gh-actions: improve security with zizmor linter#11000
maennchen wants to merge 9 commits into erlang:master from
CT Test Results: 1 file, 11 suites, 3m 25s. Results for commit d29fee8. This comment has been updated with the latest results. To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass. See the TESTING and DEVELOPMENT HowTo guides for details about how to run tests locally. (Erlang/OTP GitHub Action Bot)

Force-pushed from 1af5fd6 to b61dcd0.
Thanks for this improvement! Looks good, I have just one small nitpick. Is there a reason you put

Best regards,
@Whaileee I have not given it any thought. I usually put them after. I'll amend the commit so they're always before. |
Prevent credential persistence through GitHub Actions artifacts by setting persist-credentials: false on actions/checkout steps. The renovate-vendored-deps workflow is excluded because it needs credentials for git push operations. See: https://docs.zizmor.sh/audits/#artipacked
Pass template expressions through environment variables instead of direct interpolation in run blocks to improve static analysis. See: https://docs.zizmor.sh/audits/#template-injection
workflow_run is required to comment on PRs from forks with write permissions. Document why this is safe and warn about future changes. See: https://docs.zizmor.sh/audits/#dangerous-triggers
Windows CMD shell is needed to test Windows-specific behavior. See: https://docs.zizmor.sh/audits/#misfeature
Use the built-in gh CLI instead of a third-party action. See: https://docs.zizmor.sh/audits/#superfluous-actions
TODO: Add dedicated environments for secrets used in cross-repo triggers and bot authentication. See: https://docs.zizmor.sh/audits/#secrets-outside-env
Update version comments to match the actual commit SHA tags. See: https://docs.zizmor.sh/audits/#ref-version-mismatch
Zizmor is a GitHub Actions security linter. See: https://docs.zizmor.sh/
Force-pushed from b61dcd0 to d29fee8.
Add security improvements to GitHub Actions workflows based on findings from zizmor, a GitHub Actions security linter.
Please review the individual commits for details on each change:
- `persist-credentials: false` to checkout steps
- `workflow_run` trigger safety in pr-comment.yaml
- `secrets-inherit` for internal trusted workflows
- `softprops/action-gh-release` with `gh` CLI
- `secrets-outside-env` rule (TODO: add dedicated environments)

Similar changes have already been applied to:
I would recommend also adding them to "Require code scanning results" in your PR Branch Rulesets in the GitHub Settings.
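As an added illustration (a constructed workflow, not one from this PR or from erlang/otp), the two jobs below put the artipacked and template-injection patterns that the commits above and the list in the description address next to their hardened forms; the commit SHA in the `after` job is a placeholder.

```yaml
name: pr-check
on:
  pull_request:

permissions:
  contents: read        # least privilege: nothing in this workflow writes

jobs:
  before:               # constructed example of both findings
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        # artipacked: persist-credentials defaults to true, so the token is
        # written to .git/config and leaks with any later artifact or cache
        # upload of the checkout.
      - name: Echo title
        run: echo "Title: ${{ github.event.pull_request.title }}"
        # template-injection: the expression is substituted into the script
        # text before the shell parses it, so a crafted PR title is
        # interpreted as shell syntax rather than as data.

  after:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        # ref-version-mismatch: keep the version comment in sync with the SHA.
        with:
          persist-credentials: false
      - name: Echo title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Title: $PR_TITLE"
        # The value reaches the shell through the environment and is only
        # ever expanded as a quoted variable, never parsed as script text.
```

Pointing zizmor at the workflow directory shows the difference between the two jobs; the `before` job is the one that produces the findings.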