ci: fix zizmor audit findings by MarshallOfSound · Pull Request #4200 · electron/forge

MarshallOfSound · 2026-04-02T19:59:28Z

Fixes zizmor audit findings surfaced in the latest scheduled audit run.

Auto-fixes applied:

dependabot-cooldown: added 7-day default cooldown for github-actions updates
artipacked: added persist-credentials: false to all actions/checkout steps
cache-poisoning: added lookup-only: true to ESLint cache step
template-injection: moved steps.version.outputs.version into env var in release.yml

Manual fixes:

excessive-permissions: added top-level permissions: {} block to ci.yml, gh-pages.yml, and release.yml, plus minimal contents: read job-level grants where needed

Remaining (low-confidence) findings:

5 cache-poisoning warnings on actions/setup-node calls. These are flagged because the workflows are triggered by tag/branch pushes (publishing-style triggers). In ci.yml the cache is commented out, and in gh-pages.yml yarn caching is needed for the docs build. These have low audit confidence and are accepted as known.

MarshallOfSound and others added 3 commits April 2, 2026 19:59

ci: fix zizmor audit findings

a2891f1

ci: address cache-poisoning findings with package-manager-cache: false

9aa51f9

chore: fixup

4fa25ca

dsanders11 marked this pull request as ready for review April 2, 2026 22:13

dsanders11 requested a review from a team as a code owner April 2, 2026 22:13

dsanders11 approved these changes Apr 2, 2026

View reviewed changes

dsanders11 added this pull request to the merge queue Apr 3, 2026

Merged via the queue into main with commit f126250 Apr 3, 2026
12 checks passed

dsanders11 deleted the ci/zizmor-audit-fixes branch April 3, 2026 00:32

Provide feedback