deleted the harden_ci_workflow branch June 2, 2026 13:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wmnsk wmnsk wmnsk approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lixen-wg2 @wmnsk