ci: add zizmor static analysis and harden existing workflows#39

Merged
kibertoad merged 2 commits into
mainfrom
claude/add-zizmor-ci-checks-sBoT5
May 13, 2026

Conversation

@kibertoad (Owner)

Summary

  • Adds a Zizmor workflow (.github/workflows/zizmor.yml) that runs static analysis on GitHub Actions whenever workflow definitions change, and uploads SARIF results to the repo's Security tab.
  • Addresses every finding Zizmor reports against the existing workflows so the new check lands green from the first PR.

What changed in existing workflows

Audit: unpinned-uses
Fix applied: All action references (actions/*, github/*, astral-sh/*, dorny/paths-filter, fastify/github-action-merge-dependabot) are now pinned to commit SHAs with version comments, matching the convention already used for tj-actions/changed-files.

Audit: template-injection
Fix applied: ${{ inputs.package_name }} (in ci.common.yml) and ${{ steps.filter.outputs.changes }} (in publish.yml) no longer expand directly into shell run: blocks; they're routed through env: and read as "$VAR". Same treatment for ${{ matrix.shell }} in ci.yml.

Audit: excessive-permissions
Fix applied: Workflow-level permissions: {} plus job-level minimum permissions (contents: read, pull-requests: read, etc.) added to every workflow that was relying on the default token permissions.

Audit: artipacked
Fix applied: persist-credentials: false added to all actions/checkout invocations except the publish.yml release job, which intentionally keeps credentials so it can push the version-bump commit and tags.

Verification

Local run with the version Zizmor will use in CI:

$ zizmor .github/workflows/
No findings to report. Good job!

Test plan

  • CI's new Zizmor job passes
  • actions/checkout, actions/setup-node, actions/upload-artifact SHAs resolve to the documented version tags
  • lint, examples, examples-e2e, catalog-e2e, and build jobs still pass with the new permissions: blocks (read-only is sufficient for npm install + build + test)
  • publish.yml release path still pushes commits/tags (its checkout retains persist-credentials: true)

Generated by Claude Code

Adds a Zizmor workflow that runs on PRs touching workflow definitions
and uploads SARIF results to the GitHub Security tab. Addresses every
finding reported on the existing workflows so the new check lands green:

- Pin all third-party and first-party action references to commit
  SHAs (with version comments) — eliminates `unpinned-uses` errors
- Move templated `${{ inputs.* }}` and `${{ steps.*.outputs.* }}`
  expansions in `run:` blocks behind env vars — eliminates
  `template-injection` errors in ci.common.yml and publish.yml
- Add workflow- and job-level `permissions:` blocks scoped to the
  minimum each job needs — eliminates `excessive-permissions` warnings
- Add `persist-credentials: false` to checkouts that don't push back
  to the repo — eliminates `artipacked` findings (the publish job's
  release checkout intentionally keeps credentials so it can push
  version bumps and tags)
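The template-injection fix described above, as an added example that is not part of the PR or the project's workflows: a POSIX shell script that mimics how the Actions runner substitutes the result of ${{ inputs.package_name }} into the run: script text before the shell ever sees it, then runs the same untrusted value through the env: route the PR adopts. The run: lines, the PAYLOAD value and the lint_run_script check are constructed for this demonstration; lint_run_script is a coarse stand-in for what zizmor's template-injection audit flags, not its actual logic.

```shell
#!/bin/sh
# Added example, not code from the PR or the project. Simulates the runner's
# textual expansion of a ${{ ... }} expression into a run: script and shows why
# routing the value through env: closes the hole. The run: lines and the
# payload below are constructed for the demonstration.

TOKEN='${{ inputs.package_name }}'

# Before: the expression is spelled directly inside the run: script text.
UNSAFE_RUN='echo "publish packages/${{ inputs.package_name }}"'

# After: the script text only references $PKG; the expression moves to env:.
SAFE_RUN='echo "publish packages/$PKG"'

# Replace every occurrence of the literal token $2 with $3 in $1, the way the
# runner substitutes expression results into the script body before execution.
substitute() {
    text=$1; token=$2; value=$3; out=
    while :; do
        case $text in
            *"$token"*)
                out=$out${text%%"$token"*}$value
                text=${text#*"$token"}
                ;;
            *)
                out=$out$text
                break
                ;;
        esac
    done
    printf '%s' "$out"
}

# Unsafe path: whatever the input contains becomes part of the shell program.
run_unsafe() {
    script=$(substitute "$UNSAFE_RUN" "$TOKEN" "$1")
    sh -c "$script" 2>&1
}

# Hardened path: the value travels in the environment; the program text is fixed.
run_safe() {
    PKG=$1 sh -c "$SAFE_RUN" 2>&1
}

# Coarse stand-in for zizmor's template-injection audit: a run: script must not
# carry an expression in its text at all (returns 1 when one is found).
lint_run_script() {
    case $1 in
        *'${{'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed attacker-controlled input, e.g. a package name from a dispatch.
PAYLOAD='x"; echo INJECTED #'

echo "--- unsafe run: (second line proves code execution) ---"
run_unsafe "$PAYLOAD"
echo "--- hardened run: (payload stays inert data) ---"
run_safe "$PAYLOAD"
```

The unsafe path prints a second line, INJECTED, because the closing quote and semicolon in the payload terminated the echo and started a new command; the hardened path prints the payload verbatim as part of one string. The same mechanism applies to ${{ steps.filter.outputs.changes }} and ${{ matrix.shell }} in the PR: the fix is not quoting inside run:, but keeping expressions out of the script text entirely.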
@coderabbitai

coderabbitai Bot commented May 13, 2026

Warning

Rate limit exceeded

@kibertoad has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 48 minutes and 49 seconds before requesting another review.

📥 Commits

Reviewing files that changed from the base of the PR and between 56c9e16 and 884c851.

📒 Files selected for processing (5)
  • .github/workflows/ci.common.yml
  • .github/workflows/ci.yml
  • .github/workflows/ensure-labels.yml
  • .github/workflows/publish.yml
  • .github/workflows/zizmor.yml

The previous SHA pointed at v3.32.0's annotated tag object, not the
commit it points to. zizmor's impostor-commit audit couldn't resolve
it via the GitHub API and emitted a fast-path warning. Use the peeled
commit SHA so the impostor check resolves cleanly.
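The annotated-tag point in that commit message, as an added example that is not part of the PR or the project: a shell script that builds a throwaway local git repository with one empty commit and one annotated tag (the tag name v1.0.0 is made up), then shows that the tag's own object SHA and the peeled commit SHA differ, and how to obtain the peeled value, both via rev-parse and via the ^{} line of git ls-remote, before writing a uses: owner/repo@<sha> pin. It requires git and runs offline; the fixture path stands in for a remote URL.

```shell
#!/bin/sh
# Added example, not code from the PR or the project. Shows the difference
# between an annotated tag's object SHA and the peeled commit SHA it points at,
# and how to obtain the latter before writing a `uses: owner/repo@<sha>` pin.
# A throwaway local repository is constructed so everything runs offline; the
# tag name v1.0.0 is made up.
set -eu

make_fixture_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "release"
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        tag -a v1.0.0 -m "v1.0.0"
    printf '%s' "$dir"
}

# What `git rev-parse <tag>` yields for an annotated tag: the tag object itself.
# Pinning this SHA gives a value that does not resolve as a commit.
tag_object_sha() { git -C "$1" rev-parse "refs/tags/$2"; }

# The peeled SHA: the commit the tag points at. This is what belongs after the @.
peeled_commit_sha() { git -C "$1" rev-parse "refs/tags/$2^{commit}"; }

# The same answer without a local clone, the way you would query a remote:
#   git ls-remote --tags https://github.com/OWNER/REPO
# The line whose ref ends in ^{} carries the peeled commit SHA. Here $1 is the
# fixture path standing in for the URL.
peeled_from_ls_remote() {
    git ls-remote --tags "$1" | grep -F "refs/tags/$2^{}" | cut -f1
}

# Sanity check for a candidate pin: it must name a commit, not a tag object.
object_type() { git -C "$1" cat-file -t "$2"; }

demo() {
    repo=$(make_fixture_repo)
    tag=$(tag_object_sha "$repo" v1.0.0)
    commit=$(peeled_commit_sha "$repo" v1.0.0)
    printf 'tag object:    %s (%s)\n' "$tag" "$(object_type "$repo" "$tag")"
    printf 'peeled commit: %s (%s)\n' "$commit" "$(object_type "$repo" "$commit")"
    printf 'via ls-remote: %s\n' "$(peeled_from_ls_remote "$repo" v1.0.0)"
    rm -rf "$repo"
}

demo
```

Against a real action repository the equivalent check is git ls-remote --tags on its URL: take the SHA from the ref line ending in ^{} (or, after cloning, rev-parse the tag with ^{commit}), and confirm with git cat-file -t that the value you are about to pin is a commit. Lightweight tags have no separate object, so both forms agree there; only annotated tags show the mismatch the commit message describes.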
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@kibertoad kibertoad merged commit a97bfd7 into main May 13, 2026
4 checks passed
@kibertoad kibertoad deleted the claude/add-zizmor-ci-checks-sBoT5 branch May 13, 2026 23:09
kibertoad added a commit that referenced this pull request May 15, 2026
Two issues with the CI workflow surfaced on this PR:

1. The reusable `ci.common.yml` declares `permissions: contents: read`
   on its build job, but the calling `build` job in `ci.yml` had no
   `permissions:` block. Combined with the workflow-level
   `permissions: {}` added in #39, the caller could not grant the
   permissions the reusable workflow needs, so every CI run since #39
   has been a `startup_failure` with zero jobs scheduled. Grant
   `contents: read` on the caller job so the reusable workflow can run.

2. `PATH_TO_NAME` in `changed-files-job` enumerated every workspace
   package except `packages/journeys`, so PRs touching only journeys
   produced an empty `packages` output and skipped the build matrix
   entirely. Add the missing entry.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
3 participants