Harden GitHub Actions with zizmor #158

Merged: bkontur merged 4 commits into dev from harden-ci on Jun 11, 2026

Conversation

@franciscoaguirre (Collaborator) commented Jun 11, 2026

Audited all GitHub workflows with zizmor and fixed a bunch of issues. 179 findings -> 0 (17 documented exceptions).

  • /cmd bot: org-members-only (dropped PR-author path), scoped the GitHub App tokens (members: read / contents: write, were full-installation), least-privilege per job.
  • Minimal permissions: on all workflows; deploy-ui pages/id-token moved to its deploy job.
  • Template-injection closed via env-indirection (workflows + 4 composite actions).
  • persist-credentials: false on non-pushing checkouts; dependabot cooldown.
  • New zizmor.yml CI gate + .github/zizmor.yml (keeps this from regressing).

Audited all workflows with zizmor and fixed fork-exploitable issues.
179 findings -> 0 (17 documented exceptions).

- /cmd bot: org-members-only (dropped PR-author path), scoped the GitHub
  App tokens (members: read / contents: write, were full-installation),
  least-privilege per job.
- Minimal permissions: on all workflows; deploy-ui pages/id-token moved to
  its deploy job.
- Template-injection closed via env-indirection (workflows + 4 composite
  actions).
- persist-credentials: false on non-pushing checkouts; dependabot cooldown.
- New zizmor.yml CI gate + .github/zizmor.yml (keeps this from regressing).
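The template-injection and persist-credentials items above, as an added example that is not part of this PR and is not zizmor's code: a minimal, line-based check (hypothetical helper functions, no YAML library) that scans a workflow for `${{ github.event.* }}` / `${{ github.head_ref }}` expressions expanded inside `run:` scripts, for `actions/checkout` steps that lack `persist-credentials: false`, and for a missing top-level `permissions:` block. The two embedded workflows are constructed samples: the vulnerable form splices the pull request title (attacker-controlled on a fork PR under `pull_request_target`) directly into the shell script, while the hardened form passes it through an environment variable (the env-indirection the PR applies), so the shell receives it as data rather than as script text. Treating everything under `github.event` as untrusted is an assumption of this example, chosen to be conservative.

```python
import re

# Constructed sample: the 'before' workflow interpolates attacker-controlled
# event data straight into the shell script that the runner executes.
VULNERABLE = """\
name: greet
on: pull_request_target
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "Thanks for ${{ github.event.pull_request.title }}"
      - run: |
          git fetch origin
          echo "branch ${{ github.head_ref }}"
"""

# Constructed sample: the hardened form. The expression is evaluated into an
# environment variable and the script reads $PR_TITLE, so the title is data
# handed to the shell rather than text spliced into the script itself.
HARDENED = """\
name: greet
on: pull_request_target
permissions:
  contents: read
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Thanks for $PR_TITLE"
"""

# Assumption of this example: everything under github.event plus
# github.head_ref is treated as untrusted (a conservative approximation).
UNTRUSTED = re.compile(r"\$\{\{\s*(github\.event\.[\w.\[\]-]+|github\.head_ref)\s*\}\}")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())


def run_script_lines(workflow: str):
    """Yield (lineno, text) for each line that belongs to a `run:` script.
    Covers inline `run: cmd` and block scalars (`run: |`, `run: >`), whose
    script continues on the following lines indented deeper than the key."""
    lines = workflow.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^\s*(?:-\s+)?run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        key_col, rest = lines[i].index("run:"), m.group(1)
        if rest.startswith(("|", ">")):
            i += 1
            while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > key_col):
                yield i + 1, lines[i]
                i += 1
        else:
            yield i + 1, rest
            i += 1


def find_template_injections(workflow: str) -> list[tuple[int, str]]:
    """(line number, expression) for every untrusted expression expanded
    inside a run: script, i.e. exactly the pattern env-indirection removes."""
    return [(n, m.group(1)) for n, text in run_script_lines(workflow)
            for m in UNTRUSTED.finditer(text)]


def checkouts_persisting_credentials(workflow: str) -> list[int]:
    """Line numbers of actions/checkout steps that keep the job token in
    .git/config (the default); only steps that push need that."""
    lines = workflow.splitlines()
    hits = []
    for i, line in enumerate(lines):
        if not re.match(r"^\s*(?:-\s+)?uses:\s*actions/checkout@", line):
            continue
        step_col = line.index("uses:") - 2  # column of the step's leading '-'
        disabled = False
        for nxt in lines[i + 1:]:
            if nxt.strip() and _indent(nxt) <= step_col:
                break  # reached the next step (or left the steps list)
            if re.match(r"^\s*persist-credentials:\s*false\b", nxt):
                disabled = True
                break
        if not disabled:
            hits.append(i + 1)
    return hits


def has_top_level_permissions(workflow: str) -> bool:
    """True when the workflow declares a top-level permissions: block instead
    of inheriting the repository's (usually broader) GITHUB_TOKEN default."""
    return any(line.startswith("permissions:") for line in workflow.splitlines())


def audit(workflow: str) -> dict:
    return {
        "template_injections": find_template_injections(workflow),
        "checkouts_persisting_credentials": checkouts_persisting_credentials(workflow),
        "has_top_level_permissions": has_top_level_permissions(workflow),
    }


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit(text))
```

The scanner deliberately ignores the expression on the `env:` line of the hardened workflow: evaluating `${{ ... }}` into a variable is safe because the runner sets it as an environment value, and the script only ever sees `$PR_TITLE`. The line-based parsing is adequate for these shapes but is not a YAML parser; for real audits, run zizmor as the PR does and use a check like this only to reason about why a finding fires.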
@franciscoaguirre changed the title from "ci: harden GitHub Actions against fork-based attacks (zizmor)" to "Harden GitHub Actions with zizmor" on Jun 11, 2026
@franciscoaguirre franciscoaguirre marked this pull request as ready for review June 11, 2026 03:15
Comment thread on .github/workflows/release.yml (outdated):
Replace the third-party release action with the runner's preinstalled gh
CLI (gh release create). The job already holds contents: write, so the
action added supply-chain surface for functionality the runner provides
natively. This also removes zizmor's superfluous-actions finding at the
source, so the malformed inline ignore comment is no longer needed.
@bkontur bkontur enabled auto-merge (squash) June 11, 2026 09:28
@bkontur bkontur merged commit 065e2af into dev Jun 11, 2026
29 checks passed
@bkontur bkontur deleted the harden-ci branch June 11, 2026 10:03
@danielbui12 (Member) commented:

@bkontur @franciscoaguirre somehow the cmd bot does not work anymore #163 (comment)

@franciscoaguirre (Collaborator, Author) commented:

@danielbui12 looking into it
