Skip to content

Harden workflows: env-var PR refs and disable checkout credential persistence#58

Merged
djacu merged 2 commits into
mainfrom
harden/injection-defense-in-depth
Jul 6, 2026
Merged

Harden workflows: env-var PR refs and disable checkout credential persistence#58
djacu merged 2 commits into
mainfrom
harden/injection-defense-in-depth

Conversation

@djacu

@djacu djacu commented Jul 6, 2026

Copy link
Copy Markdown
Member

What

The injection/token-hardening half of the zizmor cleanup (the SHA-pinning half landed in #55), in two commits:

  1. Template injection (check.yml) — the Resolve refs and Compare artifacts steps interpolated github.event.pull_request.*.sha and the derived step outputs straight into their run: scripts. Moved them into env: blocks referenced as quoted shell variables. The values are git SHAs, so the real risk was low, but this removes the injection sink and matches the pattern used for the changelog fix.
  2. Credential persistence — artipacked — added persist-credentials: false to every actions/checkout (7 across the four workflows). None of them push or use git credentials in a later step, so there's no reason to leave the token in .git/config.

Why

Both reduce what a compromised step could reach: no ${{ }} reaching a shell as code, and no reusable token left on disk.

Notes

  • The one git fetch (in Resolve refs) targets this public repo, so it works fine without the persisted credential.
  • persist-credentials: false does not affect the initial checkout — the action still uses its token to clone; it just doesn't write it into .git/config for later steps.

Verification

  • actionlint: clean
  • zizmor: template-injection and artipacked findings both 0 (were 3 and 7). Remaining findings are the excessive-permissions set, which is the separate permissions-hardening PR.

djacu added 2 commits July 5, 2026 20:41
The Resolve refs and Compare artifacts steps interpolated
github.event.pull_request.*.sha and the derived step outputs directly
into their run: scripts. GitHub substitutes ${{ }} into the script source
before bash runs, so these are template-injection sinks (flagged by
zizmor). The values are git SHAs today, but pass them through env: and
reference them as quoted shell variables so they are always treated as
data.
actions/checkout stores the GITHUB_TOKEN in .git/config by default,
leaving a usable token on disk for later steps to read. None of these
checkouts push or need git credentials afterward (the one git fetch
targets this public repo), so set persist-credentials: false (flagged by
zizmor as artipacked).
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Artifact comparison

0 modified · 0 added · 0 deleted · 96 unchanged

Download report — HTML file; open in a browser.

Compared
  • Base: 8118835dda1da2ebc0f5d54aee79bb288cf8a343 (current main tip when this ran)
  • After: 25144b7ae77a03b1ea76720d8ad0cd74b900a8c8 (merge commit; falls back to PR head if unmergeable)

@djacu djacu merged commit 3b1b29c into main Jul 6, 2026
5 checks passed
@djacu djacu deleted the harden/injection-defense-in-depth branch July 6, 2026 03:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant