workflows: add CodeQL analysis workflow for GitHub Actions #10644
tmleman wants to merge 3 commits into thesofproject:main from
Conversation
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation.
Pull request overview
Adds a CodeQL workflow to analyze GitHub Actions workflows and applies least-privilege GITHUB_TOKEN defaults across existing CI workflows, plus pins a third-party action to an immutable SHA.
Changes:
- Add a new codeql.yml workflow to run CodeQL analysis for the actions language on PRs to main.
- Restrict GITHUB_TOKEN permissions to contents: read at the workflow level across multiple existing workflows.
- Pin msys2/setup-msys2@v2 to a specific commit SHA in the Zephyr workflow.
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/zephyr.yml | Add default contents: read permissions; pin msys2/setup-msys2 to a commit SHA. |
| .github/workflows/unit-tests.yml | Add default contents: read permissions. |
| .github/workflows/tools.yml | Add default contents: read permissions. |
| .github/workflows/testbench.yml | Add default contents: read permissions. |
| .github/workflows/sparse-zephyr.yml | Add default contents: read permissions. |
| .github/workflows/sof-docs.yml | Add default contents: read permissions. |
| .github/workflows/rimage.yml | Add default contents: read permissions. |
| .github/workflows/repro-build.yml | Add default contents: read permissions. |
| .github/workflows/pull-request.yml | Add default contents: read permissions. |
| .github/workflows/llext.yml | Add default contents: read permissions. |
| .github/workflows/ipc_fuzzer.yml | Add default contents: read permissions. |
| .github/workflows/daily-tests.yml | Add default contents: read permissions. |
| .github/workflows/codestyle.yml | Add default contents: read permissions. |
| .github/workflows/codeql.yml | Introduce CodeQL workflow to analyze GitHub Actions workflows on PRs to main. |
| .github/workflows/build_all.yml | Add default contents: read permissions. |
lgirdwood left a comment
LGTM, and good to have. Can you address the Copilot comments?
cd71af4 to ebafac1
Add explicit top-level permissions block to all GitHub Actions workflow files, limiting the GITHUB_TOKEN to the minimum required scope: read.

Why this is recommended: GitHub Actions grants the GITHUB_TOKEN broad default permissions (read/write on most scopes) unless explicitly restricted. The GitHub security hardening guide and CodeQL (actions/missing-workflow-permissions rule) recommend always declaring an explicit permissions block to enforce the principle of least privilege.

Threats prevented:
- Compromised or malicious third-party actions (supply chain attacks) cannot use the implicit GITHUB_TOKEN to write to the repository, create releases, modify issues/PRs, upload packages, or affect deployments, even if such an action is injected into the workflow.
- If a vulnerability in a workflow step allows code execution (e.g. via script injection through PR title/body), the attacker's ability to abuse the token is limited to read-only repository access.
- Reduces blast radius of any accidental or intentional misuse of the token across all CI jobs.

Affected workflows: build_all, codestyle, daily-tests, ipc_fuzzer, llext, pull-request, repro-build, rimage, sof-docs, sparse-zephyr, testbench, tools, unit-tests, zephyr.

Signed-off-by: Tomasz Leman <tomasz.m.leman@intel.com>
Replace the mutable tag reference 'msys2/setup-msys2@v2' with a pinned commit SHA in zephyr.yml.

Why this is recommended: Tags in GitHub Actions are mutable. A repository owner can silently move a tag (e.g. 'v2') to point to a different, potentially malicious commit at any time without the consuming workflow receiving any notification. Pinning to a full commit SHA ensures the exact code that was reviewed is what runs in CI, making the reference immutable.

Threats prevented:
- Supply chain attacks: a compromised or malicious actor with write access to the msys2/setup-msys2 repository cannot push new code under the existing 'v2' tag and have it automatically executed in our CI without an explicit code review and hash update on our side.
- Dependency confusion: prevents accidental or forced resolution to an unintended version of the action.

The comment '# v2' is retained to make it clear which upstream release the hash corresponds to, aiding future maintenance when a deliberate update is needed.

Signed-off-by: Tomasz Leman <tomasz.m.leman@intel.com>
Introduce a new CodeQL scanning workflow (.github/workflows/codeql.yml)
that statically analyzes all GitHub Actions workflow files in the
repository on every pull request targeting main.
What it does:
- Runs CodeQL with the 'actions' language target, which scans .yml
workflow files for security misconfigurations such as missing
permissions, unpinned action tags, script injection, and other GitHub
Actions-specific vulnerabilities.
- Uploads SARIF results to the GitHub Security tab, making findings
visible directly in pull requests and the repository's security
overview.
- Uses concurrency groups to cancel superseded runs on the same branch,
avoiding wasted CI time.
Security posture of the workflow itself:
- Top-level permissions default to contents: read.
- The analyze job explicitly declares the minimum required scopes:
actions: read (to inspect workflow metadata) and contents: read (to
checkout the repository).
- All third-party actions are pinned to immutable commit SHAs to prevent
supply chain attacks:
  * actions/checkout @ de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  * codeql-action/init @ 0d579ffd059c29b07949a3cce3983f0780820c98 # v4
  * codeql-action/analyze @ 0d579ffd059c29b07949a3cce3983f0780820c98 # v4
- persist-credentials: false is set on checkout to avoid leaking the
GITHUB_TOKEN to subsequent steps.
Signed-off-by: Tomasz Leman <tomasz.m.leman@intel.com>
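The three commit messages above describe the same three hardening rules that CodeQL's 'actions' queries flag: an explicit permissions block, third-party actions pinned to a full commit SHA, and persist-credentials: false on actions/checkout. The following is an added example, not code from the sof project or from this PR: a standard-library-only Python checker that applies those three rules to workflow text, run here over a constructed "before" workflow shaped like the ones this PR hardens and a constructed "after" workflow. It matches lines with regular expressions rather than parsing YAML, which is enough for the layout GitHub Actions files conventionally use but is not a substitute for CodeQL or a real YAML parser. The actions/checkout SHA in the "after" sample is the one quoted in the commit message; the msys2/setup-msys2 SHA is a placeholder, not the commit the PR pins, and the rule names are chosen here to mirror the CodeQL queries, not taken from the project.

```python
"""Line-oriented checker for the three GitHub Actions hardening rules this PR
applies. Added example; not code from the sof project or from this PR. The
sample workflows and the msys2 placeholder SHA below are constructed."""
import re
from dataclasses import dataclass
from typing import List

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")              # immutable commit reference
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")  # '- uses: owner/repo@ref'
PERMISSIONS_LINE = re.compile(r"^\s*permissions:", re.M)
PERSIST_FALSE = re.compile(r"^\s*persist-credentials:\s*false\b")


@dataclass(frozen=True)
class Finding:
    rule: str    # named after the CodeQL 'actions' query it approximates
    line: int    # 1-based line in the workflow text
    detail: str


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def lint_workflow(text: str) -> List[Finding]:
    """Return findings for one workflow file given as text."""
    findings = []
    lines = text.splitlines()

    # Rule 1 (missing-workflow-permissions): without any 'permissions:' block,
    # GITHUB_TOKEN gets the repository's default scope set, not least privilege.
    if not PERMISSIONS_LINE.search(text):
        findings.append(Finding("missing-workflow-permissions", 1,
                                "no 'permissions:' block; GITHUB_TOKEN keeps repository defaults"))

    for idx, line in enumerate(lines):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):  # local or image refs: not tag-pinnable
            continue
        action, _, version = ref.partition("@")

        # Rule 2 (unpinned-tag): a tag or branch can be moved by the action's
        # owner; only a full commit SHA is immutable.
        if not FULL_SHA.match(version):
            findings.append(Finding("unpinned-tag", idx + 1,
                                    f"{action} pinned to mutable ref '{version or '<none>'}'"))

        # Rule 3: actions/checkout stores GITHUB_TOKEN in .git/config unless
        # persist-credentials is false. The step's own keys (with:, etc.) are the
        # following lines indented at least as far as the 'uses' key itself.
        if action == "actions/checkout":
            key_col = line.index("uses:")
            persisted = True
            for nxt in lines[idx + 1:]:
                if nxt.strip() and _indent(nxt) < key_col:
                    break  # next step, next job, or top-level key
                if PERSIST_FALSE.match(nxt):
                    persisted = False
            if persisted:
                findings.append(Finding("checkout-persists-credentials", idx + 1,
                                        "actions/checkout without persist-credentials: false"))
    return findings


# Constructed 'before' sample: the shape of the workflows this PR hardens.
BEFORE = """\
name: build
on:
  pull_request:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: msys2/setup-msys2@v2
      - run: make
"""

# Constructed 'after' sample. The actions/checkout SHA is the one the commit
# message quotes; the msys2 SHA is a placeholder, not the real pinned commit.
AFTER = """\
name: build
on:
  pull_request:
    branches: [main]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: msys2/setup-msys2@1111111111111111111111111111111111111111 # v2 (placeholder)
      - run: make
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        found = lint_workflow(text)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  line {f.line}: {f.rule}: {f.detail}")
```

Running the file reports four findings for the "before" sample (no permissions block, two mutable tags, and a checkout that persists the token) and none for the "after" sample. One caveat for the CodeQL workflow itself: codeql-action/analyze uploads SARIF to code scanning, and github/codeql-action documents security-events: write as the permission that upload needs, so a job limited to actions: read and contents: read should be checked against a real run before relying on the results appearing in the Security tab.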
Add a CodeQL workflow to scan GitHub Actions workflow files on every PR to main and pre-emptively fix all 31 warnings it would generate: contents: read across all workflows and pin msys2/setup-msys2@v2 to an immutable commit SHA.