fix(ci): harden all workflows per zizmor audit #105
Merged
- Pin all action references to commit SHAs (31 unpinned-uses resolved)
- Add explicit least-privilege permissions at workflow and job level
- Set persist-credentials: false on every checkout step
- Scope release.yaml permissions per job instead of workflow-level
- Delete legacy publish_pypi.yaml (redundant with release.yaml trusted publishing)
- Suppress pull_request_target warning in labeler.yaml (correct usage)

Reduces zizmor findings from 75 (36 high) to 1 acceptable warning (codecov secret outside dedicated environment).
Codecov Report: All modified and coverable lines are covered by tests.

```
@@           Coverage Diff           @@
##             main     #105   +/-   ##
=======================================
  Coverage   95.63%   95.63%
=======================================
  Files           8        8
  Lines        1719     1719
=======================================
  Hits         1644     1644
  Misses         75       75
```
- Rewrite README with proper badges, description, quick start, and uv dev setup
- Update all URLs from NREL/plexosdb to NatLabRockies/plexosdb (README + pyproject.toml)
- Add .prettierrc.yaml (printWidth: 80, proseWrap: always)
- Add prettier hook for markdown in pre-commit config
- Migrate pre-commit-hooks from GitHub repo to builtin
- Add extra builtin hooks (detect-private-key, no-commit-to-branch, check-xml, etc.)
- Reformat all markdown docs with prettier
- Replace pre-commit with prek in dev dependencies
- Rename CI job from pre-commit to prek, use prek run command
- Update README developer setup to use prek install
Summary

- Pin all action references to commit SHAs
- Add explicit least-privilege `permissions` at workflow and job level across all workflows
- Set `persist-credentials: false` on every checkout step (9 total)
- Scope `release.yaml` permissions per job instead of broad workflow-level grants
- Delete `publish_pypi.yaml` (redundant with `release.yaml` trusted publishing)
- Suppress `pull_request_target` warning in `labeler.yaml` (correct usage pattern)

Motivation

`zizmor` audit flagged 75 findings (36 high, 11 medium, 9 low, 1 info) across 6 workflow files. After this PR: 1 acceptable warning (codecov secret outside dedicated environment).

Files Changed

- `CI.yaml`: `permissions: {}` top-level, job-level `contents: read`, `persist-credentials: false`
- `commit.yaml`: `permissions: {}` top-level, job-level `contents: read`, `persist-credentials: false`
- `docs.yaml`: `permissions: contents: write`, `persist-credentials: false`
- `labeler.yaml`: `persist-credentials: false`, `zizmor: ignore[dangerous-triggers]`
- `publish_pypi.yaml`: deleted (redundant with `release.yaml` trusted publishing)
- `release.yaml`: `permissions: {}` top-level, per-job least-privilege, `persist-credentials: false`

Plan: docs/plans/2026-03-15-zizmor-ci-hardening.md
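Three of the controls listed in the PR description and in the Files Changed list above (SHA-pinned `uses:` references, an explicit top-level `permissions:` block, and `persist-credentials: false` on every `actions/checkout` step) are easy to check mechanically. The script below is an added example written for this page; it is not code from the plexosdb repository nor zizmor's implementation. It runs a line-based heuristic over the workflow text instead of a real YAML parse, the two workflow snippets it audits are constructed (a weak "before" and a hardened "after" shaped like the `CI.yaml` change), and the 40-character pin is a placeholder, not a real commit.

```python
"""Audit a GitHub Actions workflow for three hardening controls.

Added example, not plexosdb or zizmor code. Line-based heuristic over the
workflow text (no YAML library needed). Flags:
  * `uses:` refs not pinned to a full 40-hex commit SHA,
  * workflows with no top-level `permissions:` block,
  * actions/checkout steps that leave `persist-credentials` at its default
    (true), which stores the job's GITHUB_TOKEN in .git/config where any
    later step or third-party action in the job can read it.
"""
from __future__ import annotations

import re

HEX40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*(?P<ref>[^\s#]+)")
STEP_START = re.compile(r"^\s*-\s")  # YAML list item: start of a step
TOP_LEVEL_PERMISSIONS = re.compile(r"^permissions:")
PERSIST_FALSE = re.compile(r"^\s*persist-credentials:\s*false\s*$")

# Placeholder pin, not a real commit: only its shape (40 hex chars) matters.
PIN = "0" * 40

# Constructed "before": tag refs, no permissions block, default checkout.
WEAK_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: uv run pytest
"""

# Constructed "after", shaped like the CI.yaml changes this PR describes.
HARDENED_WORKFLOW = f"""\
name: CI
on: [push, pull_request]
permissions: {{}}
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@{PIN}  # v4
        with:
          persist-credentials: false
      - uses: actions/setup-python@{PIN}  # v5
        with:
          python-version: "3.12"
      - run: uv run pytest
"""


def unpinned_uses(workflow: str) -> list[str]:
    """Every `uses:` ref whose version is not a 40-hex SHA (tags are mutable)."""
    findings = []
    for line in workflow.splitlines():
        m = USES.match(line)
        if not m:
            continue
        ref = m.group("ref")
        # Local actions and docker images have no git ref to pin; skip them.
        if ref.startswith(("./", "docker://")) or "@" not in ref:
            continue
        if not HEX40.match(ref.rpartition("@")[2]):
            findings.append(ref)
    return findings


def has_top_level_permissions(workflow: str) -> bool:
    """True if a `permissions:` key appears at column 0 (workflow level)."""
    return any(TOP_LEVEL_PERMISSIONS.match(l) for l in workflow.splitlines())


def _steps(workflow: str) -> list[list[str]]:
    """Group lines into step blocks; a block runs from one '- ' item to the next."""
    blocks: list[list[str]] = []
    current: list[str] = []
    for line in workflow.splitlines():
        if STEP_START.match(line):
            if current:
                blocks.append(current)
            current = [line]
        elif current:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def checkouts_keeping_credentials(workflow: str) -> list[str]:
    """Refs of actions/checkout steps with no `persist-credentials: false`."""
    findings = []
    for block in _steps(workflow):
        refs = [USES.match(l).group("ref") for l in block if USES.match(l)]
        if not any(r.startswith("actions/checkout@") for r in refs):
            continue
        if not any(PERSIST_FALSE.match(l) for l in block):
            findings.append(refs[0])
    return findings


def audit(workflow: str) -> dict[str, list[str]]:
    """Run all three checks; an empty dict means the workflow passed."""
    findings: dict[str, list[str]] = {}
    if unpinned := unpinned_uses(workflow):
        findings["unpinned-uses"] = unpinned
    if not has_top_level_permissions(workflow):
        findings["missing-permissions"] = ["no top-level permissions: block"]
    if leaky := checkouts_keeping_credentials(workflow):
        findings["persist-credentials"] = leaky
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_WORKFLOW))
    print("hardened:", audit(HARDENED_WORKFLOW))
```

Pinning to a SHA rather than a tag matters because a tag such as `v4` can be moved to a different commit by whoever controls the action's repository, while a full SHA cannot. A top-level `permissions: {}` forces every job to declare the scopes it needs (the hardened sample grants only `contents: read` to its job), and `persist-credentials: false` keeps the token out of `.git/config` for steps that only need the source tree.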