Skip to content

Commit e522bdd

Browse files
authored
fix(ci): add persist-credentials: false and zizmor pedantic config (#69)
## Summary This patch series addresses GitHub Actions security findings in `chainguard-dev/clog` as part of the PSEC-923 hardening campaign. ## Patches ### 0001 — `fix(ci): add persist-credentials: false to checkout steps` Adds `persist-credentials: false` to the `actions/checkout` step in: - `.github/workflows/go.yml` — build/test job; no downstream git write operations The `zizmor.yaml` and `actionlint.yaml` workflows already had `persist-credentials: false` on their checkout steps. This patch completes coverage for the remaining workflow. Resolves: 1 `artipacked` finding (zizmor) ### 0002 — `fix(ci): add pedantic persona and suppress noisy zizmor rules` - Creates `.github/zizmor.yml` disabling three pedantic-only rules that have no direct security value (`anonymous-definition`, `concurrency-limits`) and configuring `dependabot-cooldown` to use a 3-day threshold. - Updates `.github/workflows/zizmor.yaml` to run zizmor with `persona: pedantic` so that all template expansions in `run:` blocks are checked, not just attacker-controlled ones. - Extends the `paths:` trigger in `zizmor.yaml` to include `.github/zizmor.yml` and `.github/dependabot.yml`, so that changes to those files trigger the zizmor check. Resolves: 3 `concurrency-limits` findings, 1 `anonymous-definition` finding, 2 `dependabot-cooldown` findings (all suppressed via config) ## Testing - Validate that the zizmor workflow runs on PRs touching `.github/zizmor.yml` and `.github/dependabot.yml`. - Confirm zizmor passes in pedantic mode with the new `.github/zizmor.yml` suppression config in place. Refs: PSEC-923
1 parent a29ba66 commit e522bdd

3 files changed

Lines changed: 16 additions & 0 deletions

File tree

.github/workflows/go.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,8 @@ jobs:
2424
egress-policy: audit
2525

2626
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
27+
with:
28+
persist-credentials: false
2729

2830
- name: Set up Go
2931
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0

.github/workflows/zizmor.yaml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,11 +9,15 @@ on:
99
paths:
1010
- '.github/workflows/**'
1111
- '.github/actions/**'
12+
- '.github/zizmor.yml'
13+
- '.github/dependabot.yml'
1214
push:
1315
branches: ['main']
1416
paths:
1517
- '.github/workflows/**'
1618
- '.github/actions/**'
19+
- '.github/zizmor.yml'
20+
- '.github/dependabot.yml'
1721

1822
permissions: {}
1923

@@ -42,3 +46,5 @@ jobs:
4246

4347
- name: Run zizmor
4448
uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
49+
with:
50+
persona: pedantic

.github/zizmor.yml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
rules:
2+
dependabot-cooldown:
3+
config:
4+
days: 3
5+
anonymous-definition:
6+
disable: true
7+
concurrency-limits:
8+
disable: true

0 commit comments

Comments
 (0)