Lock down github action permissions #23566
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
KevinMind
force-pushed
the
kevinmind/addons/15312
branch
7 times, most recently
from
38b1562 to
a9df80f
Compare
KevinMind
requested review from
a team,
Copilot and
diox
and removed request for
a team
There was a problem hiding this comment.
Pull Request Overview
Lock down default GitHub Action permissions to {} and apply least-privilege patterns, while updating workflows to pin reusable actions, enforce credential handling, and add linting via Zizmor.
- Added
permissions: {}to workflows and called out only the needed secrets per job. - Pinned local composite actions (
context,login-docker,login-gar) to specific SHAs and removed their local definitions. - Introduced Zizmor linting in
docker-compose.tools.ymland updated Makefile to run both Actionlint and Zizmor.
Reviewed Changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| zizmor.yml | Introduce Zizmor lint rule for template injection |
| docs/topics/development/github_actions.md | Remove outdated docs for composite actions after workflow refactor |
| docker-compose.tools.yml | Refactor compose file with a base service and two lint services |
| Makefile-os | Add zizmor target and adjust Actionlint invocation |
| .github/workflows/*.yml | Add top-level permissions: {}, pin action versions, adjust checkout credentials |
| .github/actions/build-docker/action.yml | Pin Docker metadata action, streamline env usage for build steps |
Comments suppressed due to low confidence (4)
docker-compose.tools.yml:11
- The 'extends' key is not supported in Docker Compose v2+ specs. Consider using YAML anchors (x-extensions) or top-level 'x-' fields to DRY your service definitions instead.
extends: base
.github/workflows/draft_release.yml:78
- Using '<push_hero>' inserts a literal string instead of the variable value. Replace '<push_hero>' with '${push_hero}' to interpolate the input.
template=${template//\{\{GITHUB_USER\}\}/<push_hero>}
.github/actions/build-docker/action.yml:37
- The local 'context' action was removed in this PR. Update this step to pin the remote action (e.g., 'uses: mozilla/addons/.github/actions/context@') or restore the local definition.
uses: ./.github/actions/context
.github/workflows/_health_check.yml:32
- Changing the 'environment' inputs from 'production' to 'prod' is a breaking change for any callers. Ensure all workflow_call consumers and documentation are updated to the new keys.
- prod
a9df80f to
a9dc734
Compare
|
Stable. |
diox
reviewed
Jun 13, 2025
.github/workflows/ci.yml
Outdated
Comment on lines
328
to
341
| # - name: Slack Notification | ||
| # uses: mozilla/addons/.github/actions/slack-workflow-notification@f1d4daa008d908d52815aa41257db39b8cdef958 | ||
| # with: | ||
| # slack_token: ${{ secrets.SLACK_TOKEN }} | ||
| # slack_channel: ${{ vars.SLACK_ADDONS_PRODUCTION_CHANNEL }} | ||
| # emoji: ${{ steps.emoji.outputs.emoji }} | ||
| # actor: ${{ env.actor }} | ||
| # conclusion: ${{ matrix.result }} | ||
| # workflow_id: ${{ env.workflow_id }} | ||
| # workflow_url: ${{ env.workflow_url }} | ||
| # event: ${{ env.event }} | ||
| # env: ${{ env.env }} | ||
| # ref: ${{ matrix.ref }} | ||
| # ref_link: ${{ matrix.ref_link }} |
There was a problem hiding this comment.
I wanted to prevent actually sending any notifications. I will unblock now, though this won't run until after the PR lands.. technically possible to switch things up so that it would but it could trigger a dev deployment and probably not worth it.
There was a problem hiding this comment.
Added dry_run so we can see what is passed to the action without actually sending a notification in slack. working on the latest push of this branch
KevinMind
force-pushed
the
kevinmind/addons/15312
branch
4 times, most recently
from
6aac93d to
84d9bf9
Compare
KevinMind
force-pushed
the
kevinmind/addons/15312
branch
from
84d9bf9 to
bfcc78c
Compare
diox
approved these changes
Jun 18, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes: mozilla/addons#15312
Description
Context
By locking down default permissions and adding them back on a job or even step level gives us the most granular and limited by default security model for GHA.
Ensuring a step/job/workflow can only do what it intends and should be allowed to do.
Testing
Tests Green
Checklist
#ISSUENUMat the top of your PR to an existing open issue in the mozilla/addons repository.