Background
Following the April 2026 Bitwarden CLI compromise — the latest instalment of the ongoing Shai-Hulud / Checkmarx supply chain campaign — this issue captures hardening items for JIM's CI/CD pipeline. The campaign self-replicates by stealing GitHub tokens from compromised npm packages and writing malicious workflow files (`shai-hulud-workflow.yml`) into every repo the token can reach.
JIM's current posture is strong (SHA-pinned actions throughout, minimal `permissions:` blocks, no `pull_request_target` / `workflow_run` triggers, no npm supply chain in production paths, CodeQL scanning of workflows), but there are residual hardening opportunities worth addressing.
Hardening checklist
Require approval for first-time contributors on Actions
Confirm Settings → Actions → General → "Require approval for all outside collaborators" (or stricter) is enabled. Primary defence against a drive-by fork PR that modifies a workflow file to exfiltrate secrets.
Tag-creation ruleset on `v*`
The release workflow triggers on `push` of `v*` tags and can publish Docker images to ghcr.io and the PowerShell module to PSGallery. Restrict who can push release tags (ruleset scoped to `refs/tags/v*`) and require signed commits on the `VERSION` bump commit.
Environment protection for PSGallery publish
Put `PSGALLERY_API_KEY` behind a GitHub deployment environment with required reviewers. The `publish-powershell` job in release.yml would then require an approver before publish. Costs nothing operationally; stops a hijacked tag push from auto-publishing to PSGallery.
Extend artifact attestations beyond Docker images
Docker images already get SLSA provenance and SBOM attestations via `actions/attest-build-provenance`. Extend the same treatment to the release bundle (`jim-release-.tar.gz`) and the PowerShell module. See Artifact attestations — GitHub Docs.
Document the stolen-PAT threat in the threat model
Add a short section to `engineering/DEVELOPER_GUIDE.md` (or the security section) covering: developer laptops holding JIM-scoped PATs should use fine-grained tokens with least privilege (avoid broad `repo` + `workflow` scope on classic PATs); prefer SSH keys for git access; and do not reuse PATs across personal and JIM work. Unrelated npm tooling on a dev laptop is the most likely exfiltration path for a stolen JIM token.
Dependabot action-bump review procedure
When Dependabot opens a `github-actions` ecosystem bump, verify the new commit SHA against the upstream action's release page (not just the tag). Update the `/review-dependabot` skill (or add a note to `engineering/DEVELOPER_GUIDE.md`) to call this out explicitly. Rationale: the Shai-Hulud vector is a tag swap; SHA pinning defeats it only if the SHA we pin to is genuinely the one the maintainer intended.
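A first-pass check for this procedure, as an added example rather than JIM's own tooling: it compares each `uses:` pin in a workflow with the commit that `git ls-remote --tags` reports for the tag named in the trailing version comment, using the peeled `^{}` entry for annotated tags. The action name, SHAs and sample text are constructed, and the `# vX.Y.Z` comment after each pin is an assumed convention.

```python
import re

# "uses: owner/repo[/subpath]@<ref>  # <tag>" with the trailing version comment.
USES_RE = re.compile(r"uses:[ \t]*(?P<action>[\w.-]+/[\w.-]+)(?:/[^@\s]+)?"
                     r"@(?P<ref>\S+)(?:[ \t]*#[ \t]*(?P<tag>\S+))?")
SHA_RE = re.compile(r"[0-9a-f]{40}")

def parse_ls_remote(output):
    """Map tag -> commit SHA from `git ls-remote --tags <repo-url>` output.

    An annotated tag is listed twice: the tag object, then a peeled "^{}"
    line carrying the commit. The peeled commit is the one a workflow pins."""
    tags = {}
    for line in output.strip().splitlines():
        sha, ref = line.split()
        name = ref.removeprefix("refs/tags/")
        if name.endswith("^{}"):
            tags[name[:-3]] = sha
        else:
            tags.setdefault(name, sha)
    return tags

def check_pins(workflow_text, upstream):
    """Return (action, problem) for every `uses:` pin that fails verification.

    `upstream` maps "owner/repo" -> result of parse_ls_remote for that repo."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        action, ref, tag = m["action"], m["ref"], m["tag"]
        known = upstream.get(action, {})
        if not SHA_RE.fullmatch(ref):
            findings.append((action, f"not pinned to a full commit SHA: {ref}"))
        elif tag is None:
            findings.append((action, "no version comment to verify against"))
        elif tag not in known:
            findings.append((action, f"tag {tag} not found upstream"))
        elif known[tag] != ref:
            findings.append((action, f"SHA does not match upstream {tag}"))
    return findings

# Constructed sample data: hypothetical action name, placeholder SHAs.
COMMIT, TAG_OBJECT, OLD = "a" * 40, "b" * 40, "c" * 40
SAMPLE_LS_REMOTE = (f"{TAG_OBJECT}\trefs/tags/v2.1.0\n"
                    f"{COMMIT}\trefs/tags/v2.1.0^{{}}\n"
                    f"{OLD}\trefs/tags/v2.0.0\n")
SAMPLE_WORKFLOW = (f"- uses: example-org/setup-tool@{COMMIT} # v2.1.0\n"
                   f"- uses: example-org/setup-tool@{TAG_OBJECT} # v2.1.0\n"
                   f"- uses: example-org/setup-tool@v2\n")

if __name__ == "__main__":
    tags = {"example-org/setup-tool": parse_ls_remote(SAMPLE_LS_REMOTE)}
    for action, problem in check_pins(SAMPLE_WORKFLOW, tags):
        print(f"{action}: {problem}")
```

A clean result only shows that the pin equals what the tag points at now, so the release-page comparison stays a manual reviewer step.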
Reference