
[Task]: Make github actions more secure

Open KevinMind opened this issue 1 year ago • 1 comments

Description

Based on a great analysis, there are a few recommendations we should consider for our repository(ies).

Acceptance Criteria

### Milestones/checkpoints
- [ ] verify dependabot from event.<event>.user instead of event.actor
- [ ] add ossf scorecard scanning tool for our repos to detect unsafe workflows
- [ ] analyze our supply chain and ensure we are only using highly trusted sources (most is our own code and Mozilla limits what we can use already, but it doesn't hurt)
- [ ] Drop default permissions globally and only request appropriate permissions where needed

Checks

  • [x] If I have identified that the work is specific to a repository, I have removed "repository:addons-server" or "repository:addons-frontend"


KevinMind avatar Jan 29 '25 08:01 KevinMind

(might want to move this to a better epic later)

diox avatar Feb 18 '25 14:02 diox

I'd also recommend checking out Zizmor

bkochendorfer avatar Apr 25 '25 21:04 bkochendorfer

We also added guidance regarding Docker image security.

fkiriakos07 avatar Apr 28 '25 08:04 fkiriakos07

We should consider adding sanitization to inputs. Generally speaking I don't think we ever expect inputs to be anything other than static strings so we could sanitize everything.

Though I'm not sure to what extent Actions already does this.

KevinMind avatar Apr 28 '25 14:04 KevinMind
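As an added illustration (not a workflow from the addons repositories), the following example applies three of the points raised in this thread: the checklist items on dropping default permissions and identifying Dependabot from the event payload rather than `github.actor`, and the later comment about treating workflow inputs as untrusted. Job ids, the script path and the commands are placeholders.

```yaml
# Added example, not from the addons-server or addons-frontend workflows.
name: ci

on:
  pull_request:

# Drop the default GITHUB_TOKEN permissions for every job; each job
# requests only the scopes it actually needs.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/run-tests.sh   # placeholder script path

  dependabot-automerge:
    runs-on: ubuntu-latest
    needs: test
    # Gate on the PR author from the event payload, not on github.actor:
    # the actor is whoever triggered this run (e.g. someone re-running the
    # workflow), while pull_request.user records who opened the PR.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    permissions:
      contents: write
      pull-requests: write
    steps:
      - run: gh pr merge --auto --squash "$PR_URL"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}

  report:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: read
    steps:
      # Untrusted values such as the PR title are passed through an
      # environment variable, so they are never interpolated into the
      # script text the shell parses.
      # Unsafe form: run: echo "${{ github.event.pull_request.title }}"
      - run: echo "PR title: $PR_TITLE"
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
```

For runs that Dependabot itself triggers, GitHub restricts GITHUB_TOKEN on pull_request events to read-only regardless of the permissions requested, so the auto-merge job above would need a different trigger in practice.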