ci: add zizmor and fix GHA security findings #2632
theakshaypant merged 1 commit into tektoncd:main from
Do not have permission to configure env in the repo :/
ah I didn't see this as I started as well, you can pick up that change that adds it in linter.yaml I guess instead of using a GHA for that (which we try to avoid, we rather use pac and it consumes GHA org resources)
/retest linters
Add zizmor linter step to the Tekton linter pipeline and a
.github/zizmor.yml config to suppress false positives for e2e.yaml.
Fix expression injection in container.yaml by replacing
${{ github.ref_name }} and ${{ github.ref }} with env vars in run
scripts. Add persist-credentials: false to all checkout steps and
minimal permissions blocks to e2e-tests and notify-slack jobs.
Move secrets from $GITHUB_ENV writes to step-level env blocks and
use step outputs instead of $GITHUB_ENV for smee URLs.
Co-authored-by: Chmouel Boudjnah <chmouel@redhat.com>
Signed-off-by: Akshay Pant <akpant@redhat.com>
Incorporated these changes in a5d1cf1
were you able to test the change on your fork? feel free to merge it but if it breaks stuff be ready to revert it quickly

📝 Description of the Change
Add zizmor linter step to the Tekton linter pipeline and a
.github/zizmor.yml config to suppress false positives for e2e.yaml.
Fix expression injection in container.yaml by replacing
${{ github.ref_name }} and ${{ github.ref }} with env vars in run
scripts. Add persist-credentials: false to all checkout steps and
minimal permissions blocks to e2e-tests and notify-slack jobs.
Move secrets from $GITHUB_ENV writes to step-level env blocks and
use step outputs instead of $GITHUB_ENV for smee URLs.
Results
zizmor before the change: 80 findings (13 suppressed, 11 fixable): 2 informational, 0 low, 55 medium, 10 high
zizmor after the change: No findings to report. Good job! (50 ignored, 15 suppressed)
🔗 Linked GitHub Issue
Fixes #2613
🧪 Testing Strategy
🤖 AI Assistance
AI assistance can be used for various tasks, such as code generation, documentation, or testing. Please indicate whether you have used AI assistance for this PR and provide details if applicable.
Important
Slop will be simply rejected. If you are using AI assistance you need to make sure you understand the code generated and that it meets the project's standards. You need to at least know how to run the code and deploy it (if needed). See startpaac to make it easy to deploy and test your code changes.
If the majority of the code in this PR was generated by an AI, please add a Co-authored-by trailer to your commit message. For example:
Co-authored-by: Claude noreply@anthropic.com
✅ Submitter Checklist
(fix:, feat:) matches the "Type of Change" I selected above.
make test and make lint locally to check for and fix any issues. For an efficient workflow, I have considered installing pre-commit and running pre-commit install to automate these checks.
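The workflow hardening that the commit message and PR description above call out (env vars instead of `${{ }}` expansion in `run` scripts, `persist-credentials: false`, a job-level `permissions` block, step-scoped secrets and step outputs instead of `$GITHUB_ENV`), shown in one constructed workflow. This is an added example, not the project's `container.yaml`; the job, step, secret and smee URL values are assumptions.

```yaml
# Constructed example, not the project's container.yaml: one job showing the
# patterns the PR removes (commented BEFORE lines) beside the hardened form.
name: build
on:
  push:
    branches: [main]

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:              # minimal, job-scoped permissions block
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # token is not left behind in .git/config

      # BEFORE (expression injection): the expression is expanded into the
      # script text before the shell parses it, so a ref name containing shell
      # metacharacters is interpreted as code rather than data.
      #   run: echo "Building ${{ github.ref_name }}"
      # AFTER: hand the value over as an environment variable; the shell sees
      # only a quoted variable, never the untrusted text as script.
      - name: Build image
        env:
          REF_NAME: ${{ github.ref_name }}
          REF: ${{ github.ref }}
        run: echo "Building $REF_NAME from $REF"

      # BEFORE: a secret written to $GITHUB_ENV is visible to every later step.
      #   run: echo "REGISTRY_TOKEN=${{ secrets.REGISTRY_TOKEN }}" >> "$GITHUB_ENV"
      # AFTER: the secret is scoped to the single step that needs it.
      - name: Push image
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: echo "$REGISTRY_TOKEN" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin

      # BEFORE: appending SMEE_URL=... to $GITHUB_ENV mutates the environment
      # of every later step, which is what zizmor flags.
      # AFTER: publish it as a step output and read it only where referenced.
      - name: Start smee channel
        id: smee
        run: echo "url=https://smee.io/example-channel" >> "$GITHUB_OUTPUT"
      - name: Use smee URL
        env:
          SMEE_URL: ${{ steps.smee.outputs.url }}
        run: echo "Forwarding webhooks to $SMEE_URL"
```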