fix: harden GitHub Actions workflows #2

Merged. Dale Bustad (divmain) merged 1 commit into main from fix/zizmor-workflow-security on Mar 25, 2026.

Conversation

Ryan Eberhardt (reberhardt7), Contributor, commented Mar 25, 2026
Summary

  • Add restrictive `permissions: {}` at workflow level with minimal per-job grants (`contents: read` for CI, `checks: read` for check-ci, `id-token: write` + `contents: read` for release)
  • Upgrade actions/checkout to v6.0.2 with `persist-credentials: false` in both workflows to prevent credential persistence (artipacked)
  • Remove explicit npm cache (`cache: 'npm'`) from release workflow's setup-node step to mitigate cache-poisoning on tag-push triggers

- Add restrictive permissions: workflow-level `permissions: {}` with
  minimal per-job grants (contents:read for CI, checks:read for
  check-ci, id-token:write+contents:read for release)
- Upgrade actions/checkout to v6.0.2 with persist-credentials: false
  in both CI and release workflows to prevent credential leakage
- Remove explicit npm cache from release workflow setup-node step
  to mitigate cache-poisoning risk on tag-push triggers

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
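The following is an added illustration, not the repository's own workflow files: a CI workflow and a release workflow written to reflect the three changes the PR description above lists. Workflow names, triggers, job bodies, the Node version, the setup-node version and the publish command are assumptions; the checkout version and the per-job permission grants are those stated in the description.

```yaml
# ci.yml (illustrative; job bodies are assumed, not taken from the PR)
name: CI
on: [push, pull_request]
permissions: {}            # workflow default: no token scopes at all
jobs:
  ci:
    runs-on: ubuntu-latest
    permissions:
      contents: read       # only what checkout and the build need
    steps:
      - uses: actions/checkout@v6.0.2
        with:
          persist-credentials: false   # keep GITHUB_TOKEN out of .git/config
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm       # acceptable here: CI publishes nothing
      - run: npm ci && npm test
  check-ci:
    runs-on: ubuntu-latest
    permissions:
      checks: read         # can read check results, cannot write anything
    steps:
      - run: gh api "repos/$GITHUB_REPOSITORY/commits/$GITHUB_SHA/check-runs"
---
# release.yml (illustrative; job bodies are assumed, not taken from the PR)
name: Release
on:
  push:
    tags: ['v*']
permissions: {}
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write      # OIDC token for provenance; still no repo write scope
    steps:
      - uses: actions/checkout@v6.0.2
        with:
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
          # Before this PR: `cache: npm`. Removed so a tag-triggered release
          # never restores a dependency cache written by an earlier, less
          # trusted run; `npm ci` resolves from the lockfile instead.
      - run: npm ci && npm publish --provenance
```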
@socket-security commented:

Review the following changes in direct dependencies.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | github/actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 ⏵ de0fac2e4500dabe0009e67214ff5f5447ce83dd | 100 (+1) | 100 | 100 | 100 | 100 |

@socket-security-staging commented:

Review the following changes in direct dependencies.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | github/actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 ⏵ de0fac2e4500dabe0009e67214ff5f5447ce83dd | 92 (-7) | 100 | 100 | 100 | 100 |

Ryan Eberhardt (reberhardt7) changed the title from "fix: harden GitHub Actions workflows (zizmor)" to "fix: harden GitHub Actions workflows" on Mar 25, 2026.
Dale Bustad (divmain) merged commit 98abed1 into main on Mar 25, 2026.
6 checks passed

2 participants