Skip to content

Harden GitHub Actions workflows with zizmor#32

Open
arash77 wants to merge 1 commit into
usegalaxy-eu:mainfrom
arash77:harden-github-actions-zizmor
Open

Harden GitHub Actions workflows with zizmor#32
arash77 wants to merge 1 commit into
usegalaxy-eu:mainfrom
arash77:harden-github-actions-zizmor

Conversation

@arash77

@arash77 arash77 commented Jun 9, 2026

Copy link
Copy Markdown
Member

Apply zizmor security best practices to all workflows.

See https://docs.zizmor.sh/

  • Add top-level permissions: {} to restrict default GITHUB_TOKEN scope
  • Add persist-credentials: false to checkout steps
  • Run zizmor-action on changes to GitHub workflows

- Add top-level permissions: {} to all workflows to restrict default GITHUB_TOKEN scope
- Add persist-credentials: false to all checkout steps to prevent credential leakage
- Create zizmor.yml config with ref-pin policy for action references
- Add zizmor CI workflow for automated security analysis of workflow files
- Existing dependabot.yml already covers monthly GitHub Actions updates
@arash77 arash77 force-pushed the harden-github-actions-zizmor branch from a74ba1b to 779ce9e Compare June 9, 2026 15:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants