Skip to content

Add security automation to CI: workflow hardening, Dependabot, dependency review, CodeQL, wrapper validation #215

Open
Open
Add security automation to CI: workflow hardening, Dependabot, dependency review, CodeQL, wrapper validation#215

Description

@dipenpradhan
dipenpradhan
opened on Jun 7, 2026

Summary

The repo has CI for building/releasing but no security automation. As a popular public showcase repo (6k+ stars, frequently forked and copied), supply-chain and workflow hardening matter beyond the app itself. Below is a concrete, prioritized proposal of GitHub-native security automation that fits this project — all free for public repos.

1. Workflow hardening (highest value, zero new infra)

Findings in the current workflows:

  • master-apk-create.yml uses marvinpinto/action-automatic-releases@latest — a third-party action that is archived/unmaintained, referenced by a mutable tag, and receives GITHUB_TOKEN. Any compromise of that tag executes arbitrary code with the token. Replace with softprops/action-gh-release (or gh release CLI) and pin to a commit SHA.
  • No permissions: blocks on android.yml, build.yml, master-apk-create.yml — they inherit the default (potentially write-all) token. Builds need only permissions: contents: read (the release job additionally contents: write).
  • Recommend pinning all third-party actions to full commit SHAs (actions/* to tags is generally acceptable; SHAs are stricter).

2. Dependabot (.github/dependabot.yml)

With #189 (version catalog) merged, Dependabot understands gradle/libs.versions.toml natively:

version: 2
updates:
  - package-ecosystem: gradle
    directory: /
    schedule: { interval: weekly }
  - package-ecosystem: github-actions
    directory: /
    schedule: { interval: weekly }

This delivers both security updates for vulnerable libraries and routine version bumps for the catalog and the workflow actions.

3. Dependency Review on PRs

actions/dependency-review-action comments on PRs that introduce dependencies with known CVEs or unwanted licenses:

name: Dependency review
on: [pull_request]
permissions: { contents: read }
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4

4. CodeQL code scanning

CodeQL supports Kotlin/Java. A standard github/codeql-action workflow on push/PR + weekly cron gives static analysis findings in the Security tab. For a demo app the finding rate will be low, but it also scans the workflow files themselves (actions queries) and is free.

5. Gradle wrapper validation

The repo ships gradle-wrapper.jar binaries. gradle/actions/wrapper-validation@v4 verifies their checksums against official Gradle releases on every PR — a tampered wrapper JAR is a classic supply-chain attack on Android repos, and reviewers cannot eyeball a JAR diff.

6. Repo settings (no workflow needed)

  • Enable secret scanning + push protection (Settings → Code security). The build expects an apiKey in local.properties; push protection catches contributors accidentally committing real keys.
  • Optionally enable private vulnerability reporting so researchers can report issues non-publicly.

Suggested rollout order

  1. Workflow hardening + wrapper validation (small PRs, immediate risk reduction)
  2. Dependabot config (after Enhancement: Migrate to Gradle Version Catalog (libs.versions.toml) #189 merges, so it watches the catalog)
  3. Dependency review + CodeQL
  4. Repo settings toggles (maintainer-only, no PR possible)

Happy to send PRs for items 1–3 if this direction looks good.

🤖 Generated with Claude Code

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions