chore(security): add harden-runner to critical release and AI agent workflows#8017
Open
jordanconway wants to merge 1 commit into
Conversation
…orkflows

Add step-security/harden-runner (audit mode) as the first step in the three highest-risk workflows:

- release-pypi.yml: pushes packages to PyPI — highest-value target for supply-chain compromise; any secret exfiltration here affects millions of PyTorch users downstream.
- release-docker.yml: pulls from GHCR and pushes to Docker Hub under the pytorch/ namespace — same risk tier as PyPI publishing.
- _claude-code.yml: AI agent workflow with id-token:write, contents:read, pull-requests:write, issues:write, and AWS OIDC access to Bedrock. Open egress from an AI agent with write permissions is an especially sensitive surface; audit mode will immediately show if the Claude action or its deps try to reach unexpected endpoints.

All three are started in egress-policy: audit (not block) per best practice — switch to block after reviewing the audit logs and confirming the allowlist is complete. disable-sudo: true is set on all three.

Note: release-stage-pypi.yml and tflint.yml use container: jobs; harden-runner does not support container jobs and must be added separately once those jobs migrate off containers or via a host-level approach.

See https://github.com/jordanconway/package-manager-hardening for the full hardening methodology.

Signed-off-by: Jordan Conway <jconway@linuxfoundation.org>
@jordanconway is attempting to deploy a commit to the Meta Open Source Team on Vercel. A member of the Team first needs to authorize it.
Summary

Adds `step-security/harden-runner` (in audit mode) as the first step in the three highest-risk workflows in this repo. No existing behaviour is changed — audit mode only observes and logs; it does not block anything.

Workflows covered

- `release-pypi.yml`: Publishes Python packages to PyPI for torchvision, torchaudio, torchao, executorch, torchcodec, and torchTune. This is the highest-value target for a supply-chain compromise — any secret exfiltration here affects millions of downstream PyTorch users. Allowed-endpoints baseline: GitHub, AWS STS/S3 (for staging bucket), PyPI upload.
- `release-docker.yml`: Pulls CUDA Docker images from GHCR and re-tags/pushes them to Docker Hub under the `pytorch/` namespace. Same risk tier as PyPI publishing. Allowed-endpoints baseline: GHCR, Docker Hub auth + registry.
- `_claude-code.yml`: The centralised reusable Claude AI agent workflow used across pytorch and meta-pytorch orgs. It carries:
  - `id-token: write` (OIDC → AWS Bedrock)
  - `pull-requests: write` + `issues: write`
  - `contents: read`

  An AI agent workflow with open egress and write permissions is an especially sensitive surface. Audit mode will immediately show whether the `anthropics/claude-code-action` or any of its dependencies attempt to reach unexpected endpoints. Allowed-endpoints baseline: GitHub API, AWS STS, Bedrock runtime.

What's not covered here (and why)

- `release-stage-pypi.yml` (`container: pytorch/almalinux-builder:cpu`) — harden-runner does not support container jobs
- `tflint.yml` (`container: node:20`) — same limitation

Next steps after merge

- `allowed-endpoints` lists based on observed traffic
- `egress-policy` from `audit` → `block` once the allowlist is confirmed

This change is part of a broader supply-chain hardening effort following a repository audit. See https://github.com/jordanconway/package-manager-hardening for the full methodology.
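The two phases the PR description lays out (audit now, block after reviewing the logs), written out as an added example workflow. This is not the PR's own diff, which is not reproduced on this page: the action name and the `egress-policy`, `disable-sudo` and `allowed-endpoints` inputs are the ones the PR uses; the version pins (left as placeholders) and the hostnames in the allowlist are assumptions that would be replaced with the exact endpoints the audit run records.

```yaml
# Added example (not the PR's diff). Shows the same harden-runner step in the
# two phases the PR describes: audit mode now, block mode with an explicit
# allowlist once the audit logs have been reviewed. Version pins and hostnames
# are placeholders / assumptions, not values from the PR.
name: release-example

on:
  workflow_dispatch:

permissions:
  contents: read

jobs:
  # Phase 1 (what this PR does): observe only. Audit mode records every
  # outbound connection and any sudo use in the job summary; nothing is
  # blocked and existing behaviour is unchanged.
  publish-audit:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        # Placeholder: pin to a full commit SHA, not a floating tag.
        uses: step-security/harden-runner@<pinned-commit-sha>
        with:
          egress-policy: audit
          disable-sudo: true

      - uses: actions/checkout@<pinned-commit-sha>   # placeholder pin
      # ... build and publish steps go here, after the harden-runner step ...

  # Phase 2 (the PR's "next steps after merge"): same job, egress-policy
  # switched to block. Any connection to a host:port not in the list is
  # refused and reported, so a dependency that tries to reach an unexpected
  # endpoint fails visibly instead of exfiltrating silently.
  publish-blocked:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@<pinned-commit-sha>   # placeholder pin
        with:
          egress-policy: block
          disable-sudo: true
          # Assumed hostnames derived from the PR's "GitHub, AWS STS/S3,
          # PyPI upload" baseline. Replace with what the audit run observed.
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            sts.amazonaws.com:443
            upload.pypi.org:443

      - uses: actions/checkout@<pinned-commit-sha>   # placeholder pin
      # ... build and publish steps ...

  # Jobs that run inside `container:` (release-stage-pypi.yml, tflint.yml in
  # the PR) cannot use harden-runner, so no step is added here; those jobs
  # need a host-level approach or to migrate off containers first.
  stage-in-container:
    runs-on: ubuntu-latest
    container: <image>   # placeholder
    steps:
      - run: echo "harden-runner is not supported for container jobs"
```

The step has to be the first one in the job (before `actions/checkout`) so that egress from every later step, including third-party actions and their dependencies, is covered. Moving from `audit` to `block` is a separate change: the allowlist is built from the endpoints the audit summaries show the job actually using, and a `block` run whose list is incomplete fails the release rather than letting traffic through.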