Scan GitHub Actions workflows with zizmor#526
Open
hocinehacherouf wants to merge 5 commits into
Open
Conversation
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
Resolve all findings reported by the zizmor scan: - Pin every action to a full commit SHA (unpinned-uses) - Move workflow_dispatch inputs into env vars in run steps to prevent template injection (hotfix.yml, tag.yml) - Add least-privilege job-level permissions blocks - Set persist-credentials: false on read-only checkouts (build, release, security) - Remove Maven caching from release.yml to avoid cache poisoning in the publish pipeline Document the three accepted exceptions with justified ignore comments: artipacked on the hotfix/tag checkouts (persisted credentials required to push) and superfluous-actions on ncipollo/release-action (allowUpdates has no single-command gh release equivalent).
- release.yml: move the superfluous-actions ignore onto the uses line so zizmor honors it in SARIF output (the action's zizmor 1.24.1 only matches an ignore on the exact finding line, unlike newer versions) - dependabot.yml: add a 7-day cooldown to the maven and github-actions ecosystems (dependabot-cooldown)
hocinehacherouf
marked this pull request as ready for review
July 1, 2026 09:59
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #525
What
Adds a
zizmorworkflow that statically audits our GitHub Actions forsupply-chain and misconfiguration issues (unpinned actions, overbroad token
scopes, template-injection sinks, credential persistence) and uploads SARIF to
the Security tab, mirroring how Trivy scans source code.
To land the scan green, this PR also remediates every finding zizmor reports
across the existing workflows.
Changes
New
.github/workflows/zizmor.yml: runszizmorcore/zizmor-actionon PRstouching
.github/workflows/**, on push tomain, weekly, and viaworkflow_dispatch. SARIF goes to the Security tab.Hardening of existing workflows
unpinned-uses)permissions:blocks to every job (excessive-permissions)workflow_dispatchinputs intoenv:vars inrun:steps to preventshell injection (
template-injectioninhotfix.ymlandtag.yml)persist-credentials: falseon read-only checkouts (artipacked)release.yml, since a publish pipeline shouldn'trestore a potentially poisoned cache (
cache-poisoning)cooldownfor the maven and github-actionsecosystems (
dependabot-cooldown)Accepted findings (documented inline via
# zizmor: ignore[...])artipackedon thehotfix.ymlandtag.ymlcheckouts: persistedcredentials are required to push the branch, tag, and commit.
superfluous-actionsonncipollo/release-action: kept for itsallowUpdatessupport, whichgh releasecan't replicate in one command.Notes
v0.5.7ships zizmor1.26.1); Dependabot will bump it going forward.zizmor 1.26.1over the repo reports No findings (3 ignored,29 suppressed).