Docs Supply-chain hardening
Supply-chain hardening
Baseline GitHub-repo security hygiene every project ships — least-privilege workflows, pinned actions, branch protection, a SECURITY.md, and signed releases.
Every project ships the same baseline of repository security hygiene. These are generic,
project-agnostic measures — most of them repo configuration rather than application code —
that together close the common supply-chain gaps and raise a repository’s
OpenSSF Scorecard. The canonical machine copy of this
standard is in the repository at hub/standards/supply-chain-hardening.md.
The measures
- Least-privilege workflows. Every GitHub Actions workflow declares
permissions: contents: readat the top level and elevates only in the individual job that genuinely needs write access. - Pinned actions. Third-party actions are pinned to a full commit SHA, not a moving tag, so a compromised upstream tag cannot silently change what runs.
SECURITY.md. A real, accurate disclosure policy — how to report a vulnerability, what is in scope, what response to expect.- Branch protection. The stable branch is protected; releases land through a pull request rather than a direct push. This is what makes the PR-based release path in the git workflow the canonical one.
- Dependabot. Enabled and pointed at the working branch, so update pull requests follow the branch model instead of piling onto the default branch.
- Signed releases. Release assets are signed (keyless Sigstore bundles), so a downloaded binary can be verified back to the workflow that built it.
Why it is a shared standard
Every one of these was learned once, on one project, and would otherwise have to be rediscovered on the next. Lifting them into the hub means a new repository inherits the whole posture on day one, and an audit can check every node against the same list.