Harden workflows: env-var PR refs and disable checkout credential persistence#58
Merged
Conversation
The Resolve refs and Compare artifacts steps interpolated
github.event.pull_request.*.sha and the derived step outputs directly
into their run: scripts. GitHub substitutes ${{ }} into the script source
before bash runs, so these are template-injection sinks (flagged by
zizmor). The values are git SHAs today, but pass them through env: and
reference them as quoted shell variables so they are always treated as
data.
actions/checkout stores the GITHUB_TOKEN in .git/config by default, leaving a usable token on disk for later steps to read. None of these checkouts push or need git credentials afterward (the one git fetch targets this public repo), so set persist-credentials: false (flagged by zizmor as artipacked).
Artifact comparison0 modified · 0 added · 0 deleted · 96 unchanged Download report — HTML file; open in a browser. Compared
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
The injection/token-hardening half of the zizmor cleanup (the SHA-pinning half landed in #55), in two commits:
check.yml) — theResolve refsandCompare artifactssteps interpolatedgithub.event.pull_request.*.shaand the derived step outputs straight into theirrun:scripts. Moved them intoenv:blocks referenced as quoted shell variables. The values are git SHAs, so the real risk was low, but this removes the injection sink and matches the pattern used for the changelog fix.artipacked— addedpersist-credentials: falseto everyactions/checkout(7 across the four workflows). None of them push or use git credentials in a later step, so there's no reason to leave the token in.git/config.Why
Both reduce what a compromised step could reach: no
${{ }}reaching a shell as code, and no reusable token left on disk.Notes
git fetch(inResolve refs) targets this public repo, so it works fine without the persisted credential.persist-credentials: falsedoes not affect the initial checkout — the action still uses its token to clone; it just doesn't write it into.git/configfor later steps.Verification
actionlint: cleanzizmor:template-injectionandartipackedfindings both 0 (were 3 and 7). Remaining findings are theexcessive-permissionsset, which is the separate permissions-hardening PR.