From f0a96dd6a6f655ae4f98c6f44ee3091316fbf4b8 Mon Sep 17 00:00:00 2001
From: Rohan Nagariya
Date: Thu, 18 Jun 2026 12:15:08 +0530
Subject: [PATCH] Security: harden CI workflows + pin SDK (APS-19440 chain)
- Pin actions/checkout@v3 and actions/setup-java@v3 to full commit SHAs
- Validate workflow_dispatch commit_sha as 40-hex before checkout ref / check creation
- Move BrowserStack secrets from job-level env to only the mvn test steps
- Add least-privilege top-level permissions (contents: read, checks: write)
- Pin browserstack-java-sdk to exact version 1.60.2 (was LATEST)
Co-Authored-By: Claude Opus 4.8
---
 .github/workflows/maven-workflow-run.yml | 30 ++++++++++++++++++++----
 pom.xml | 3 ++-
 2 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/maven-workflow-run.yml b/.github/workflows/maven-workflow-run.yml
index b240e8a..45a6923 100644
--- a/.github/workflows/maven-workflow-run.yml
+++ b/.github/workflows/maven-workflow-run.yml
@@ -10,6 +10,11 @@ on:
 description: 'The full commit id to build'
 required: true
+# Least-privilege default token. Only the check-status steps need checks: write.
+permissions:
+ contents: read
+ checks: write
+
 jobs:
 comment-run:
 runs-on: ${{ matrix.os }}
@@ -20,12 +25,18 @@ jobs:
 java: [ '8', '11', '17' ]
 os: [ 'macos-latest', 'windows-latest', 'ubuntu-latest' ]
 name: Java-selenium Repo ${{ matrix.Java }} - ${{ matrix.os }} Sample
- env:
- BROWSERSTACK_USERNAME: ${{ secrets.BROWSERSTACK_USERNAME }}
- BROWSERSTACK_ACCESS_KEY: ${{ secrets.BROWSERSTACK_ACCESS_KEY }}
 steps:
- - uses: actions/checkout@v3
+ - name: Validate commit_sha input
+ env:
+ COMMIT_SHA: ${{ github.event.inputs.commit_sha }}
+ shell: bash
+ run: |
+ if [[ ! "$COMMIT_SHA" =~ ^[0-9a-fA-F]{40}$ ]]; then
+ echo "::error::commit_sha must be a full 40-character hex commit id"
+ exit 1
+ fi
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 with:
 ref: ${{ github.event.inputs.commit_sha }}
 - uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
@@ -48,19 +59,28 @@ jobs:
 console.log('Failed to create check run')
 }
 - name: Set up Java
- uses: actions/setup-java@v3
+ uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3
 with:
 distribution: 'temurin'
 java-version: ${{ matrix.java }}
 - name: Run mvn test
+ env:
+ BROWSERSTACK_USERNAME: ${{ secrets.BROWSERSTACK_USERNAME }}
+ BROWSERSTACK_ACCESS_KEY: ${{ secrets.BROWSERSTACK_ACCESS_KEY }}
 run: |
 mvn compile
 mvn test
 - name: Run mvn profile sample-local-test
+ env:
+ BROWSERSTACK_USERNAME: ${{ secrets.BROWSERSTACK_USERNAME }}
+ BROWSERSTACK_ACCESS_KEY: ${{ secrets.BROWSERSTACK_ACCESS_KEY }}
 run: |
 mvn compile
 mvn test -P sample-local-test
 - name: Run mvn profile sample-test
+ env:
+ BROWSERSTACK_USERNAME: ${{ secrets.BROWSERSTACK_USERNAME }}
+ BROWSERSTACK_ACCESS_KEY: ${{ secrets.BROWSERSTACK_ACCESS_KEY }}
 run: |
 mvn compile
 mvn test -P sample-test
diff --git a/pom.xml b/pom.xml
index 9974a1c..66f06ac 100644
--- a/pom.xml
+++ b/pom.xml
@@ -18,6 +18,7 @@
 2.19.1
 4.1.4
 1.1.1
+ 1.60.2
 config/sample-local-test.testng.xml
@@ -35,7 +36,7 @@
 com.browserstack
 browserstack-java-sdk
- LATEST
+ ${browserstack-java-sdk.version}
 compile
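Review bot: The new `Validate commit_sha input` step assumes the workflow only ever runs from `workflow_dispatch`; on any other trigger `COMMIT_SHA` is empty, the regex fails and the job aborts before checkout, so if the `on:` block (outside this hunk) lists other events the step needs `if: github.event_name == 'workflow_dispatch'` and checkout should fall back with `ref: ${{ github.event.inputs.commit_sha || github.sha }}`. The check is purely syntactic: any well-formed SHA passes, including a commit that is not on any branch of this repository (presumably `actions/checkout` can fetch fork-network commits by SHA, which would then be built with the BrowserStack secrets later in this job), so a comment such as `# format-only check; the SHA is not verified to be on a trusted branch` would set expectations for the next maintainer. Because a dispatch already requires write access this is a bounded risk, but it should be stated rather than implied by the step name. Passing the input through `env:` instead of interpolating it into `run:` is the right call and should stay as written.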
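Review bot: The BrowserStack secrets are now scoped to the three `Run mvn ...` steps, but each of those steps also executes `mvn compile`, so every plugin resolved during compilation still runs with `BROWSERSTACK_ACCESS_KEY` in its environment; a single secret-free step (`- name: Compile` / `run: mvn compile`) before `Set up Java`'s consumers, with only `mvn test ...` left in the secret-bearing steps, closes that gap and drops two redundant compiles. The three identical `env:` blocks are a maintenance hazard (GitHub Actions does not expand YAML anchors), which is another argument for keeping the secret in as few steps as possible. The `# v3` trailer on the pinned `actions/setup-java` (and on `actions/checkout` in the previous hunk) should name the exact tag the SHA was resolved from, e.g. `# v3.x.y`, so a reviewer can verify the pin without resolving it by hand, and a Dependabot/Renovate `github-actions` update config should accompany the pins or they will silently go stale.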
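Review bot: Pinning to `1.60.2` removes the floating `LATEST`, but nothing stops the next edit from reintroducing a dynamic version; adding the maven-enforcer `banDynamicVersions` rule (enforcer 3.2.0+) would fail the build on `LATEST`, `RELEASE` or range versions rather than relying on review. A pin is reproducible but not integrity-checked — Maven's default checksum policy only compares against the checksum served by the same repository — so if the SDK is considered a sensitive dependency consider verifying its checksum or signature in CI as well. The property name `browserstack-java-sdk.version` matches the existing `*.version` properties above it, which is the convention worth keeping.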