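--- a/.github/workflows/auto-project.yml
+++ b/.github/workflows/auto-project.yml
@@ -4,6 +4,9 @@ on:
 issues:
 types: [opened]
 
+permissions:
+contents: read
+
 jobs:
 add-to-project:
 uses: RequestNetwork/.github/.github/workflows/add-to-project.yml@main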
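Review bot: The new top-level `permissions: contents: read` also caps the GITHUB_TOKEN passed to the called reusable workflow, because a called workflow can keep or reduce the caller's token permissions but never raise them. If `add-to-project.yml` acts through GITHUB_TOKEN it now runs with no `issues` scope, and the same applies to `reopen-issue-if-prs-open.yml`, where reopening an issue would need `issues: write`. Neither called workflow is visible here, so both should be confirmed against a test issue. Both `uses:` lines also still reference `@main` while every third-party action in this change is pinned to a commit SHA; pinning the reusable workflows the same way would make the hardening consistent.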
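--- a/.github/workflows/auto_assign_pr.yml
+++ b/.github/workflows/auto_assign_pr.yml
@@ -12,4 +12,8 @@ jobs:
 add-reviews:
 runs-on: ubuntu-latest
 steps:
-- uses: kentaro-m/auto-assign-action@v1.2.0
+- name: Harden Runner
+uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2
+with:
+egress-policy: audit
+- uses: kentaro-m/auto-assign-action@50ee9a1818bde2eb93a948448994a9d414457e3a # v1.2.0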
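Review bot: `egress-policy: audit` on the Harden Runner step only records outbound connections and blocks none, so as written this adds visibility but no enforcement. The same setting is used in security-echidna.yml, security-slither.yml and all three jobs of tron-smart-contracts.yml. Once the audit runs have produced a baseline, the step should move to `egress-policy: block` with an `allowed-endpoints` list. Until then a comment such as `# audit only: switch to block + allowed-endpoints once the baseline is reviewed` would keep the follow-up visible. The trigger and any `permissions:` block of this workflow lie above the hunk, so whether this file needs the same token scoping as the others cannot be seen here.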
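--- a/.github/workflows/pr-comments.yml
+++ b/.github/workflows/pr-comments.yml
@@ -4,6 +4,10 @@ on:
 pull_request_target:
 types: [opened, ready_for_review, closed]
 
+permissions:
+contents: read
+pull-requests: write
+
 jobs:
 pr-comments:
 name: PR Comments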
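Review bot: With `pull_request_target` the job runs in the base repository's context, so the `pull-requests: write` token granted here is also available for pull requests opened from forks. The scoping itself is sound, but the body of `pr-comments` lies outside the hunk. It should be confirmed that the job never checks out or executes the pull request's head code and does not interpolate PR-controlled fields into `run:` scripts. Declaring the block under `pr-comments:` rather than at workflow level would keep the write scope from being inherited by jobs added later. A comment such as `# pull_request_target: never check out or run PR head code here` would document the constraint.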
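--- a/.github/workflows/reopen-issue-if-prs-open.yml
+++ b/.github/workflows/reopen-issue-if-prs-open.yml
@@ -4,6 +4,9 @@ on:
 issues:
 types: [closed]
 
+permissions:
+contents: read
+
 jobs:
 reopen-if-needed:
 uses: RequestNetwork/.github/.github/workflows/reopen-issue-if-prs-open.yml@main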
17 changes: 11 additions & 6 deletions .github/workflows/security-echidna.yml
Expand Up @@ -26,6 +26,7 @@ on:
permissions:
contents: read
pull-requests: write
issues: write

jobs:
echidna-fuzzing:
Expand All @@ -34,13 +35,17 @@ jobs:
timeout-minutes: 90

steps:
- name: Harden Runner
uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0

- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
Comment thread
rodrigopavezi marked this conversation as resolved.
with:
node-version: '22'
cache: 'yarn'
Expand Down Expand Up @@ -82,7 +87,7 @@ jobs:
echidna --version

- name: Restore corpus cache
uses: actions/cache@v4
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: packages/smart-contracts/corpus
key: echidna-corpus-${{ github.ref_name }}-${{ github.sha }}
Expand Down Expand Up @@ -175,7 +180,7 @@ jobs:

- name: Upload Echidna reports
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: echidna-reports-${{ steps.mode.outputs.MODE }}
path: |
Expand All @@ -185,7 +190,7 @@ jobs:

- name: Comment on PR
if: github.event_name == 'pull_request' && always()
uses: actions/github-script@v7
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
Comment thread
rodrigopavezi marked this conversation as resolved.
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
Expand Down Expand Up @@ -257,7 +262,7 @@ jobs:

- name: Create issue for nightly failures
if: github.event_name == 'schedule' && steps.echidna.outcome == 'failure'
uses: actions/github-script@v7
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
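Review bot: `issues: write` is added to the workflow-level `permissions`, so every step of `echidna-fuzzing`, including the ones that install dependencies and run the fuzzer, holds a token that can write issues, although only `Create issue for nightly failures` appears to need it. Moving issue creation into a follow-up job with `needs: echidna-fuzzing` and its own `permissions:` containing `issues: write` would leave the fuzzing job at `contents: read` plus `pull-requests: write`. The pinned `uses:` lines here and in security-slither.yml and tron-smart-contracts.yml carry comments such as `# v4` that name only the moving major tag; recording the exact release each SHA was taken from would let a reviewer verify the pin. Most of the job lies outside the visible hunks.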
16 changes: 10 additions & 6 deletions .github/workflows/security-slither.yml
Expand Up @@ -21,13 +21,17 @@ jobs:
runs-on: ubuntu-latest

steps:
- name: Harden Runner
uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0

- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
Comment thread
rodrigopavezi marked this conversation as resolved.
with:
node-version: '22'
cache: 'yarn'
Expand All @@ -48,7 +52,7 @@ jobs:
yarn build:sol

- name: Setup Python
uses: actions/setup-python@v5
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: '3.11'
cache: 'pip'
Expand Down Expand Up @@ -90,14 +94,14 @@ jobs:

- name: Upload SARIF to GitHub Security
if: always() && hashFiles('packages/smart-contracts/reports/security/slither.sarif') != ''
uses: github/codeql-action/upload-sarif@v4
uses: github/codeql-action/upload-sarif@5e316336eb4f107009e477d4bfbfff13d7250fae # v4
Comment thread
rodrigopavezi marked this conversation as resolved.
Outdated
with:
sarif_file: packages/smart-contracts/reports/security/slither.sarif
category: slither

- name: Upload Slither reports
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: slither-reports
path: packages/smart-contracts/reports/security/
Expand Down Expand Up @@ -132,7 +136,7 @@ jobs:

- name: Comment on PR
if: github.event_name == 'pull_request' && always()
uses: actions/github-script@v7
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
48 changes: 39 additions & 9 deletions .github/workflows/tron-smart-contracts.yml
Expand Up @@ -32,26 +32,38 @@ on:
- 'packages/currency/src/chains/tron/**'
workflow_dispatch:

permissions:
contents: read

jobs:
tron-compile-check:
name: Tron Contract Compilation Check
runs-on: ubuntu-latest

steps:
- name: Harden Runner
uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: '22'
cache: 'yarn'

- name: Install TronBox globally
run: npm install -g tronbox
Comment thread
rodrigopavezi marked this conversation as resolved.
Outdated

- name: Setup Socket.dev
uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
with:
mode: firewall-free

- name: Install dependencies
run: yarn install --frozen-lockfile
run: sfw yarn install --frozen-lockfile

- name: Compile Tron contracts
working-directory: packages/smart-contracts
Expand Down Expand Up @@ -134,17 +146,26 @@ jobs:
runs-on: ubuntu-latest

steps:
- name: Harden Runner
uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: '22'
cache: 'yarn'

- name: Setup Socket.dev
uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
with:
mode: firewall-free

- name: Install dependencies
run: yarn install --frozen-lockfile
run: sfw yarn install --frozen-lockfile

- name: Build dependencies
run: |
Expand All @@ -163,17 +184,26 @@ jobs:
runs-on: ubuntu-latest

steps:
- name: Harden Runner
uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: '22'
cache: 'yarn'

- name: Setup Socket.dev
uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
with:
mode: firewall-free

- name: Install dependencies
run: yarn install --frozen-lockfile
run: sfw yarn install --frozen-lockfile

- name: Build smart-contracts package
run: |
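Review bot: In `tron-compile-check` the `npm install -g tronbox` step still runs before `Setup Socket.dev` and without the `sfw` wrapper, so the one install that pulls an unversioned package straight from the registry is not covered by the firewall this change adds for `yarn install`. Moving the Socket step above it and changing the line to `run: sfw npm install -g tronbox@<PINNED_VERSION>` would close that gap; the version is a placeholder, and this assumes `sfw` wraps npm the same way it wraps yarn. The other two jobs in this file show no global install in the visible hunks.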