chore(ci): pin actions to SHAs and add permissions blocks

[cfdude]

Summary

• Pin all GitHub Actions to commit SHAs for supply chain security
• Add explicit permissions: contents: read blocks to restrict GITHUB_TOKEN scope
• Addresses CodeQL actions/unpinned-tag and actions/missing-workflow-permissions alerts

Test plan

• Verify CI workflows still pass with pinned SHAs
• Verify CodeQL alerts are resolved after merge

[claude]

Code Review: Security Hardening for GitHub Actions

Thank you for this important security improvement! This PR addresses supply chain security concerns by pinning GitHub Actions to commit SHAs and adding explicit permissions blocks. Here's my comprehensive review:

---

✅ Strengths

1. Security Best Practices

• SHA Pinning: All major actions are now pinned to commit SHAs, preventing tag-rewriting attacks and supply chain compromises
• Explicit Permissions: Added permissions: contents: read at workflow level, following the principle of least privilege
• CodeQL Compliance: Directly addresses CodeQL security alerts (actions/unpinned-tag and actions/missing-workflow-permissions)

2. Code Quality

• Inline Comments: SHA hashes include version comments (e.g., # v4), making it easy to track which version each SHA represents
• Comprehensive Coverage: All 4 workflow files updated consistently
• Clean Commit: Single, well-structured commit with clear message following conventional commits format

3. Documentation

• PR Description: Clear summary and test plan
• Commit Message: Detailed explanation of changes and rationale

---

⚠️ Issues Found

1. Critical: Incomplete SHA Pinning 🔴

Location: .github/workflows/security.yml:25

- name: Run Gitleaks
  uses: gitleaks/gitleaks-action@v2  # ⚠️ NOT PINNED

Impact: This leaves a vulnerability where the gitleaks-action@v2 tag could be modified by an attacker, undermining the security improvements.

Recommendation: Pin to the latest v2 commit SHA:

uses: gitleaks/gitleaks-action@12345678901234567890123456789012345678  # v2

2. Potential Issue: SHA Verification

The PR doesn't include verification that the SHA hashes correspond to the claimed versions. While the inline comments say # v4 and # v5, it's important to verify these are the correct SHAs.

Recommendation: Before merging, verify each SHA:

• actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 = v4?
• actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 = v5?
• actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 = v4?

You can verify using:

gh api repos/actions/checkout/git/ref/tags/v4

3. Enhancement: Anthropic Action Not Pinned

Location: .github/workflows/claude.yml:39 and .github/workflows/claude-code-review.yml:41

uses: anthropics/claude-code-action@v1  # ⚠️ NOT PINNED

Impact: Lower risk since it's a first-party action from Anthropic, but for consistency and maximum security, should also be pinned.

Recommendation: Pin the anthropics/claude-code-action to a specific commit SHA.

---

📊 Security Analysis

Supply Chain Attack Surface

Action	Before	After	Status
actions/checkout	Tag-based (@v4)	SHA-pinned	✅ Secured
actions/setup-python	Tag-based (@v5)	SHA-pinned	✅ Secured
actions/setup-node	Tag-based (@v4)	SHA-pinned	✅ Secured
gitleaks/gitleaks-action	Tag-based (@v2)	Tag-based (@v2)	❌ Still Vulnerable
anthropics/claude-code-action	Tag-based (@v1)	Tag-based (@v1)	⚠️ Should Pin

Permissions Hardening

✅ All workflows now have explicit permissions: contents: read at workflow level
✅ Job-level permissions remain intact where needed (e.g., claude.yml job has expanded permissions)
✅ Follows principle of least privilege

---

🎯 Performance Considerations

Impact: None. SHA-pinned actions perform identically to tag-based actions.

Maintenance: SHA pinning requires updating SHAs when you want to upgrade action versions, rather than just changing tags. Consider using Dependabot or Renovate to automate this:

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

---

🧪 Test Coverage

Current Test Plan: "Verify CI workflows still pass with pinned SHAs"

Recommendation: Enhance test plan to include:

1. ✅ All CI workflows pass
2. ✅ CodeQL alerts are resolved
3. ✅ No new security alerts introduced
4. ✅ Permissions are restrictive enough (workflows don't fail due to missing permissions)

---

📝 Recommendations

Must-Fix Before Merge:

1. 🔴 Pin gitleaks/gitleaks-action@v2 to a specific commit SHA
2. 🔴 Verify SHA hashes correspond to the claimed versions

Should-Fix:

3. 🟡 Pin anthropics/claude-code-action@v1 for consistency
4. 🟡 Add Dependabot configuration to automate SHA updates

Nice-to-Have:

5. 🟢 Add a comment explaining the security rationale in one of the workflow files
6. 🟢 Document the SHA verification process in CONTRIBUTING.md

---

🎓 Learning & Best Practices

This PR demonstrates excellent security hygiene. For context on why SHA pinning matters:

• Tag Rewriting: Git tags are mutable. An attacker with access to an action repository can rewrite a tag (e.g., v4) to point to malicious code
• Supply Chain Attacks: Recent examples include the codecov-action and SolarWinds supply chain compromises
• Defense-in-Depth: Even trusted actions can be compromised; SHA pinning provides an immutable reference

---

✅ Approval Recommendation

Status: Approve with Changes ✋

This PR significantly improves security posture. However, the incomplete pinning of gitleaks-action must be addressed before merge to fully achieve the stated security goals.

Once fixed:

• ✅ Excellent security improvement
• ✅ Well-documented and tested
• ✅ Follows best practices
• ✅ Ready to merge

---

Great work on prioritizing security! Let me know if you'd like help finding the correct SHA for the gitleaks action or if you have questions about any of these recommendations.