
chore: workflow hardening — pinact + zizmor [automated] #1

Open
infra-hardening[bot] wants to merge 1 commit into main from workflow-hardening/zizmor-2026-06-19


Conversation

@infra-hardening


Automated workflow hardening

This PR was generated by the pt-infra-hardening pipeline.

Changes

No mechanical fixes were applied. Inert marker comments were added to the affected workflow files to carry the findings listed below.

⚠️ Needs human attention

These findings could not be fixed automatically and need a maintainer's decision:

  • .github/workflows/release.yml:42 github-app: The actions/create-github-app-token step mints a token that inherits blanket installation permissions; review whether the token scope should be restricted with repositories or permissions inputs. → https://docs.zizmor.sh/audits/#github-app

    Once reviewed and accepted, prevent future runs from re-flagging this by adding an inline suppression comment on the offending line in .github/workflows/release.yml:

    # zizmor: ignore[github-app] <your reason here>

  • .github/workflows/semantic-check.yml:2 dangerous-triggers: pull_request_target gives the workflow write access to the base repository and to secrets, making it dangerous if the workflow checks out and runs code from a fork PR; review whether pull_request can be used instead. → https://docs.zizmor.sh/audits/#dangerous-triggers

    Once reviewed and accepted, prevent future runs from re-flagging this by adding an inline suppression comment on the offending line in .github/workflows/semantic-check.yml:

    # zizmor: ignore[dangerous-triggers] <your reason here>

Suppressing findings

To prevent a finding from being flagged in future hardening runs — whether it was fixed automatically or flagged for manual review — add an inline comment on the relevant line:

# zizmor: ignore[<rule-name>] <your reason here>

Replace <rule-name> with the audit name (e.g. artipacked, secrets-inherit). See zizmor audit docs for all rule names.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
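The two findings above describe what a maintainer would change but not what the before and after look like. The block below is an added illustration, not part of this PR and not the repository's actual release.yml or semantic-check.yml: it shows the flagged shape of each workflow as comments and a hardened shape as live YAML, with the two files presented as two YAML documents in one block. Job names, the secret names APP_ID and APP_PRIVATE_KEY, the Conventional Commits regex, and the permission-* input names of actions/create-github-app-token v2 are assumptions; `<full-commit-sha>` stands in for the 40-character SHA that pinact would pin each action to.

```yaml
# Added example (not from this PR). Hypothetical names are marked as such;
# <full-commit-sha> is a placeholder for the SHA pinact writes next to a version comment.

# ---------------------------------------------------------------
# Finding 1: github-app  (shape of .github/workflows/release.yml)
# ---------------------------------------------------------------
name: release
on:
  push:
    tags: ["v*"]

# Workflow-level default: the built-in GITHUB_TOKEN is read-only unless a job raises it.
permissions:
  contents: read

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<full-commit-sha> # v4.x.y
        with:
          persist-credentials: false   # keep the token out of .git/config (zizmor: artipacked)

      # BEFORE (flagged): only app-id and private-key are given, so the minted token
      # carries every permission of the App installation on every repository it covers.
      #
      #   - id: app-token
      #     uses: actions/create-github-app-token@<full-commit-sha> # v2.x.y
      #     with:
      #       app-id: ${{ secrets.APP_ID }}              # hypothetical secret name
      #       private-key: ${{ secrets.APP_PRIVATE_KEY }} # hypothetical secret name

      # AFTER: restrict the token to this repository and to the permissions the
      # release step actually uses (permission-* inputs assumed from v2 of the action).
      - id: app-token
        uses: actions/create-github-app-token@<full-commit-sha> # v2.x.y
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          repositories: ${{ github.event.repository.name }}
          permission-contents: write   # needed to create the release

      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}

---
# ---------------------------------------------------------------
# Finding 2: dangerous-triggers  (shape of .github/workflows/semantic-check.yml)
# ---------------------------------------------------------------
name: semantic-check

# BEFORE (flagged): pull_request_target runs with the base repository's write token
# and secrets; combined with a checkout of the PR head, fork-controlled code would
# execute with that access.
#
#   on:
#     pull_request_target:
#       types: [opened, edited, synchronize]
#   ...
#       - uses: actions/checkout@<full-commit-sha> # v4.x.y
#         with:
#           ref: ${{ github.event.pull_request.head.sha }}

# AFTER: pull_request runs fork PRs with a read-only token and no secrets, which is
# all a PR-title check needs.
on:
  pull_request:
    types: [opened, edited, synchronize]

permissions:
  contents: read
  pull-requests: read

jobs:
  lint-title:
    runs-on: ubuntu-latest
    steps:
      # No checkout step at all: the title comes from the event payload, so nothing
      # from the fork is fetched or executed.
      - name: Check that the PR title is a Conventional Commits header
        env:
          # Passed through the environment rather than interpolated into the script
          # body, so a crafted title cannot alter the shell command (zizmor: template-injection).
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          printf '%s\n' "$PR_TITLE" \
            | grep -Eq '^(feat|fix|chore|docs|refactor|test|ci)(\([a-z0-9-]+\))?!?: .+' \
            || { echo "PR title is not a valid Conventional Commits header"; exit 1; }
```

If the check genuinely needs write access (for example to post a comment on the PR), the zizmor audit page linked above describes the alternatives: keep `pull_request_target` but never check out or run code from the PR head, or split the work into a read-only `pull_request` workflow whose results a separate privileged workflow consumes. The suppression comment shown in the finding is for the case where a maintainer reviews the trigger and decides the workflow is safe as written.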
@github-actions


Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None
