Skip to content

fix: harden GitHub Actions workflows against zizmor findings#3260

Open
migmartri wants to merge 2 commits into
chainloop-dev:mainfrom
migmartri:fix/ci-zizmor-high-and-artipacked
Open

fix: harden GitHub Actions workflows against zizmor findings#3260
migmartri wants to merge 2 commits into
chainloop-dev:mainfrom
migmartri:fix/ci-zizmor-high-and-artipacked

Conversation

@migmartri

@migmartri migmartri commented Jul 3, 2026

Copy link
Copy Markdown
Member

Fixes all high-severity and artipacked findings (22 of 47) from a zizmor v1.26.1 audit of the GitHub Actions workflows.

High severity (8 findings)

Template injection (6)release.yaml
The release workflow interpolates github.ref_name directly into run: blocks across 5 steps (SBOM upload, source code download, version bump scripts, release notes update). Tag names are not shell-sanitized and the release job holds contents: write / packages: write / id-token: write. Routed all occurrences through RELEASE_TAG env vars instead of inline ${{ }} expansion.

GitHub App token (1)scm_configuration_check.yaml
actions/create-github-app-token was called without scoping permissions, so the minted token inherited the app's full installation permissions. Upgraded to v3.2.0 and added permission-contents: read / permission-metadata: read inputs.

Cache poisoning (1)release.yaml
actions/setup-go had caching enabled by default in the publishing job. Set cache: false to eliminate the cache-poisoning vector for release builds.

Artipacked (14 findings)

Added persist-credentials: false to every actions/checkout step across 10 workflow files that does not require git push. The release job's checkout is also set to false since peter-evans/create-pull-request handles its own authentication via its token input.

Assisted-by: Claude Code

Review in cubic

Fix all high-severity and artipacked findings from zizmor audit:

- template-injection (6 high): route github.ref_name through env vars
  in release.yaml steps instead of inline interpolation in run blocks
- github-app (1 high): scope create-github-app-token permissions with
  permission-contents/permission-metadata inputs, upgrade to v3.2.0
- cache-poisoning (1 high): disable setup-go cache in release job
- artipacked (14 medium): add persist-credentials: false to all
  actions/checkout steps that don't need git push

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 10 files

Re-trigger cubic

@migmartri migmartri requested a review from a team July 3, 2026 09:07
Fix all 7 ref-version-mismatch findings from zizmor audit:

- lint.yml (3x): fix golangci-lint-action comment from 9.2.0 to v9.2.0
- scorecards.yml (2x): fix scorecard-action comment from v2.3.1 to v2.4.0
  and upload-artifact comment from v3.1.3 to v4.3.3 (hashes were already
  correct, comments were stale)
- release.yaml: re-pin cosign-installer from a main branch commit to
  v3.2.0 (the closest stable tag after the pinned commit from Sept 2023)
- test.yml: re-pin ent/contrib/ci from a master branch commit to v0.5.0
  (the closest stable tag after the pinned commit from Sept 2023)

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants