Skip to content

ci: security: Cherry-pick all Zizmor fixes from upstream#416

Merged
sprt merged 17 commits into
msft-mainfrom
sprt/zizmor-cherrypick
Oct 21, 2025
Merged

ci: security: Cherry-pick all Zizmor fixes from upstream#416
sprt merged 17 commits into
msft-mainfrom
sprt/zizmor-cherrypick

Conversation

@sprt
Copy link
Copy Markdown

@sprt sprt commented Oct 17, 2025
edited
Loading

@sprt sprt requested review from a team as code owners October 17, 2025 17:42
@sprt sprt added the upstream/merged PRs that have been merged upstream label Oct 17, 2025
@sprt sprt marked this pull request as draft October 17, 2025 17:45
stevenhorsman and others added 6 commits October 17, 2025 12:55
@stevenhorsman @sprt
workflows: Tighten up workflow permissions
6e73ff9 
Since the previous tightening a few workflow updates have
gone in and the zizmor job isn't flagging them as issues,
so address this to remove potential attack vectors

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
@stevenhorsman @sprt
workflows: Set top-level permissions to empty
0adedaa 
The default suggestion for top-level permissions was
`contents: read`, but scorecard notes anything other than empty,
so try updating it and see if there are any issues. I think it's
only needed if we run workflows from other repos.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
@sprt
gha: Run Zizmor without Advanced Security
09f89c0 
This does not change the security of the analysis, this is just to work
around zizmorcore/zizmor-action#43.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
@sprt
gha: Set Zizmor check as non-required
7e7824f 
As a consequence of moving away from Advanced Security for Zizmor, it now
checks the entire codebase and will error out on this PR and future.

To be reverted once we address all Zizmor findings in a future PR.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
@sprt
gha: zizmor: fix "workflow or action definition without a name" error
9085aeb 
This fixes that error everywhere by adding a `name:` field to all jobs that
were missing it. We keep the same name as the job ID to ensure no
disturbance to the required job names.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
@sprt
ci: zizmor: Disable undocumented-permissions audit
61efd38 
There are 62 such warnings and addressing them would take quite a bit of
time so just disable them for now.

help[undocumented-permissions]: permissions without explanatory comments
  --> ./.github/workflows/release.yaml:71:7
   |
71 |       packages: write
   |       ^^^^^^^^^^^^^^^ needs an explanatory comment
72 |       id-token: write
   |       ^^^^^^^^^^^^^^^ needs an explanatory comment
73 |       attestations: write
   |       ^^^^^^^^^^^^^^^^^^^ needs an explanatory comment
   |
   = note: audit confidence → High

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
@sprt sprt force-pushed the sprt/zizmor-cherrypick branch from 37bed37 to 4819b28 Compare October 17, 2025 17:57
sprt added 3 commits October 17, 2025 13:22
@sprt
ci: zizmor: Fix all template-injection alerts
8077d81 
Fix all instances of template injection by using environment variables as
recommended by Zizmor, instead of directly injecting values into the
commands.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
@sprt
ci: zizmor: Reestablish as required test
8d205af 
We can re-require this now that we've addressed all the issues.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
@sprt
ci: actionlint: Address issues and set as required
c9eac7a 
Address issues just introduced and set actionlint as a required by removing
the path filter.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
@sprt sprt force-pushed the sprt/zizmor-cherrypick branch from b315483 to 7576ed5 Compare October 17, 2025 18:22
stevenhorsman and others added 7 commits October 17, 2025 13:31
@stevenhorsman @sprt
ci: Make install_go.sh more portable
caf4a2f 
`${kernel_name,,}`  is bash 4.0 and not posix compliant, so doesn't
work on macos, so switch to `tr` which is more widely
supported

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
@stevenhorsman @sprt
build: Add darwin support to arch_to_golang
aeaac2b 
Avoid the error `ERROR: unsupported architecture: arm64`
in install_go.sh on darwin

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
@stevenhorsman @sprt
workflows: Switch workflows to use install_go.sh
19e0c8c 
Update the two workflows that used setup-go to
instead call `install_go.sh` script, which handles
installing the correct version of golang

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
@stevenhorsman @sprt
versions: Bump golang to 1.24.6
4777096 
golang 1.25 has been released, so 1.23 is EoL,
so we should update to ensure we don't end up with security issues

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
@stevenhorsman @sprt
runtime: Fix non constant Errorf formatting
7d69415 
As part of the go 1.24.6 bump there are errors about the incorrect
use of a errorf, so switch to the non-formatting version, or add
the format string as appropriate

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
@sprt
gha: Fix docs-url-alive-check workflow
552b0b1 
The Go installation step was broken because the checkout action was
checking out the code in a subdirectory:

https://github.com/kata-containers/kata-containers/actions/runs/18265538456/job/51999316919

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
@sprt
gha: Add workflow_dispatch trigger to docs-url-alive-check
e4109b2 
We can't test this PR because the workflow needs this trigger, so adding
this will allow testing future PRs.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
@sprt sprt force-pushed the sprt/zizmor-cherrypick branch from 7576ed5 to e4109b2 Compare October 17, 2025 18:32
@sprt
tests: Install Go from reliable mirror
cffab0a 
Downloading Go from storage.googleapis.com fails intermittently with a 403
(see error below) so we switch to go.dev as referenced at
https://go.dev/dl/.

/tmp/install-go-tmp.Rw5Q4thEWr ~/work/kata-containers/kata-containers
/usr/bin/go
[install_go.sh:85] INFO: removing go version go1.24.9 linux/amd64
[install_go.sh:94] INFO: Download go version 1.24.6
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   298  100   298    0     0   2610      0 --:--:-- --:--:-- --:--:--  2614
[install_go.sh:97] INFO: Install go

gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now
[install_go.sh:99] ERROR: sudo tar -C /usr/local/ -xzf go1.24.6.linux-amd64.tar.gz

https://github.com/kata-containers/kata-containers/actions/runs/18602801597/job/53045072109?pr=11947#step:5:17

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
@sprt
Copy link
Copy Markdown
Author

sprt commented Oct 17, 2025
edited
Loading

Post-merge todo: update zizmor and actionlint as required checks in repo settings.

@sprt sprt marked this pull request as ready for review October 17, 2025 19:46
@sprt sprt merged commit ed0b643 into msft-main Oct 21, 2025
79 of 100 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danmihai1 danmihai1 danmihai1 approved these changes

Assignees

No one assigned

Labels

upstream/merged PRs that have been merged upstream

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sprt @danmihai1 @stevenhorsman