
fix: harden GitHub Actions workflows #5

Merged
jdalton merged 1 commit into main from fix/zizmor-workflow-security, Apr 2, 2026

Conversation

@reberhardt7 (Contributor) commented Mar 25, 2026

Summary

  • Add workflow-level permissions: {} with per-job minimal permissions (contents: read for validate/test-e2e, contents: write for update)
  • Upgrade actions/checkout from v4 to v6.0.2 (SHA-pinned) across all jobs
  • Add persist-credentials: false to checkout steps in jobs that don't need git credentials (validate, test-e2e)
  • Disable secrets-outside-env zizmor rule via .github/zizmor.yml — secrets are already passed through env: vars, not interpolated in run: blocks

- Add workflow-level `permissions: {}` and per-job minimal permissions
  (contents: read for validate/test-e2e, contents: write for update)
- Upgrade actions/checkout from v4 to v6.0.2 (SHA-pinned)
- Add persist-credentials: false to checkout steps that don't need
  git credentials (validate, test-e2e jobs)
- Disable secrets-outside-env rule via .github/zizmor.yml (secrets are
  already passed through env vars, not run blocks)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
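The hardened layout the PR describes, written out as an added example (not the repository's own workflow, which this page does not show): the job names and permission scopes come from the summary above, the pinned SHA is the new actions/checkout ref Socket reported on this PR, and the file name, commands, secret name and the zizmor `disable` key are assumptions.

```yaml
# .github/workflows/ci.yml (hypothetical file name; the PR's actual workflow is not shown)
name: CI
on: [push, pull_request]

# Workflow-level default: no permissions at all. Each job opts in below, so a
# job that forgets to declare permissions gets a GITHUB_TOKEN that can do nothing.
permissions: {}

jobs:
  validate:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # a read-only checkout is all this job needs
    steps:
      # Pinned to the full commit SHA (the new ref Socket reported on this PR), with
      # the tag in a comment for humans; a moved or deleted tag cannot change the code.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false   # no token left behind in .git/config
      - run: npm run validate          # hypothetical command

  test-e2e:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      # The secret reaches the step only as an environment variable; the run: text
      # never contains a ${{ secrets.* }} expression, so it is not substituted into
      # the script that gets logged or echoed.
      E2E_API_KEY: ${{ secrets.E2E_API_KEY }}   # hypothetical secret name
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - run: npm run test:e2e          # reads "$E2E_API_KEY" from the environment

  update:
    runs-on: ubuntu-latest
    permissions:
      contents: write       # this job pushes a commit, so it keeps write scope
    steps:
      # Credentials stay persisted here (the default) because the push needs them.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - run: ./scripts/update-and-push.sh   # hypothetical; commits and pushes
---
# .github/zizmor.yml: turn off the one rule that misfires on the env: pattern above.
rules:
  secrets-outside-env:
    disable: true   # assumed key; the PR's zizmor.yml itself is not shown on this page
```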
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Updated | github/actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 ⏵ de0fac2e4500dabe0009e67214ff5f5447ce83dd | 100 (+1) | 100 | 100 | 100 | 100 |


@socket-security-staging

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Updated | github/actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 ⏵ de0fac2e4500dabe0009e67214ff5f5447ce83dd | 92 | 100 | 100 | 100 | 100 |


@reberhardt7 changed the title from "fix: harden GitHub Actions workflows (zizmor)" to "fix: harden GitHub Actions workflows", Mar 25, 2026
@jdalton merged commit 843f7d4 into main, Apr 2, 2026
5 checks passed
@jdalton deleted the fix/zizmor-workflow-security branch, April 2, 2026 06:00