From f6fccb4b6c7385dc606bb6eb0ae2cbb385846ebc Mon Sep 17 00:00:00 2001 From: vibhutikumar <160819926+vibhutikumar07@users.noreply.github.com> Date: Wed, 6 May 2026 20:16:26 +0530 Subject: [PATCH 1/3] Added fork detection (if: github.repository == 'cap-java/sdm') to prevent forks from running --- .github/workflows/cfdeploy.yml | 10 ++++++++-- .github/workflows/internalArticatory.yml | 2 ++ .github/workflows/main-build-and-deploy-oss.yml | 15 +++++++++++++++ .github/workflows/main-build.yml | 2 ++ .github/workflows/multiTenancyDeployLocal.yml | 3 +++ .../multiTenant_deploy_and_Integration_test.yml | 5 ++++- ..._deploy_and_Integration_test_LatestVersion.yml | 7 +++++-- .../singleTenant_deploy_and_Integration_test.yml | 5 ++++- ..._deploy_and_Integration_test_LatestVersion.yml | 6 ++++-- .../workflows/singleTenant_integration_test.yml | 5 +++++ 10 files changed, 52 insertions(+), 8 deletions(-) diff --git a/.github/workflows/cfdeploy.yml b/.github/workflows/cfdeploy.yml index d15aedadc..db2f3f909 100644 --- a/.github/workflows/cfdeploy.yml +++ b/.github/workflows/cfdeploy.yml @@ -33,7 +33,10 @@ permissions: jobs: Deploy: runs-on: ubuntu-latest - if: ${{ github.event.inputs.workflow_choice == 'Deploy' }} + # Security: Only run Deploy in original repo, not forks + if: | + github.repository == 'cap-java/sdm' && + github.event.inputs.workflow_choice == 'Deploy' steps: - name: Checkout repository 📁 @@ -129,7 +132,10 @@ jobs: SnapshotDeploy: runs-on: ubuntu-latest - if: ${{ github.event.inputs.workflow_choice == 'Snapshot Deploy' }} + # Security: Only run Snapshot Deploy in original repo, not forks + if: | + github.repository == 'cap-java/sdm' && + github.event.inputs.workflow_choice == 'Snapshot Deploy' steps: - name: Checkout repository 📁 diff --git a/.github/workflows/internalArticatory.yml b/.github/workflows/internalArticatory.yml index 5d3bf0150..f6a500386 100644 --- a/.github/workflows/internalArticatory.yml +++ b/.github/workflows/internalArticatory.yml 
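Review bot: The comment `# Security: Only run Deploy in original repo, not forks` overstates what the gate buys for a `workflow_dispatch` job such as `Deploy` (and `SnapshotDeploy` in the second hunk): a fork never receives this repository's secrets, so `github.repository == 'cap-java/sdm'` mainly keeps a fork owner's manual dispatch from running and failing in their own fork rather than protecting upstream credentials. Hard-coding the full name also means a repository rename or transfer silently turns every deploy job into a green "skipped" result, because a false `if` is not a failure; a comment such as `# NOTE: update this repository name if the repo is renamed or transferred` next to the check (or once in the repository docs) would make that failure mode visible. The same hard-coded check is added in internalArticatory.yml, main-build-and-deploy-oss.yml, main-build.yml, multiTenancyDeployLocal.yml and singleTenant_integration_test.yml. Both job bodies here continue outside the hunk.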
@@ -14,6 +14,8 @@ on: jobs: build-and-deploy-artifactory: runs-on: ubuntu-latest + # Security: Only run in original repo, not forks + if: github.repository == 'cap-java/sdm' permissions: contents: read steps: diff --git a/.github/workflows/main-build-and-deploy-oss.yml b/.github/workflows/main-build-and-deploy-oss.yml index 30661c4f3..fcc9f7057 100644 --- a/.github/workflows/main-build-and-deploy-oss.yml +++ b/.github/workflows/main-build-and-deploy-oss.yml @@ -8,10 +8,16 @@ on: release: types: [ "released" ] +permissions: + contents: write + packages: write + jobs: update-version: runs-on: ubuntu-latest + # Security: Only run in original repo, not forks + if: github.repository == 'cap-java/sdm' #needs: blackduck steps: @@ -87,6 +93,15 @@ jobs: name: Deploy to Maven Central runs-on: ubuntu-latest needs: build + # Security: Only run in original repo, not forks + if: github.repository == 'cap-java/sdm' + # Require manual approval before deploying to Maven Central + environment: + name: maven-central-production + url: https://central.sonatype.com/ + permissions: + contents: read + packages: write steps: - name: Download artifact uses: actions/download-artifact@v7 diff --git a/.github/workflows/main-build.yml b/.github/workflows/main-build.yml index c031f2f41..3e0111907 100644 --- a/.github/workflows/main-build.yml +++ b/.github/workflows/main-build.yml @@ -32,6 +32,8 @@ jobs: name: Update version runs-on: ubuntu-latest needs: [ build ] + # Security: Only run in original repo, not forks + if: github.repository == 'cap-java/sdm' permissions: contents: write packages: write diff --git a/.github/workflows/multiTenancyDeployLocal.yml b/.github/workflows/multiTenancyDeployLocal.yml index 2cb1e8eac..3c2d27444 100644 --- a/.github/workflows/multiTenancyDeployLocal.yml +++ b/.github/workflows/multiTenancyDeployLocal.yml 
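Review bot: The new top-level `permissions:` block with `contents: write` and `packages: write` in main-build-and-deploy-oss.yml applies to every job that does not declare its own block, so `build` (defined outside the hunk) inherits write-capable tokens even if it only compiles and uploads an artifact; the second hunk in this file already shows the intended per-job scoping for the Maven Central job. Prefer a read-only default at the top, `permissions:` / `  contents: read`, and grant `contents: write` plus `packages: write` on `update-version` and on whichever other job actually pushes. Whether `build` needs any write scope cannot be confirmed from this hunk.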
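Review bot: The comment `# Require manual approval before deploying to Maven Central` describes a repository setting, not something this YAML enforces: the `environment: maven-central-production` reference only gates the job if that environment exists with required reviewers (and ideally deployment-branch restrictions) configured in the repository settings; otherwise the job runs unattended. Suggest wording it so the dependency is explicit, e.g. `# Approval gate: relies on required reviewers being configured on the maven-central-production environment`. It is also worth confirming that the credentials used by the deploy steps (outside the hunk) are environment-scoped rather than repository-scoped, since that is what makes the gate meaningful. The `packages: write` grant may be unnecessary if the job publishes only to Maven Central; that cannot be told from the hunk.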
@@ -18,11 +18,14 @@ on: default: '' permissions: + contents: read pull-requests: read packages: read # Added permission to read packages jobs: deploy: + # Security: Only run in original repo, not forks + if: github.repository == 'cap-java/sdm' runs-on: ubuntu-latest steps: diff --git a/.github/workflows/multiTenant_deploy_and_Integration_test.yml b/.github/workflows/multiTenant_deploy_and_Integration_test.yml index d658af729..e4b031ffa 100644 --- a/.github/workflows/multiTenant_deploy_and_Integration_test.yml +++ b/.github/workflows/multiTenant_deploy_and_Integration_test.yml @@ -15,7 +15,10 @@ permissions: jobs: deploy: - if: github.event.pull_request.merged == true + # Security: Only run if PR merged AND not from a fork + if: | + github.event.pull_request.merged == true && + github.event.pull_request.head.repo.full_name == github.repository runs-on: ubuntu-latest steps: diff --git a/.github/workflows/multiTenant_deploy_and_Integration_test_LatestVersion.yml b/.github/workflows/multiTenant_deploy_and_Integration_test_LatestVersion.yml index e00f7fe3c..f3908c3c4 100644 --- a/.github/workflows/multiTenant_deploy_and_Integration_test_LatestVersion.yml +++ b/.github/workflows/multiTenant_deploy_and_Integration_test_LatestVersion.yml @@ -10,13 +10,16 @@ on: workflow_dispatch: permissions: + contents: read pull-requests: read packages: read # Added permission to read packages jobs: deploy: - #Run only if the triggering workflow concluded successfully - if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }} + # Security: Run only if workflow succeeded AND not from a fork + if: | + github.repository == 'cap-java/sdm' && + (github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch') runs-on: ubuntu-latest steps: diff --git a/.github/workflows/singleTenant_deploy_and_Integration_test.yml b/.github/workflows/singleTenant_deploy_and_Integration_test.yml index 341798b99..722a2ba4c 100644 
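Review bot: The new clause `github.event.pull_request.head.repo.full_name == github.repository` in multiTenant_deploy_and_Integration_test.yml does not add the protection its comment claims: a job gated on `merged == true` runs after a maintainer has already merged the PR into this repository, so the code executing is what is already on the target branch and the run has this repository's secrets regardless of where the PR branch originated. Its practical effect is to skip the integration test and deploy for any contribution merged from a fork (and `head.repo` is null when the fork has since been deleted, which also evaluates false), leaving those merges untested. If the intent is only to keep forks of this repository from running the workflow, `github.repository == 'cap-java/sdm'`, the check used in the other workflows of this commit, is the consistent choice; if skipping fork-origin merges is deliberate, the comment should say so. The same clause is added to singleTenant_deploy_and_Integration_test.yml in the next hunk. The trigger definition is outside the hunk, so this assumes a `pull_request` `closed` event.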
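Review bot: For the `workflow_run` path in multiTenant_deploy_and_Integration_test_LatestVersion.yml the comment `# Security: Run only if workflow succeeded AND not from a fork` is not backed by the condition: `workflow_run` events always execute in this repository's context with its secrets, so `github.repository == 'cap-java/sdm'` is true whether or not the triggering workflow ran for a fork-originated pull request. If the upstream workflow can be triggered by `pull_request` from forks, origin has to be checked on the event payload, e.g. `(github.event_name == 'workflow_dispatch' || github.event.workflow_run.head_repository.full_name == github.repository)`, which also keeps manual dispatch working because the `workflow_run` fields are null then. The triggering workflow's `on:` block is not visible here, so this needs confirming against it. The same condition is introduced in singleTenant_deploy_and_Integration_test_LatestVersion.yml.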
--- a/.github/workflows/singleTenant_deploy_and_Integration_test.yml +++ b/.github/workflows/singleTenant_deploy_and_Integration_test.yml @@ -14,7 +14,10 @@ permissions: jobs: deploy: - if: github.event.pull_request.merged == true + # Security: Only run if PR merged AND not from a fork + if: | + github.event.pull_request.merged == true && + github.event.pull_request.head.repo.full_name == github.repository runs-on: ubuntu-latest steps: diff --git a/.github/workflows/singleTenant_deploy_and_Integration_test_LatestVersion.yml b/.github/workflows/singleTenant_deploy_and_Integration_test_LatestVersion.yml index 1c606ef18..838089ed3 100644 --- a/.github/workflows/singleTenant_deploy_and_Integration_test_LatestVersion.yml +++ b/.github/workflows/singleTenant_deploy_and_Integration_test_LatestVersion.yml @@ -16,8 +16,10 @@ permissions: jobs: deploy: - # Run only if the triggering workflow concluded successfully - if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }} + # Security: Run only if workflow succeeded AND not from a fork + if: | + github.repository == 'cap-java/sdm' && + (github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch') runs-on: ubuntu-latest steps: diff --git a/.github/workflows/singleTenant_integration_test.yml b/.github/workflows/singleTenant_integration_test.yml index 789747145..55f034257 100644 --- a/.github/workflows/singleTenant_integration_test.yml +++ b/.github/workflows/singleTenant_integration_test.yml @@ -11,8 +11,13 @@ on: description: 'Specify the branch to use for integration tests' required: true +permissions: + contents: read + jobs: integration-test: + # Security: Only run in original repo, not forks + if: github.repository == 'cap-java/sdm' runs-on: ubuntu-latest strategy: fail-fast: false From 8b6b9ca5e58f4c6976419d4b6ef563a3a304236a Mon Sep 17 00:00:00 2001 
From: vibhutikumar <160819926+vibhutikumar07@users.noreply.github.com> Date: Wed, 6 May 2026 20:45:15 +0530 Subject: [PATCH 2/3] Added codeowner review for .github folder --- .github/CODEOWNERS | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .github/CODEOWNERS diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 000000000..83951e60d --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,14 @@ +# Code Owners - Security Protection +# Any changes to .github folder require approval from these users +# This enforces that workflow/action changes must be reviewed + +# GitHub workflows and actions - Require security team approval +/.github/workflows/ @vibhutikumar07 @yashmeet29 +/.github/actions/ @vibhutikumar07 @yashmeet29 + + + +# All other .github files +/.github/ @vibhutikumar07 @yashmeet29 + From 09b5b3e68e649d50e87afc48c248de18f9108b33 Mon Sep 17 00:00:00 2001 From: vibhutikumar <160819926+vibhutikumar07@users.noreply.github.com> Date: Wed, 6 May 2026 20:54:08 +0530 Subject: [PATCH 3/3] Update CODEOWNERS --- .github/CODEOWNERS | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 83951e60d..bd62cc701 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -6,9 +6,6 @@ /.github/workflows/ @vibhutikumar07 @yashmeet29 /.github/actions/ @vibhutikumar07 @yashmeet29 - - # All other .github files /.github/ @vibhutikumar07 @yashmeet29
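Review bot: The header comment `# This enforces that workflow/action changes must be reviewed` in the new CODEOWNERS overstates what the file does: CODEOWNERS only requests reviewers, and it blocks merges only when branch protection or a ruleset on the protected branches has "Require review from Code Owners" enabled. Suggest `# Enforcement requires "Require review from Code Owners" in branch protection/rulesets`. Naming two individuals rather than a team (`@ORG/TEAM-PLACEHOLDER`) means coverage lapses silently if either account leaves the organization, and since all three entries list the same owners the `/.github/workflows/` and `/.github/actions/` lines are currently redundant with `/.github/` (the last matching pattern takes precedence). The follow-up patch in this series only removes blank lines.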