Harden the CI workflow's supply chain
A GitHub Actions workflow pulls third-party actions by mutable tag and runs with a write-scoped token. Pin every action to a commit SHA and drop the token to least privilege.
Scenario
A CI workflow uses third-party actions by mutable tag (@v4), so a compromised or retagged release would run in your pipeline. It also runs with the default write-scoped GITHUB_TOKEN, far more than a build/test job needs.
Your job
In .github/workflows/ci.yml:
- Pin every uses: to a full 40-character commit SHA (keep the version in a trailing comment).
- Set a least-privilege token: a top-level permissions: block that is read-only (e.g. contents: read).
What "done" looks like
No action references a tag (each uses: ends in a 40-hex SHA), and permissions: grants only read.
Graded on the workflow's shape, not a live run.
Teaches CI supply-chain hygiene: pinning actions to immutable SHAs and minimizing the token's scope, so that a compromised action can't push to the repo.
What gets checked
Your solution is verified against each of these:
- Every action is pinned to a full commit SHA, not a mutable tag
- The workflow sets a read-only GITHUB_TOKEN (permissions)
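As an added check that is not part of the original page, this Python script grades a workflow against the two checks above. The sample workflows are constructed here and the SHAs in them are placeholders, not real commits; it uses a line-based scan rather than a YAML parser, so it assumes the standard layout shown.

```python
import re
# Constructed sample workflows (not from the page); the SHAs are placeholders, not real commits.
BEFORE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm test
"""
AFTER = """\
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
      - uses: actions/setup-node@89abcdef0123456789abcdef0123456789abcdef  # v4
      - run: npm test
"""
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)
PINNED_RE = re.compile(r"^[\w.-]+/[\w.-]+(?:/[\w./-]*)?@[0-9a-f]{40}$")

def unpinned_actions(workflow: str) -> list[str]:
    """Third-party `uses:` refs not pinned to a 40-hex SHA (local ./ and docker:// refs skipped)."""
    return [r for r in USES_RE.findall(workflow)
            if not r.startswith(("./", "docker://")) and not PINNED_RE.match(r)]

def token_is_read_only(workflow: str) -> bool:
    """True only if a top-level permissions: block exists and grants nothing beyond read."""
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("permissions:"):
            inline = line.split(":", 1)[1].split("#")[0].strip()
            if inline:  # shorthand forms: `permissions: read-all` or `permissions: {}`
                return inline in ("read-all", "{}")
            block = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and not nxt.startswith((" ", "\t")):
                    break  # next top-level key ends the block
                block.append(nxt)
            scopes = [ln.split(":", 1)[1].split("#")[0].strip() for ln in block if ":" in ln]
            return bool(scopes) and all(s in ("read", "none") for s in scopes)
    return False  # no top-level block: the default GITHUB_TOKEN is write-scoped

def workflow_is_hardened(workflow: str) -> bool:
    return not unpinned_actions(workflow) and token_is_read_only(workflow)
```

Run it against your own ci.yml by reading the file into a string and passing it to workflow_is_hardened; a job-level permissions: block does not count, since the check wants the top-level one.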
Solve it in your browser
No setup, no install. Write your solution in the editor and hit Check. The in-house engine renders and grades it instantly, then issues your proof the moment every check passes.
Prefer your own lab?
- Build the fix locally. New to the tooling? See setting up your lab.
- Push your topology file, device configs, and any playbooks to a public repo (GitHub or GitLab).
- Submit the repo link. We review it by hand, confirm it works, and issue your proof page.