fix: harden GitHub Actions workflows against zizmor findings #3260
Open
migmartri wants to merge 2 commits into
Fix all high-severity and artipacked findings from zizmor audit:

- template-injection (6 high): route github.ref_name through env vars in release.yaml steps instead of inline interpolation in run blocks
- github-app (1 high): scope create-github-app-token permissions with permission-contents/permission-metadata inputs, upgrade to v3.2.0
- cache-poisoning (1 high): disable setup-go cache in release job
- artipacked (14 medium): add persist-credentials: false to all actions/checkout steps that don't need git push

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
Fix all 7 ref-version-mismatch findings from zizmor audit:

- lint.yml (3x): fix golangci-lint-action comment from 9.2.0 to v9.2.0
- scorecards.yml (2x): fix scorecard-action comment from v2.3.1 to v2.4.0 and upload-artifact comment from v3.1.3 to v4.3.3 (hashes were already correct, comments were stale)
- release.yaml: re-pin cosign-installer from a main branch commit to v3.2.0 (the closest stable tag after the pinned commit from Sept 2023)
- test.yml: re-pin ent/contrib/ci from a master branch commit to v0.5.0 (the closest stable tag after the pinned commit from Sept 2023)

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
matiasinsaurralde approved these changes Jul 4, 2026
Fixes all high-severity and artipacked findings (22 of 47) from a zizmor v1.26.1 audit of the GitHub Actions workflows.

High severity (8 findings)

Template injection (6) — release.yaml
The release workflow interpolates github.ref_name directly into run: blocks across 5 steps (SBOM upload, source code download, version bump scripts, release notes update). Tag names are not shell-sanitized and the release job holds contents: write / packages: write / id-token: write. Routed all occurrences through RELEASE_TAG env vars instead of inline ${{ }} expansion.

GitHub App token (1) — scm_configuration_check.yaml
actions/create-github-app-token was called without scoping permissions, so the minted token inherited the app's full installation permissions. Upgraded to v3.2.0 and added permission-contents: read / permission-metadata: read inputs.

Cache poisoning (1) — release.yaml
actions/setup-go had caching enabled by default in the publishing job. Set cache: false to eliminate the cache-poisoning vector for release builds.

Artipacked (14 findings)

Added persist-credentials: false to every actions/checkout step across 10 workflow files that does not require git push. The release job's checkout is also set to false since peter-evans/create-pull-request handles its own authentication via its token input.

Assisted-by: Claude Code
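The weak and hardened patterns the description covers, side by side, as an added example that is not part of this PR or of the project's own workflow files. The workflow, job and script names and the secret names are invented; the action inputs it uses (persist-credentials, cache, permission-contents, permission-metadata) are the ones named in the PR. Actions are referenced by major tag here for readability, whereas the project pins them to full commit SHAs with a version comment (that comment is what zizmor's ref-version-mismatch check compares against the hash).

```yaml
# Added example, not the project's workflow. Job names, script path and secret
# names are placeholders; action inputs are real.
name: release-example
on:
  push:
    tags: ["v*"]

permissions:
  contents: read

jobs:
  # BEFORE: the tag name is expanded by the Actions template engine straight into
  # the shell script, so a tag containing shell metacharacters is evaluated as
  # code, and this job holds write-capable tokens while that happens.
  release-before:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      packages: write
      id-token: write
    steps:
      - uses: actions/checkout@v4   # persist-credentials defaults to true: token lands in .git/config
      - uses: actions/setup-go@v5
        with:
          go-version: "1.22"        # cache defaults to true: a restored cache can be poisoned
      - run: |
          echo "releasing ${{ github.ref_name }}"
          ./scripts/bump-version.sh ${{ github.ref_name }}   # placeholder script

  # AFTER: the ref is bound to an environment variable; the shell receives it as
  # a plain value and never parses it as script. Credentials are not persisted
  # in the checkout and the build cache is disabled for the publishing job.
  release-after:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      packages: write
      id-token: write
    env:
      RELEASE_TAG: ${{ github.ref_name }}
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-go@v5
        with:
          go-version: "1.22"
          cache: false
      - run: |
          echo "releasing $RELEASE_TAG"
          ./scripts/bump-version.sh "$RELEASE_TAG"   # placeholder script; value is quoted

  # GitHub App token minted with only the permissions this job needs, instead of
  # inheriting the app's full installation permissions.
  scm-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/create-github-app-token@v3
        id: app-token
        with:
          app-id: ${{ secrets.APP_ID }}                 # placeholder secret name
          private-key: ${{ secrets.APP_PRIVATE_KEY }}   # placeholder secret name
          permission-contents: read
          permission-metadata: read
      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}
          persist-credentials: false
```

The first job carries the patterns the description reports as template-injection, artipacked and cache-poisoning; the second removes each one without changing what the job does, and the third shows the scoped App token. Re-running zizmor over the workflow directory (zizmor .github/workflows) is the check to repeat after a change like this, since the env-var indirection only helps if every run: block that used the inline expression was converted.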