From d89222a333638b450cc9bf9b0d9516c4f6453b42 Mon Sep 17 00:00:00 2001
From: Eric Fornaciari
Date: Fri, 20 Feb 2026 10:13:16 -0800
Subject: [PATCH] fix(security): resolve CodeQL workflow alerts
- Add explicit permissions blocks to all workflows (missing-workflow-permissions)
- Pin free-disk-space action to commit SHA (unpinned-tag)
- Pin tool-versions-to-env-action to commit SHA (unpinned-tag)
- Replace dynamic secret lookup with fixed E2E_TEST_SECRETS_OVERRIDE (excessive-secrets-exposure)
Resolves CodeQL alerts: missing-workflow-permissions, unpinned-tag, excessive-secrets-exposure.
Note: code-injection alert in .github/actions/setup-go/ not modified (workflow-only scope).
---
 .github/workflows/contract-release.yml | 3 +++
 .github/workflows/dependency-updates.yml | 6 +++++-
 .github/workflows/e2e_custom_cl.yml | 6 ++++++
 .github/workflows/e2e_testnet_daily.yml | 11 +++++++++--
 .github/workflows/gauntlet.yml | 6 +++++-
 .github/workflows/integration-tests-publish.yml | 4 ++++
 .github/workflows/lint-gh-workflows.yml | 4 ++++
 .github/workflows/monitoring.yml | 3 +++
 .github/workflows/nix-packages-test.yml | 3 +++
 .github/workflows/open-pr.yml | 5 +++++
 .github/workflows/relay.yml | 4 ++++
 .github/workflows/rust.yml | 10 +++++++---
 .github/workflows/soak.yml | 11 +++++++++--
 .github/workflows/sonar-scan.yml | 6 +++++-
 .github/workflows/upstream-tracker.yml | 4 ++++
 15 files changed, 76 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/contract-release.yml b/.github/workflows/contract-release.yml
index be3ca4d7b..0ac87d563 100644
--- a/.github/workflows/contract-release.yml
+++ b/.github/workflows/contract-release.yml
@@ -5,6 +5,9 @@ on: - "v[0-9]+.[0-9]+.[0-9]+" # Push events to matching v*, i.e. v1.0, v20.15.10 - "v[0-9]+.[0-9]+.[0-9]+-rc*" # Push events to matching v*, i.e. v1.0-rc1, v20.15.10-rc5 +permissions: + contents: write + defaults: run: working-directory: ./contracts
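Review bot: The new workflow-level `permissions: contents: write` in contract-release.yml is granted to every job in the workflow, not just the one that publishes the release, so any job that only builds or tests now runs with a token able to push to the repository. Prefer the least-privilege shape: set the top-level block to `permissions:` / `  contents: read` and put `contents: write` on the releasing job alone, since a job-level `permissions:` block replaces the workflow-level one for that job. The jobs themselves are outside this hunk, so which job actually needs write access cannot be confirmed here.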
diff --git a/.github/workflows/dependency-updates.yml b/.github/workflows/dependency-updates.yml
index 4f3d2a165..abbc86be2 100644
--- a/.github/workflows/dependency-updates.yml
+++ b/.github/workflows/dependency-updates.yml
@@ -3,7 +3,11 @@ on: workflow_dispatch: schedule: - cron: '0 0 * * *' # check every day at midnight UTC - + +permissions: + contents: read + pull-requests: write + jobs: E2E-Solana-Image: uses: ./.github/workflows/open-pr.yml
diff --git a/.github/workflows/e2e_custom_cl.yml b/.github/workflows/e2e_custom_cl.yml
index fe275ad5d..ebd64bed1 100644
--- a/.github/workflows/e2e_custom_cl.yml
+++ b/.github/workflows/e2e_custom_cl.yml
@@ -13,6 +13,12 @@ on: required: true type: string +permissions: + contents: read + id-token: write + checks: write + pull-requests: write + env: CL_ECR: ${{ secrets.QA_AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ secrets.QA_AWS_REGION }}.amazonaws.com/chainlink CONTRACT_ARTIFACTS_PATH: contracts/target/deploy
diff --git a/.github/workflows/e2e_testnet_daily.yml b/.github/workflows/e2e_testnet_daily.yml
index 016f1eeea..392947488 100644
--- a/.github/workflows/e2e_testnet_daily.yml
+++ b/.github/workflows/e2e_testnet_daily.yml
@@ -8,7 +8,7 @@ on: default: develop type: string test_secrets_override_key: - description: 'Key to run tests with custom test secrets like ws url, rpc url, private key, etc.' + description: 'Set to "1" or any value to use custom test secrets from E2E_TEST_SECRETS_OVERRIDE (avoids exposing all secrets)' required: false type: string team:
@@ -17,6 +17,13 @@ on: type: string schedule: - cron: '0 6 * * *' + +permissions: + contents: read + id-token: write + checks: write + pull-requests: write + # Only run 1 of this workflow at a time per PR env: CL_ECR: ${{ secrets.QA_AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ secrets.QA_AWS_REGION }}.amazonaws.com/chainlink
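Review bot: The new `permissions: contents: read` / `pull-requests: write` in dependency-updates.yml caps the token that its `E2E-Solana-Image` job passes to the reusable `./.github/workflows/open-pr.yml`, and a called workflow can only downgrade the caller's permissions, never raise them. The same commit gives open-pr.yml `contents: write` and `id-token: write`, and its job is named `create-commits-and-pr`, which suggests it pushes commits with the workflow token; if so, this caller's `contents: read` (and the absent `id-token: write`) will block that. Whether the push uses `GITHUB_TOKEN` or a separately supplied token is not visible in this hunk, so check before changing; if the caller must grant it, the added line becomes `contents: write`. Any other caller of open-pr.yml needs the same review.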
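Review bot: In e2e_testnet_daily.yml the `test_secrets_override_key` input keeps its `_key` name and `type: string` while the new description says any value enables the override, so a caller that still passes a secret name has that name silently ignored and `E2E_TEST_SECRETS_OVERRIDE` used instead. Since the value no longer selects anything, state that explicitly, e.g. `description: 'Any non-empty value enables the E2E_TEST_SECRETS_OVERRIDE secret as test secrets; the value itself is not used'`. A `type: boolean` input would express the intent better but changes a dispatch interface existing callers may rely on, so that is a separate decision. soak.yml's `@@ -6,7` hunk changes the same description and should get the same wording.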
@@ -150,7 +157,7 @@ jobs: test_command_to_run: cd ./integration-tests && go test -count=1 -run TestSolanaOCRV2Smoke/embedded $(args) ./smoke 2>&1 | tee /tmp/gotest.log test_download_vendor_packages_command: cd ./integration-tests && go mod download test_config_override_base64: ${{ env.BASE64_CONFIG_OVERRIDE }} - test_secrets_override_base64: ${{ secrets[inputs.test_secrets_override_key] }} + test_secrets_override_base64: ${{ inputs.test_secrets_override_key != '' && secrets.E2E_TEST_SECRETS_OVERRIDE || '' }} download_contract_artifacts_path: ${{ env.CONTRACT_ARTIFACTS_PATH }} go_mod_path: ./integration-tests/go.mod cl_repo: ${{ env.CL_ECR }}
diff --git a/.github/workflows/gauntlet.yml b/.github/workflows/gauntlet.yml
index d87bd2da7..14d0835e1 100644
--- a/.github/workflows/gauntlet.yml
+++ b/.github/workflows/gauntlet.yml
@@ -6,6 +6,10 @@ on: branches: - develop +permissions: + contents: read + actions: read + jobs: tool_versions: name: Get the tool versions
@@ -14,7 +18,7 @@ jobs: nodejs_version: ${{ steps.tool-versions.outputs.nodejs_version }} steps: - uses: actions/checkout@v4 - - uses: smartcontractkit/tool-versions-to-env-action@v1.0.8 + - uses: smartcontractkit/tool-versions-to-env-action@aabd5efbaf28005284e846c5cf3a02f2cba2f4c2 # v1.0.8 id: tool-versions gauntlet_build:
diff --git a/.github/workflows/integration-tests-publish.yml b/.github/workflows/integration-tests-publish.yml
index 556488800..3df6ad648 100644
--- a/.github/workflows/integration-tests-publish.yml
+++ b/.github/workflows/integration-tests-publish.yml
@@ -7,6 +7,10 @@ on: - develop workflow_dispatch: +permissions: + contents: read + id-token: write + env: ECR_TAG: ${{ secrets.QA_AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ secrets.QA_AWS_REGION }}.amazonaws.com/chainlink-solana-tests:develop CONTRACT_ARTIFACTS_PATH: contracts/target/deploy
diff --git a/.github/workflows/lint-gh-workflows.yml b/.github/workflows/lint-gh-workflows.yml
index f8be3f998..b03fe7860 100644
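Review bot: `${{ inputs.test_secrets_override_key != '' && secrets.E2E_TEST_SECRETS_OVERRIDE || '' }}` in e2e_testnet_daily.yml yields an empty string when `E2E_TEST_SECRETS_OVERRIDE` is not configured in the repository or environment, so a run that explicitly asked for the override proceeds against the default secrets with no error. This job hands `with:` inputs to a reusable workflow, so the check cannot be a step in it; a small preceding job that fails when the input is set but the secret is empty, listed in this job's `needs`, would surface the misconfiguration instead of hiding it. The same expression appears in soak.yml's `@@ -97,7` hunk and warrants the same guard.
```yaml
  check-secrets-override:
    runs-on: ubuntu-latest
    steps:
      - name: Fail if override was requested but E2E_TEST_SECRETS_OVERRIDE is empty
        env:
          REQUESTED: ${{ inputs.test_secrets_override_key }}
          OVERRIDE: ${{ secrets.E2E_TEST_SECRETS_OVERRIDE }}
        run: |
          if [ -n "$REQUESTED" ] && [ -z "$OVERRIDE" ]; then
            echo "::error::test_secrets_override_key is set but E2E_TEST_SECRETS_OVERRIDE is not configured"
            exit 1
          fi
  # … unchanged: the existing test job, with check-secrets-override added to its needs …
```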
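Review bot: The pin `smartcontractkit/tool-versions-to-env-action@aabd5efbaf28005284e846c5cf3a02f2cba2f4c2 # v1.0.8` in gauntlet.yml is only as good as the SHA-to-tag mapping in the comment, which nothing in the workflow verifies; confirm the commit is what the `v1.0.8` tag resolves to before merging, and if Dependabot or Renovate is used, make sure it is set to refresh the comment together with the SHA so the two do not drift. In the same hunk `actions/checkout@v4` stays tag-pinned; if the policy is SHA pinning for third-party actions only, a one-line comment next to the first pin stating that scope, e.g. `# third-party actions are pinned to commit SHAs; actions/* may use major tags`, would save the next reviewer from asking. sonar-scan.yml's `@@ -35,7` hunk pins the same action and shares this note.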
--- a/.github/workflows/lint-gh-workflows.yml
+++ b/.github/workflows/lint-gh-workflows.yml
@@ -1,6 +1,10 @@ name: Lint GH Workflows on: pull_request: + +permissions: + contents: read + jobs: lint_workflows: name: Validate Github Action Workflows
diff --git a/.github/workflows/monitoring.yml b/.github/workflows/monitoring.yml
index 892dc76e3..5c5a91580 100644
--- a/.github/workflows/monitoring.yml
+++ b/.github/workflows/monitoring.yml
@@ -6,6 +6,9 @@ on: branches: - develop +permissions: + contents: read + jobs: build-container: runs-on: ubuntu-latest
diff --git a/.github/workflows/nix-packages-test.yml b/.github/workflows/nix-packages-test.yml
index 1e443133a..418a87129 100644
--- a/.github/workflows/nix-packages-test.yml
+++ b/.github/workflows/nix-packages-test.yml
@@ -4,6 +4,9 @@ on: branches: - develop +permissions: + contents: read + jobs: nix-packages-test: runs-on: ubuntu-latest
diff --git a/.github/workflows/open-pr.yml b/.github/workflows/open-pr.yml
index 8eff88023..4f9928837 100644
--- a/.github/workflows/open-pr.yml
+++ b/.github/workflows/open-pr.yml
@@ -10,6 +10,11 @@ on: required: false type: string +permissions: + contents: write + pull-requests: write + id-token: write + jobs: create-commits-and-pr: permissions:
diff --git a/.github/workflows/relay.yml b/.github/workflows/relay.yml
index 29f074325..0aab8bb3a 100644
--- a/.github/workflows/relay.yml
+++ b/.github/workflows/relay.yml
@@ -6,6 +6,10 @@ on: branches: - develop +permissions: + contents: read + actions: read + jobs: relay_run_unit_tests: name: Relay Run Unit Tests
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 1924ae425..465fdc2ae 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -5,6 +5,10 @@ on: branches: - develop +permissions: + contents: read + actions: read + defaults: run: working-directory: contracts
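Review bot: The workflow-level `permissions:` block added to open-pr.yml (`contents: write`, `pull-requests: write`, `id-token: write`) sits directly above a job, `create-commits-and-pr`, whose own `permissions:` block is the last context line of the hunk, and a job-level block replaces the workflow-level one for that job rather than merging with it. Unless the workflow has other jobs without their own block, the new grant changes nothing for the job that does the work while showing readers a broader grant than is used; the job-level block's contents are outside the hunk, so whether the two agree cannot be checked here. This workflow is also invoked via `uses:` from dependency-updates.yml in the same commit, so its effective token is capped by that caller regardless of what is declared here. Keep the job-level block as the authoritative statement and reduce the top-level one to `permissions:` / `  contents: read`, or make the two identical and say so in a comment.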
@@ -40,7 +44,7 @@ jobs: needs: [get_projectserum_version, build_wrapped_anchor_image] steps: - name: Free Disk Space - uses: smartcontractkit/.github/actions/free-disk-space@free-disk-space/v1 + uses: smartcontractkit/.github/actions/free-disk-space@ca71236c9f9e1358597795ef7d433dd3d3df8dfb # free-disk-space/v1 - uses: actions/checkout@v4 - name: Cache cargo target dir uses: actions/cache@v4
@@ -87,7 +91,7 @@ jobs: needs: [get_projectserum_version, build_wrapped_anchor_image] steps: - name: Free Disk Space - uses: smartcontractkit/.github/actions/free-disk-space@free-disk-space/v1 + uses: smartcontractkit/.github/actions/free-disk-space@ca71236c9f9e1358597795ef7d433dd3d3df8dfb # free-disk-space/v1 - uses: actions/checkout@v4 - name: Cache cargo target dir uses: actions/cache@v4
@@ -131,7 +135,7 @@ jobs: needs: [get_projectserum_version, build_wrapped_anchor_image] steps: - name: Free Disk Space - uses: smartcontractkit/.github/actions/free-disk-space@free-disk-space/v1 + uses: smartcontractkit/.github/actions/free-disk-space@ca71236c9f9e1358597795ef7d433dd3d3df8dfb # free-disk-space/v1 - name: Checkout sources uses: actions/checkout@v4
diff --git a/.github/workflows/soak.yml b/.github/workflows/soak.yml
index 9833e8b5a..6c09e6b87 100644
--- a/.github/workflows/soak.yml
+++ b/.github/workflows/soak.yml
@@ -6,7 +6,7 @@ on: description: Your .toml file as base64 (must NOT contain test secrets) required: true test_secrets_override_key: - description: 'Key to run tests with custom test secrets like ws url, rpc url, private key, etc.' + description: 'Set to "1" or any value to use custom test secrets from E2E_TEST_SECRETS_OVERRIDE (avoids exposing all secrets)' required: false type: string cl_image_tag:
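Review bot: The trailing comment on the new pin in rust.yml, `# free-disk-space/v1`, names a floating major-version tag, so the comment can never be checked against the SHA `ca71236c9f9e1358597795ef7d433dd3d3df8dfb`: once the tag moves, nothing records which release the commit actually was, and an updater that matches comments to tags will have no stable reference. Record the immutable release tag the SHA corresponds to, e.g. `uses: smartcontractkit/.github/actions/free-disk-space@ca71236c9f9e1358597795ef7d433dd3d3df8dfb # free-disk-space/<exact-release-tag>` with the real tag filled in after checking it in the upstream repository. The same line is changed in this file's `@@ -87,7` and `@@ -131,7` hunks and should carry the same comment.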
@@ -24,6 +24,13 @@ on: required: true type: string default: BIX + +permissions: + contents: read + id-token: write + checks: write + pull-requests: write + env: CL_ECR: ${{ secrets.QA_AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ secrets.QA_AWS_REGION }}.amazonaws.com/chainlink CONTRACT_ARTIFACTS_PATH: contracts/target/deploy
@@ -97,7 +104,7 @@ jobs: test_command_to_run: cd ./integration-tests && go test -count=1 -run TestSolanaOCRV2Soak/embedded $(args) ./soak 2>&1 | tee /tmp/gotest.log test_download_vendor_packages_command: cd ./integration-tests && go mod download test_config_override_base64: ${{ env.BASE64_CONFIG_OVERRIDE }} - test_secrets_override_base64: ${{ secrets[inputs.test_secrets_override_key] }} + test_secrets_override_base64: ${{ inputs.test_secrets_override_key != '' && secrets.E2E_TEST_SECRETS_OVERRIDE || '' }} download_contract_artifacts_path: ${{ env.CONTRACT_ARTIFACTS_PATH }} go_mod_path: ./integration-tests/go.mod cl_repo: ${{ env.CL_ECR }}
diff --git a/.github/workflows/sonar-scan.yml b/.github/workflows/sonar-scan.yml
index d29115f5c..dbded716d 100644
--- a/.github/workflows/sonar-scan.yml
+++ b/.github/workflows/sonar-scan.yml
@@ -6,6 +6,10 @@ on: - develop pull_request: +permissions: + contents: read + actions: read + jobs: wait_for_workflows: name: Wait for workflows
@@ -35,7 +39,7 @@ jobs: - name: Check out Code uses: actions/checkout@v4 - name: Parse tool-versions file - uses: smartcontractkit/tool-versions-to-env-action@v1.0.8 + uses: smartcontractkit/tool-versions-to-env-action@aabd5efbaf28005284e846c5cf3a02f2cba2f4c2 # v1.0.8 id: tool-versions outputs: go-version: ${{ steps.tool-versions.outputs.golang_version }}
diff --git a/.github/workflows/upstream-tracker.yml b/.github/workflows/upstream-tracker.yml
index 8d16965f0..cd9dd7f90 100644
--- a/.github/workflows/upstream-tracker.yml
+++ b/.github/workflows/upstream-tracker.yml
@@ -4,6 +4,10 @@ on: schedule: - cron: '0 0 * * 1' # check monday at midnight UTC +permissions: + contents: read + issues: write + jobs: Solana-Update-Checker: runs-on: ubuntu-latest