
ci: harden actions#16810

Merged
ematipico merged 3 commits into main from ci/harden-security on May 20, 2026

Conversation

@ematipico

@ematipico ematipico commented May 20, 2026

Member

Changes

This PR adds:

  • zizmor to our CI to check for incorrect usage of our workflows. For now, I tuned the tool to target high confidence and high severity
  • I ran the tool on our actions and applied the suggestions:
    • removed an action from our preview release
    • removed a possible template injection

There's still a warning

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
  --> .github/workflows/format.yml:12:11
   |
12 |     uses: withastro/automation/.github/workflows/format.yml@497c9268ad4267c842a8f6c4d830ad0182d6f6b3 # main
   |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
...
15 |     secrets: inherit
   |     ---------------- inherits all parent secrets
   |
   = note: audit confidence → High

However, it's not easily fixable at the moment.

Note

I plan to address even warnings, but for now I'll focus on high profile errors.

Testing

Green CI

Docs
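To make the two findings above concrete (the template injection that was removed and the `secrets-inherit` warning that remains), here is an added example that is not part of the PR or of the Astro project: a small line-based scanner that reproduces both checks over two constructed workflow snippets, one vulnerable and one hardened. It is not zizmor and does not parse YAML; it only tracks `run:` block scalars by indentation, and the list of untrusted contexts is a constructed, partial one. The `example-org/automation` workflow reference and the `FORMAT_TOKEN` secret are placeholders.

```python
"""Constructed example: flag untrusted expressions inside `run:` scripts and
`secrets: inherit` on reusable-workflow calls. Not zizmor, not YAML-aware."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# `${{ ... }}` expression; the capture group is the expression body.
EXPR_RE = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")

# Contexts an outside contributor can influence. Constructed, partial list;
# real auditors such as zizmor track many more.
UNTRUSTED_PREFIXES = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.comment.body",
    "github.head_ref",
    "inputs.",
)


@dataclass(frozen=True)
class Finding:
    rule: str    # "template-injection" or "secrets-inherit"
    line: int    # 1-based line number in the workflow text
    detail: str


def _split_indent(line: str) -> Tuple[int, str]:
    """Return (column of the key, text of the key) for one YAML line."""
    stripped = line.lstrip(" ")
    indent = len(line) - len(stripped)
    if stripped.startswith("- "):       # list item: the key sits two columns in
        return indent + 2, stripped[2:]
    return indent, stripped


def audit_workflow(text: str) -> List[Finding]:
    findings: List[Finding] = []
    run_indent: Optional[int] = None    # column of the open `run:` key, if any
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent, stripped = _split_indent(raw)
        # A block scalar ends when indentation returns to the key's column.
        if run_indent is not None and indent <= run_indent:
            run_indent = None
        if stripped.startswith("run:"):
            run_indent = indent
        if stripped == "secrets: inherit":
            findings.append(Finding("secrets-inherit", lineno,
                                    "called workflow inherits every parent secret"))
            continue
        if run_indent is None:
            continue                    # expressions outside run: are not shell input
        for expr in EXPR_RE.findall(raw):
            if expr.startswith(UNTRUSTED_PREFIXES):
                findings.append(Finding("template-injection", lineno,
                                        f"{expr} expanded inside a run: script"))
    return findings


# Constructed sample: the issue title is spliced into the shell script before
# the shell runs, and the reusable workflow receives every secret.
VULNERABLE = """\
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Greet the reporter
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
  format:
    uses: example-org/automation/.github/workflows/format.yml@main
    secrets: inherit
"""

# Same workflow hardened: the value is passed through an environment variable
# (the shell reads it as data, not code) and only one named secret is passed.
HARDENED = """\
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Greet the reporter
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $ISSUE_TITLE"
  format:
    uses: example-org/automation/.github/workflows/format.yml@main
    secrets:
      FORMAT_TOKEN: ${{ secrets.FORMAT_TOKEN }}
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"{label}: {audit_workflow(wf) or 'no findings'}")
```

The hardened form is the fix applied in this PR's spirit: moving the expression into `env:` means the runner expands it into a variable's value rather than into the script text, and an explicit `secrets:` mapping is the supported alternative to `inherit` when the called workflow only needs a few secrets.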

@changeset-bot

changeset-bot Bot commented May 20, 2026


⚠️ No Changeset found

Latest commit: 2968569

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@github-actions github-actions Bot added the 🚨 action Modifies GitHub Actions label May 20, 2026
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Comment thread .github/workflows/issue-needs-repro.yml Outdated
@ematipico ematipico requested a review from matthewp May 20, 2026 15:22
@ematipico ematipico force-pushed the ci/harden-security branch from 1ec7135 to 2968569 May 20, 2026 15:23
@ematipico ematipico merged commit e2d2ec7 into main May 20, 2026
24 checks passed
@ematipico ematipico deleted the ci/harden-security branch May 20, 2026 15:37

4 participants