feat: add more security

Author: romelgomez

.github/workflows/build.yml

@@ -10,16 +10,23 @@ on:
     branches:
       - main
 
-permissions: read-all
+permissions:
+  contents: read # Set minimal permissions
 
 jobs:
   build:
     runs-on: ubuntu-latest
+
     steps:
-      - uses: actions/checkout@v4
+      # Checkout code with SHA-pinned action and avoid persisting credentials
+      - name: Checkout code
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
+        with:
+          persist-credentials: false # Prevents PRs from gaining access to the repository token
+          ref: ${{ github.ref }} # Ensure the checkout uses the exact branch/commit that triggered the workflow
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@d60b41a563a30eac31c3ec623e6ff0b3f16e1a06
         with:
           go-version: 1.23.0
 
@@ -30,7 +37,11 @@ jobs:
         run: go run github.com/steebchen/prisma-client-go generate
 
       - name: Build
-        run: go build -v ./...
+        run: |
+          echo "Building the application..."
+          go build -v ./...
 
       - name: Test
-        run: go test -v ./...
+        run: |
+          echo "Running tests..."
+          go test -v ./...

.github/workflows/migrate.yml

@@ -1,23 +1,30 @@
 name: Prisma Migrations
 
 on:
-  workflow_dispatch: # Allows manually triggering migrations from the GitHub Actions UI
+  workflow_dispatch: # Allows manual triggering of migrations from the GitHub Actions UI
   push:
     branches:
       - main
     paths:
-      - "prisma/**" # Only trigger on changes to Prisma files or schema
+      - "prisma/**"  # Only trigger on changes to Prisma files or schema
 
-permissions: read-all
+permissions:
+  contents: read  # Limit permissions to read-only by default
 
 jobs:
   migrate:
     runs-on: ubuntu-latest
+    environment: production  # Ensure this matches your GitHub environment setup with protection rules
+
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # protects against any unintentional or malicious modifications
+        with:
+          persist-credentials: false # Prevent PRs from gaining access to the repository token
+          ref: ${{ github.ref }} # Ensure checkout uses the exact branch or commit that triggered the workflow
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@d60b41a563a30eac31c3ec623e6ff0b3f16e1a06
         with:
           go-version: 1.23.0
 
@@ -30,4 +37,14 @@ jobs:
       - name: Run Prisma Migrations
         env:
           DATABASE_URL: ${{ secrets.DATABASE_URL }}
-        run: go run github.com/steebchen/prisma-client-go migrate deploy
+        run: |
+          # Store the DATABASE_URL in a local variable to avoid exposing it directly
+          DB_URL="$DATABASE_URL"
+          
+          # Prevent potential injections by avoiding direct use of the environment variable
+          if [ -z "$DB_URL" ]; then
+            echo "DATABASE_URL is not set"
+            exit 1
+          fi
+          echo "Starting Prisma migrations..."
+          go run github.com/steebchen/prisma-client-go migrate deploy

CODEOWNERS

@@ -0,0 +1 @@
+.github/workflows/* @romelgomez