Skip to content

Commit a74ba1b

Browse files
committed
chore(security): harden GitHub Actions workflows with zizmor
- Add top-level permissions: {} to all workflows to restrict default GITHUB_TOKEN scope - Add persist-credentials: false to all checkout steps to prevent credential leakage - Create zizmor.yml config with ref-pin policy for action references - Add zizmor CI workflow for automated security analysis of workflow files - Existing dependabot.yml already covers monthly GitHub Actions updates
1 parent 03370ad commit a74ba1b

6 files changed

Lines changed: 59 additions & 0 deletions

File tree

.github/dependabot.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,11 @@ updates:
3131
schedule:
3232
interval: "monthly"
3333
open-pull-requests-limit: 10
34+
cooldown:
35+
default-days: 7
36+
semver-major-days: 30
37+
semver-minor-days: 7
38+
semver-patch-days: 3
3439
groups:
3540
actions:
3641
patterns:

.github/workflows/citation_bot.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,8 @@ on:
1111
required: false
1212
default: "5"
1313

14+
permissions: {}
15+
1416
jobs:
1517
citation-bot:
1618
runs-on: ubuntu-latest
@@ -20,6 +22,8 @@ jobs:
2022
steps:
2123
- name: Checkout
2224
uses: actions/checkout@v6
25+
with:
26+
persist-credentials: false
2327

2428
- name: Set up Python
2529
uses: actions/setup-python@v6
@@ -38,6 +42,8 @@ jobs:
3842
private-key: ${{ secrets.APP_PRIVATE_KEY }}
3943
owner: "usegalaxy-eu"
4044
repositories: "galaxy-social"
45+
permission-contents: write
46+
permission-pull-requests: write
4147

4248
- name: Run python script
4349
env:

.github/workflows/feed_bot.yml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,8 @@ on:
1515
required: false
1616
type: boolean
1717

18+
permissions: {}
19+
1820
jobs:
1921
feed-bot:
2022
runs-on: ubuntu-latest
@@ -24,6 +26,8 @@ jobs:
2426
steps:
2527
- name: Checkout
2628
uses: actions/checkout@v6
29+
with:
30+
persist-credentials: false
2731

2832
- name: Set up Python
2933
uses: actions/setup-python@v6
@@ -42,6 +46,8 @@ jobs:
4246
private-key: ${{ secrets.APP_PRIVATE_KEY }}
4347
owner: "usegalaxy-eu"
4448
repositories: "galaxy-social"
49+
permission-contents: write
50+
permission-pull-requests: write
4551

4652
- name: Run python script for RSS/Atom feeds
4753
env:
@@ -65,6 +71,8 @@ jobs:
6571
steps:
6672
- name: Checkout
6773
uses: actions/checkout@v6
74+
with:
75+
persist-credentials: false
6876

6977
- name: Keep the repository alive
7078
run: |

.github/workflows/youtube_bot.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,8 @@ on:
1111
required: false
1212
default: "5"
1313

14+
permissions: {}
15+
1416
jobs:
1517
youtube-bot:
1618
runs-on: ubuntu-latest
@@ -20,6 +22,8 @@ jobs:
2022
steps:
2123
- name: Checkout
2224
uses: actions/checkout@v6
25+
with:
26+
persist-credentials: false
2327

2428
- name: Set up Python
2529
uses: actions/setup-python@v6
@@ -38,6 +42,8 @@ jobs:
3842
private-key: ${{ secrets.APP_PRIVATE_KEY }}
3943
owner: "usegalaxy-eu"
4044
repositories: "galaxy-social"
45+
permission-contents: write
46+
permission-pull-requests: write
4147

4248
- name: Run python script
4349
env:

.github/workflows/zizmor.yml

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
name: GitHub Actions Security Analysis with zizmor
2+
3+
on:
4+
push:
5+
paths:
6+
- '.github/workflows/*'
7+
pull_request:
8+
paths:
9+
- '.github/workflows/*'
10+
11+
permissions: {}
12+
13+
jobs:
14+
zizmor:
15+
name: Run zizmor
16+
runs-on: ubuntu-latest
17+
permissions:
18+
contents: read
19+
actions: read
20+
steps:
21+
- name: Checkout repository
22+
uses: actions/checkout@v6
23+
with:
24+
persist-credentials: false
25+
26+
- name: Run zizmor
27+
uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
28+
with:
29+
advanced-security: false

zizmor.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
rules:
2+
unpinned-uses:
3+
config:
4+
policies:
5+
'*': ref-pin

0 commit comments

Comments
 (0)