generated from PSModule/Template-PSModule
Closed
Description
Summary
Errors were found during linting of GITHUB_ACTIONS_ZIZMOR. See logs below:
2026-01-23 00:22:52 [INFO] Linting GITHUB_ACTIONS_ZIZMOR items...
Error: -23 00:22:53 [ERROR] Found errors when linting GITHUB_ACTIONS_ZIZMOR. Exit code: 1.
2026-01-23 00:22:53 [INFO] Command output for GITHUB_ACTIONS_ZIZMOR:
------
warning[secrets-inherit]: secrets unconditionally inherited by called workflow
  --> /github/workspace/.github/workflows/Process-PSModule.yml:30:11
   |
30 |     uses: PSModule/Process-PSModule/.github/workflows/workflow.yml@be7d5dcbceec14855d325fdd34f2a7c2f05a7f57 # v5.4.1
   |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
31 |     secrets: inherit
   |     ---------------- inherits all parent secrets
   |
   = note: audit confidence → High
   = help: audit documentation → https://docs.zizmor.sh/audits/#secrets-inherit
Steps to Reproduce
- Run the GITHUB_ACTIONS_ZIZMOR linter on the repository workflows.
- Inspect the error output above for details.
Expected Behavior
No lint errors should be found related to unconditional secrets inheritance in workflow calls.
Suggested Fix
- Update ".github/workflows/Process-PSModule.yml" to prevent unconditional inheritance of secrets.
- Review reusable workflow invocation at line 30 and use selective secrets passing if possible. Requires the GITHUB_TOKEN only it seems.
- Document changes and verify lint passes cleanly.
For more details, refer to the audit documentation.
References
- Job context: See job with ref:
- Audit: https://docs.zizmor.sh/audits/#secrets-inherit
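The change described under Suggested Fix, shown as an added example that is not part of the original issue or the repository's own workflow file. The job name `Process-PSModule` and the secret name `EXAMPLE_SECRET` are placeholders, and the first corrected form assumes, as the issue suggests, that the called workflow needs only the automatic `GITHUB_TOKEN`.

```yaml
# Flagged form: every secret visible to the calling repository is forwarded
# to the reusable workflow, whether or not it uses them.
jobs:
  Process-PSModule:            # placeholder job name
    uses: PSModule/Process-PSModule/.github/workflows/workflow.yml@be7d5dcbceec14855d325fdd34f2a7c2f05a7f57 # v5.4.1
    secrets: inherit
---
# Corrected form A: only the automatic token is needed.
# A called workflow receives the caller's GITHUB_TOKEN without any `secrets:`
# entry, so the key is removed. Scope the token with `permissions:` instead.
# The scopes below are illustrative; set the ones the called workflow needs.
jobs:
  Process-PSModule:            # placeholder job name
    permissions:
      contents: read
    uses: PSModule/Process-PSModule/.github/workflows/workflow.yml@be7d5dcbceec14855d325fdd34f2a7c2f05a7f57 # v5.4.1
---
# Corrected form B: the called workflow declares named secrets under
# `on.workflow_call.secrets`. Pass only those, one by one.
# EXAMPLE_SECRET is a placeholder; use the names the called workflow declares.
jobs:
  Process-PSModule:            # placeholder job name
    uses: PSModule/Process-PSModule/.github/workflows/workflow.yml@be7d5dcbceec14855d325fdd34f2a7c2f05a7f57 # v5.4.1
    secrets:
      EXAMPLE_SECRET: ${{ secrets.EXAMPLE_SECRET }}
```

Either corrected form clears the `secrets-inherit` finding, because the audit fires only on the literal `secrets: inherit` at a reusable workflow call.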