Harden GitHub Actions workflows per zizmor audit #187
Merged
- Pin every third-party action to a commit SHA (latest tagged release within its current major). Tag noted in trailing comment so future bumps stay reviewable.
- Set persist-credentials: false on every actions/checkout invocation so the default GITHUB_TOKEN isn't left in the worktree for later steps to exfiltrate via artifacts or environment files.
- Drop release.yml workflow-level contents: write to contents: read and re-grant contents: write only on the release job that publishes.
- Add an explicit permissions: contents: read block to test-install.yml, which previously inherited overly broad default token permissions.

Resolves all zizmor errors and warnings; only an info-level suggestion to replace softprops/action-gh-release with a `gh release` script step remains, which is out of scope for this hardening pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- actions/checkout v4.3.1 → v6.0.2 (de0fac2e)
- actions/upload-artifact v4.6.2 → v7.0.1 (043fb46d)
- actions/download-artifact v4.3.0 → v8.0.1 (3e5f45b2)

v6 of checkout, v7 of upload-artifact, and v7+ of download-artifact run on Node.js 24 and require Actions Runner ≥ 2.327.1, which the GitHub-hosted runners satisfy. download-artifact v8 also enforces hash checks by default — we want that.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ac00cce to 36f8fe2
`gh` is pre-installed on every GitHub-hosted runner, so dropping the third-party action removes one external dependency from the release path. Tag and token come in via env vars (not direct expression expansion) to avoid the template-injection class of finding.

Clears the last remaining zizmor info-level finding; the audit now reports zero findings.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
iskakaushik approved these changes May 18, 2026
Summary

Runs `zizmor` over `.github/workflows/` and addresses every finding. No functional CI changes — purely supply-chain hardening.

- `actions/checkout` → `de0fac2e4500dabe0009e67214ff5f5447ce83dd` (v6.0.2)
- `actions/upload-artifact` → `043fb46d1a93c77aae656e7c1c64a875d1fc6a0a` (v7.0.1)
- `actions/download-artifact` → `3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c` (v8.0.1)
- `Swatinem/rust-cache` → `e18b497796c12c097a38f9edb9d0641fb99eee32` (v2.9.1)
- `dtolnay/rust-toolchain` → `29eef336d9b2848a0b548edc03f92a220660cdb8` (stable branch @ 2026-03-27)
- `softprops/action-gh-release` in favour of a `gh release create` script step. `gh` is pre-installed on every GitHub-hosted runner, so removing the third-party action shrinks the release path's external dependency surface. Tag and token are passed via env vars rather than direct `${{ }}` expression expansion to keep us out of the template-injection class of issues.
- `persist-credentials: false` on every `actions/checkout` invocation. None of these jobs push via the default `GITHUB_TOKEN`, so leaving it in the worktree only widens the blast radius if a later step is compromised.
- `release.yml`: drop workflow-level `contents: write` to `contents: read`; grant `contents: write` only on the `release` job that publishes.
- `test-install.yml`: add an explicit workflow-level `permissions: contents: read` block — previously the workflow inherited overly broad default token permissions.

The `checkout` v6 / `upload-artifact` v7 / `download-artifact` v7+ majors all require Actions Runner ≥ 2.327.1 (Node.js 24); GitHub-hosted runners satisfy this. `download-artifact` v8 also now defaults to erroring on artifact hash mismatch, which is the secure default we want.

zizmor result after this PR

Merge cleanliness with open PRs

Only three open PRs touch any workflow file, and all touch only `cloud-integration.yml`:

`cloud-integration.yml` against `main` (predates this PR); this hardening does not introduce any additional workflow conflict.

The other 12 open PRs don't touch `.github/workflows/` at all.

Test plan

- `zizmor .github/workflows` reports zero findings on the branch
- `release.yml` is verified by the next tag push; behavioural changes are (a) the permissions split (`release` job retains `contents: write`) and (b) `gh release create` replacing `softprops/action-gh-release` — same inputs (auto-generated notes + `release/*` files)

🤖 Generated with Claude Code
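
The four hardening points in this PR (SHA pinning, `persist-credentials: false`, least-privilege `permissions`, and env vars instead of `${{ }}` inside `run`) shown as a small checker run over a weak and a hardened workflow fragment. This is an added example, not code from the PR, the repository or zizmor; both fragments are constructed, the checker is line-based rather than a YAML parser, and only the `actions/checkout` SHA is taken from the PR description.

```python
import re

SHA_PIN = re.compile(r"^[\w./-]+@[0-9a-f]{40}$")

# Constructed workflow fragments for illustration; not the repository's files.
WEAK = """\
jobs:
  release:
    steps:
      - uses: actions/checkout@v4
      - uses: softprops/action-gh-release@v2
      - run: gh release create "${{ github.ref_name }}" release/*
"""

HARDENED = """\
permissions:
  contents: read
jobs:
  release:
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - run: gh release create "$TAG" release/* --generate-notes
        env:
          TAG: ${{ github.ref_name }}
          GH_TOKEN: ${{ github.token }}
"""

def audit(workflow):
    # Crude text checks: splits on list items, inspects single-line run: only.
    found = []
    if not re.search(r"^permissions:", workflow, re.M):
        found.append("no workflow-level permissions")
    for step in re.split(r"\n\s*- ", workflow)[1:]:
        uses = re.search(r"^\s*uses:\s*(\S+)", step, re.M)
        if uses:
            ref = uses.group(1)
            if not ref.startswith("./") and not SHA_PIN.match(ref):
                found.append(f"unpinned: {ref}")
            if ref.startswith("actions/checkout@") and "persist-credentials: false" not in step:
                found.append("checkout persists credentials")
        run = re.search(r"^\s*run:(.*)", step, re.M)
        if run and "${{" in run.group(1):
            found.append("expression expanded inside run")
    return found
```

In the hardened fragment the expression is expanded into `env`, so the shell sees `$TAG` as data rather than as text spliced into the script.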