chore: enforce security hardening for GitHub Actions workflows (#10038)

* chore: set explicit workflow permissions defaults

* chore: disable persisted checkout credentials

* chore: centralize secure authenticated git push

* chore: pin workflow actions to immutable SHAs

* chore: group dependabot updates

Author: paulbalandan

.github/dependabot.yml

@@ -6,13 +6,21 @@ updates:
     schedule:
       interval: 'daily'
     open-pull-requests-limit: 10
+    groups:
+      composer-dependencies:
+        patterns:
+          - '*'
 
   - package-ecosystem: 'github-actions'
-    directory: '/'
+    directories:
+      - '/'
+      - '/admin/framework'
+      - '/admin/starter'
+      - '/admin/userguide'
     schedule:
       interval: 'daily'
-    ignore:
-      - dependency-name: '*'
-        update-types:
-          - 'version-update:semver-minor'
-          - 'version-update:semver-patch'
+    groups:
+      github-actions:
+        patterns:
+          - '*'
+        group-by: dependency-name

.github/scripts/deploy-appstarter

@@ -32,4 +32,4 @@ cp -Rf ${SOURCE}/admin/starter/. ./
 # Commit the changes
 git add .
 git commit -m "Release ${RELEASE}"
-git push
+bash ${SOURCE}/.github/scripts/secure-git-push https://github.com/codeigniter4/appstarter.git HEAD:master

.github/scripts/deploy-framework

@@ -34,4 +34,4 @@ cp -Rf ${SOURCE}/admin/starter/tests/. ./tests/
 # Commit the changes
 git add .
 git commit -m "Release ${RELEASE}"
-git push
+bash ${SOURCE}/.github/scripts/secure-git-push https://github.com/codeigniter4/framework.git HEAD:master

.github/scripts/deploy-userguide

@@ -58,4 +58,4 @@ touch ${TARGET}/docs/.nojekyll
 # Commit the changes
 git add .
 git commit -m "Release ${RELEASE}"
-git push
+bash ${SOURCE}/.github/scripts/secure-git-push https://github.com/codeigniter4/userguide.git HEAD:master

.github/scripts/secure-git-push

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if [[ $# -ne 2 ]]; then
+    echo "Usage: secure-git-push <remote-url> <refspec>" >&2
+    exit 1
+fi
+
+if [[ -z "${PUSH_TOKEN:-}" ]]; then
+    echo "PUSH_TOKEN is required" >&2
+    exit 1
+fi
+
+REMOTE_URL="$1"
+REFSPEC="$2"
+AUTH_HEADER="$(printf 'x-access-token:%s' "${PUSH_TOKEN}" | base64 | tr -d '\n')"
+
+echo "::add-mask::${AUTH_HEADER}"
+git -c http.https://github.com/.extraheader="AUTHORIZATION: basic ${AUTH_HEADER}" push "${REMOTE_URL}" "${REFSPEC}"
+
+unset AUTH_HEADER PUSH_TOKEN

.github/workflows/deploy-apidocs.yml

@@ -29,19 +29,21 @@ jobs:
           git config --global user.name "${GITHUB_ACTOR}"
 
       - name: Checkout source
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           path: source
+          persist-credentials: false
 
       - name: Checkout target
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: codeigniter4/api
           token: ${{ secrets.ACCESS_TOKEN }}
           path: api
+          persist-credentials: false
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
         with:
           php-version: '8.2'
           tools: phive
@@ -66,9 +68,11 @@ jobs:
 
       - name: Deploy to API repo
         working-directory: api
+        env:
+          PUSH_TOKEN: ${{ secrets.ACCESS_TOKEN }}
         run: |
           git add .
           if ! git diff-index --quiet HEAD; then
             git commit -m "Updated API for commit ${GITHUB_SHA}"
-            git push origin master
+            bash ${GITHUB_WORKSPACE}/.github/scripts/secure-git-push https://github.com/codeigniter4/api.git HEAD:master
           fi

.github/workflows/deploy-distributables.yml

@@ -16,9 +16,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0 # fetch all tags
+          persist-credentials: false
 
       - name: Get latest version
         id: version
@@ -49,25 +50,29 @@ jobs:
           git config --global user.name "${GITHUB_ACTOR}"
 
       - name: Checkout source
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           path: source
+          persist-credentials: false
 
       - name: Checkout target
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: codeigniter4/framework
           token: ${{ secrets.ACCESS_TOKEN }}
           path: framework
+          persist-credentials: false
 
       - name: Chmod
         run: chmod +x ./source/.github/scripts/deploy-framework
 
       - name: Deploy
+        env:
+          PUSH_TOKEN: ${{ secrets.ACCESS_TOKEN }}
         run: ./source/.github/scripts/deploy-framework ${GITHUB_WORKSPACE}/source ${GITHUB_WORKSPACE}/framework ${GITHUB_REF##*/}
 
       - name: Release
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{secrets.ACCESS_TOKEN}}
           script: |
@@ -99,25 +104,29 @@ jobs:
           git config --global user.name "${GITHUB_ACTOR}"
 
       - name: Checkout source
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           path: source
+          persist-credentials: false
 
       - name: Checkout target
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: codeigniter4/appstarter
           token: ${{ secrets.ACCESS_TOKEN }}
           path: appstarter
+          persist-credentials: false
 
       - name: Chmod
         run: chmod +x ./source/.github/scripts/deploy-appstarter
 
       - name: Deploy
+        env:
+          PUSH_TOKEN: ${{ secrets.ACCESS_TOKEN }}
         run: ./source/.github/scripts/deploy-appstarter ${GITHUB_WORKSPACE}/source ${GITHUB_WORKSPACE}/appstarter ${GITHUB_REF##*/}
 
       - name: Release
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{secrets.ACCESS_TOKEN}}
           script: |
@@ -149,19 +158,21 @@ jobs:
           git config --global user.name "${GITHUB_ACTOR}"
 
       - name: Checkout source
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           path: source
+          persist-credentials: false
 
       - name: Checkout target
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: codeigniter4/userguide
           token: ${{ secrets.ACCESS_TOKEN }}
           path: userguide
+          persist-credentials: false
 
       - name: Setup Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.12'
 
@@ -174,10 +185,12 @@ jobs:
         run: chmod +x ./source/.github/scripts/deploy-userguide
 
       - name: Deploy
+        env:
+          PUSH_TOKEN: ${{ secrets.ACCESS_TOKEN }}
         run: ./source/.github/scripts/deploy-userguide ${GITHUB_WORKSPACE}/source ${GITHUB_WORKSPACE}/userguide ${GITHUB_REF##*/}
 
       - name: Release
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{secrets.ACCESS_TOKEN}}
           script: |

.github/workflows/deploy-userguide-latest.yml

@@ -19,22 +19,24 @@ jobs:
   build:
     name: Deploy to gh-pages
     permissions:
-      # Allow ad-m/github-push-action to push commit to branch gh-pages
+      # Allow push to branch gh-pages
       contents: write
     if: (github.repository == 'codeigniter4/CodeIgniter4')
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
         with:
           php-version: '8.2'
           coverage: none
 
       - name: Setup Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.12'
 
@@ -57,7 +59,7 @@ jobs:
 
       # Create an artifact of the html output
       - name: Upload artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: HTML Documentation
           path: user_guide_src/build/html/
@@ -75,8 +77,7 @@ jobs:
           git commit -m "Update User Guide" -a || true
 
       - name: Push changes
-        uses: ad-m/github-push-action@v1.0.0
-        with:
-          branch: gh-pages
-          directory: gh-pages
-          github_token: ${{ secrets.ACCESS_TOKEN }}
+        working-directory: gh-pages
+        env:
+          PUSH_TOKEN: ${{ secrets.ACCESS_TOKEN }}
+        run: bash ${GITHUB_WORKSPACE}/.github/scripts/secure-git-push https://github.com/codeigniter4/CodeIgniter4.git HEAD:gh-pages

.github/workflows/label-add-conflict-all-pr.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Get PR List
         id: PR-list

.github/workflows/label-signing.yml

@@ -19,10 +19,10 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Check signed commits in PR
-        uses: 1Password/check-signed-commits-action@v1
+        uses: 1Password/check-signed-commits-action@ed2885f3ed2577a4f5d3c3fe895432a557d23d52 # v1.2.0
         with:
           comment: |
             You must GPG-sign your work, certifying that you either wrote the work or otherwise have the right to pass it on to an open-source project. See Developer's Certificate of Origin. See [signing][1].