This document outlines the security measures implemented to protect this repository from malicious external contributions and unauthorized infrastructure access.
External contributors CANNOT run malicious code on our infrastructure through pull requests.
- SHA Pinning: Required - all actions must use pinned versions
- Selected Actions Only: Only trusted actions from specific organizations are allowed
- External Actions: Blocked - prevents supply chain attacks
- Branch Protection: Main branch requires status checks and restricts push access
- Deployment Workflows Disabled: All deployment workflows have `if: false` conditions
- Limited Workflow Execution: Only test and validation workflows can run on PRs
- AWS Credentials: Only available to trusted workflows for testing purposes
- API Keys: Restricted to necessary workflows only
- Environment Variables: Properly scoped and limited to test environments
- No Deployment Access: External PRs cannot trigger deployments
- Test-Only Secrets: Production secrets are not accessible to PR workflows
- Resource Limits: CI resources are limited by concurrency settings
- All workflows run normally
- Full access to secrets and actions
- Can trigger deployments (when enabled)
- CAN run: Test workflows (lint, typecheck, unit tests, e2e tests)
- CANNOT run: Deployment workflows (disabled with `if: false`)
- CANNOT access: Production secrets or infrastructure
- RESTRICTED to: Pinned versions of trusted actions only
The repository-level security settings provide protection:
```json
{
  "enabled": true,
  "allowed_actions": "selected",
  "sha_pinning_required": true,
  "selected_actions": {
    "github_owned_allowed": true,
    "verified_allowed": true,
    "patterns_allowed": [
      "decipad/*",
      "actions-rust-lang/*",
      "nrwl/*",
      "jetli/*",
      "aws-actions/*",
      "buildjet/*",
      "treosh/*",
      "swatinem/*"
    ]
  }
}
```
This ensures that:
- Only trusted actions from specific organizations can run
- All actions must use pinned versions (prevents version-based attacks)
- External actions are completely blocked
- Supply chain attacks are prevented
- Deployment workflows are disabled for external contributors
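The settings above can also be checked locally before a workflow change is merged. The following is an added example, not part of this repository's tooling: the function name `audit_workflow` and the sample workflow are assumptions, the SHAs are constructed placeholders, and because `verified_allowed` cannot be evaluated offline, verified creators outside the pattern list are reported for manual review.

```python
import fnmatch
import re

# Policy values copied from the repository settings shown above.
ALLOWED_PATTERNS = ["decipad/*", "actions-rust-lang/*", "nrwl/*", "jetli/*",
                    "aws-actions/*", "buildjet/*", "treosh/*", "swatinem/*"]
GITHUB_OWNED = {"actions", "github"}  # owners covered by github_owned_allowed

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_number, reference, problem) for each `uses:` that breaks policy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./"):
            continue  # local action from the same repository, no pin applies
        if ref.startswith("docker://"):
            findings.append((lineno, ref, "docker reference, review manually"))
            continue
        action, _, version = ref.partition("@")
        owner = action.split("/")[0].lower()
        # verified_allowed cannot be decided offline, so a verified creator
        # outside the pattern list is reported here for manual review.
        if owner not in GITHUB_OWNED and not any(
                fnmatch.fnmatchcase(action.lower(), p) for p in ALLOWED_PATTERNS):
            findings.append((lineno, ref, "owner not in allow-list"))
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, ref, "not pinned to a full commit SHA"))
    return findings


# Constructed sample workflow; the SHAs are made-up placeholders.
SAMPLE = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: nrwl/nx-set-shas@v4
      - uses: example-org/some-action@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/setup
"""

if __name__ == "__main__":
    for lineno, ref, problem in audit_workflow(SAMPLE):
        print(f"line {lineno}: {ref}: {problem}")
```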
- Run Tests (`test.yml`) - Unit tests with limited AWS access for testing
- Run E2E Tests (`test-e2e.yaml`) - End-to-end tests with dev environment access
- Lint & Typecheck (`lint-and-typecheck.yml`) - Code quality checks
- Deploy PR (`deploy-pr.yaml`) - Disabled with `if: false`
- Deploy Dev (`deploy-dev.yml`) - Disabled with `if: false`
- Deploy Prod (`deploy-prod.yml`) - Disabled with `if: false`
- All workflow runs are logged and monitored
- Failed security checks are visible in workflow logs
- External PRs will show "skipped" status for security-protected jobs
- Discord notifications for workflow failures on main branch
- Never disable these security checks unless absolutely necessary
- Review all workflow changes before merging
- Monitor workflow runs for suspicious activity
- Keep secrets minimal - only include what's necessary for testing
- Regular security audits - review permissions and access
- Consider OIDC for AWS credentials instead of long-lived access keys
- Environment-specific secrets - separate test vs production secrets
If you discover a security vulnerability in our GitHub Actions setup:
- DO NOT create a public issue
- Email security concerns to: security@decipad.com
- We will respond within 48 hours
External contributors cannot:
- Deploy code to production or staging environments
- Access production secrets or infrastructure
- Run arbitrary code on our infrastructure
- Bypass security controls through workflow modifications
Potential risks (mitigated):
- Resource consumption through test workflows (limited by concurrency)
- Secret exposure in test environments (only dev/test secrets, not production)
- Supply chain attacks (prevented by action restrictions)
This security configuration is regularly reviewed and updated to protect against new attack vectors and maintain the highest security standards. Last updated: January 2025