Harden GitHub Actions Workflow - release.yml

[stepsecurity-app]

Summary

This issue is created by StepSecurity related to security issues in release.yml . The platform has identified 2 vulnerabilities (1 critical, 0 high, 0 medium, 1 low).

Remediation Overview

The platform can generate remediations for a few vulnerabilities. For such vulnerabilities, you can find the fixed workflow file in the Suggested Fix For Auto-Remediable Issues section. You can manually deploy these changes or create a pull request by commenting @stepsecurity-app pull-request create on this issue.

If you’d like an automated pull request with the fixed workflow file, comment:

@stepsecurity-app pull-request create

Other issues require manual investigation and changes.

Once a vulnerability has been remediated, ✅ will appear in the title. Note that it may take up to 24 hours for these issues to be updated.

Please review the individual vulnerability section below and follow the recommended resolution steps.

Security Checks Details

❌ Actions should be pinned to a full-length commit SHA

• Severity: Critical

• Description: GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.

• Resolution: Pin Actions to a full-length commit SHA..

• Automated Remediation Available ?: true

• References:

  • GitHub Security Guide

  • The Open Source Security Foundation (OpenSSF) Security Guide

❌ Network and runtime security monitoring should be enabled for GitHub-hosted runners

• Severity: Low

• Description: This check passes if the step-security/harden-runner GitHub Action is used in a job that runs on a GitHub-hosted runner. Harden-Runner prevents exfiltration of code and CI/CD credentials, and detects tampering of files during build.

• Resolution: Add the step-security/harden-runner GitHub Action to the job.

• Automated Remediation Available ?: true

• References:

  • GitHub Security Guide

  • The Open Source Security Foundation (OpenSSF) Security Guide

Suggested Fix For Auto-Remediable Issues

Below is the updated workflow, which fixes the following security vulnerabilities:

• Actions should be pinned to a full-length commit SHA

• Network and runtime security monitoring should be enabled for GitHub-hosted runners

  name: 发布新版本
  on:
    push:
      branches:
        - master
    pull_request:
      branches: [ "master" ]
      types: [closed]
  permissions:
    contents: read
    id-token: write
  jobs:
    release-build:
      runs-on: ubuntu-latest
      if: github.event.pull_request.merged == true || github.event_name == 'push'
      steps:
      - 
+ name: Harden the runner (Audit all outbound calls)
+       uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+       with:
+         egress-policy: audit
+     - 
  uses: actions/checkout@
+ 08eba0b27e820071cde6df949e0beb9ba4906955 # 
  v4
+ .3.0
      - name: 设置Python环境
        uses: actions/setup-python@
+ a26af69be951a213d495a4c3e4e4022e16d87065 # 
  v5
+ .6.0
        with:
          python-version: '3.x'
      - name: 构建发布分发包
        run: |
          python -m pip install build
          python -m build
      - name: 提取版本号
        id: extract_version
        run: |
          filename=$(ls dist/mzapi_python-*.whl)
          version=$(echo $filename | sed -e 's/.*-\([0-9]\+\.[0-9]\+\.[0-9]\+\).*\.whl/\1/')
          echo "version=$version" >> $GITHUB_ENV
      - name: 创建GitHub Release
        uses: softprops/action-gh-release@
+ 6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # 
  v2
+ .4.1
        with:
            tag_name: v${{ env.version }}
            name: Release v${{ env.version }}
            body: |
              🎉 发布新版本${{ env.version }} 🎉
              这是我们新版本${{ env.version }}的发布说明。本次发布包含了以下更改：
              ${{ github.event.head_commit.message }}！
            files: |
              dist/*.whl
              dist/*.tar.gz
            token: ${{ secrets.TOKEN }}

Additional Information

For more information, refer to the documentation page here.
Please don't make any changes in the description as the platform makes automated updates in description. Please use the comment section below to provide input.

Automated remediation commands and options

• Create a pull request with automated security fixes

@stepsecurity-app pull-request create

• Close this issue and prevent it from being reopened

@stepsecurity-app issue close <REASON>

• Update issue description with latest security check status

@stepsecurity-app issue force-update

• View all available commands and their usage

@stepsecurity-app help

Which GitHub Actions security best practices were evaluated?

The workflow was evaluated for the following GitHub Actions security best practices:

• Network & runtime security monitoring
• Token permissions
• Third‐party GitHub Actions usage & pinning

[github-actions]

这份GitHub Issue讨论了如何加强名为release.yml的GitHub Actions工作流文件的安全性。StepSecurity平台报告发现了该文件中的两个安全漏洞，包括一个关键漏洞（GitHub Action未固定到全长度的提交SHA）和一个低级别漏洞（缺少网络和运行时监控）。平台提供了自动补救措施的代码示例，可通过使用@stepsecurity-app pull-request create命令创建修复这些问题的拉取请求，同时也列出了需要手动修改的部分。具体建议包括固定Actions到全长度SHA以及添加step-security/harden-runnerAction以启用监控。建议用户按步骤实施修复，以提高工作流的安全性并遵循最佳实践。