🔒 ci(workflows): add zizmor security auditing #467
Add zizmor pre-commit hook to catch GitHub Actions security issues.

Fix all existing findings:
- template-injection: Move GitHub context to env vars
- secrets-outside-env: Add environment declarations
- dangerous-triggers: Replace pull_request_target with pull_request
- bot-conditions: Use pull_request.user.login instead of github.actor
- excessive-permissions: Move permissions to job level
- superfluous-actions: Replace with native tools
Most of Hopefully that's an acceptable tradeoff, but I think/hope it's worth mentioning. Refs:
Because I've been seeing this type of reconfiguration more frequently recently, I've opened a discussion related to it upstream at: https://github.com/orgs/zizmorcore/discussions/1898
GitHub Actions workflows were vulnerable to several security issues including template injection, credential exposure, and permission over-scoping. These vulnerabilities could allow attackers to execute arbitrary code or access sensitive tokens.
This change adds zizmor as a pre-commit hook to continuously audit workflow security and fixes all existing vulnerabilities. The fixes include pinning actions to commit hashes, moving secrets to dedicated environments, isolating GitHub context from shell execution, and restricting permissions to the minimum required scope. All workflows now pass security audit with zero findings. Future workflow changes will be automatically checked before commit.
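As an added illustration (not code from this PR, and not zizmor's own implementation), the following shows the template-injection and dangerous-triggers fixes the description refers to: a constructed workflow that expands `github.event.pull_request.title` directly inside a `run:` script and fires on `pull_request_target`, beside the same job after the context value is routed through an env var, the trigger is changed to `pull_request`, and permissions are scoped at job level. The two check functions are deliberately simplified line-based scans written for this example; they do not parse YAML fully and are only meant to make the before/after difference observable.

```python
"""Simplified, line-based checks for two of the zizmor finding classes named
in this PR: template-injection (GitHub context expanded inside a run: script)
and dangerous-triggers (pull_request_target).  Illustrative code only, not
zizmor's implementation; it does not parse YAML in full."""
import re

# Expression contexts that a pull-request author can influence: event payload
# fields (PR title, body, branch name, ...), head_ref, and workflow inputs.
RISKY_CONTEXT = re.compile(
    r"\$\{\{\s*(github\.(event\.[A-Za-z0-9_.\-]+|head_ref)|inputs\.[A-Za-z0-9_\-]+)"
)

# Constructed sample: the pattern the PR calls template injection, plus the
# pull_request_target trigger and a blanket write-all permission.
VULNERABLE_WORKFLOW = """\
name: greet
on:
  pull_request_target:
permissions: write-all
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Thanks for PR: ${{ github.event.pull_request.title }}"
"""

# Constructed sample of the same job after the fixes the PR describes: the
# context value goes through an env var (the shell sees a variable, not
# interpolated text), the trigger is pull_request, and permissions are
# declared at job level with only what the job needs.
FIXED_WORKFLOW = """\
name: greet
on:
  pull_request:
permissions: {}
jobs:
  greet:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Thanks for PR: $PR_TITLE"
"""

def find_template_injection(workflow_text):
    """Return (line_no, text) for run: script lines that interpolate risky context.

    Handles single-line `run: ...` and block-scalar `run: |` forms; a block
    scalar continues while lines are indented deeper than the `run:` key."""
    findings = []
    in_run = False
    run_indent = 0
    for n, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_run and (stripped == "" or indent > run_indent):
            if RISKY_CONTEXT.search(line):
                findings.append((n, stripped))
            continue
        in_run = False
        m = re.match(r"(?:-\s*)?run:\s*(.*)$", stripped)
        if not m:
            continue
        body = m.group(1).strip()
        if body in ("|", "|-", "|+", ">", ">-", ">+"):
            in_run, run_indent = True, indent
        elif RISKY_CONTEXT.search(body):
            findings.append((n, stripped))
    return findings

def find_dangerous_triggers(workflow_text):
    """Return line numbers that reference the pull_request_target trigger
    (comments after '#' are ignored)."""
    return [
        n for n, line in enumerate(workflow_text.splitlines(), 1)
        if "pull_request_target" in line.split("#", 1)[0]
    ]

def audit(workflow_text):
    """Bundle both checks, keyed by the zizmor rule names used in this PR."""
    return {
        "template-injection": find_template_injection(workflow_text),
        "dangerous-triggers": find_dangerous_triggers(workflow_text),
    }

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(label, audit(text))
```

Running the script reports one template-injection line and one dangerous-triggers line for the first workflow and nothing for the second. The env-var route works because the expression is expanded by the Actions runner into an environment variable before the shell starts, so the PR title reaches `echo` as data rather than as part of the script text.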