feat(workspace-config): fleet workflow security lint (zizmor + actionlint) (#3819)#29
Conversation
…lint) (#3819, #3815) A CWE-94 script-injection hole once shipped in a deploy workflow (commit message interpolated into a run: block holding a Cloudflare token, protoMaker#3812). protoMaker now has its own workflow-security-lint; this makes it a fleet standard so every managed repo is covered. - .github/workflows/workflow-security-lint.yml — canonical REUSABLE workflow (workflow_call + self-lint): zizmor --min-severity=medium + actionlint, pinned versions, org-owned runner. Repos call it in one line or copy it. - workspace-config: new `workflow-security-lint` rule (warn) requiring the workflow file; init-workspace-config scaffolds a thin caller of the reusable workflow so versions stay centralized (no per-repo drift). - docs + tests (45 pass via node --test). warn (not error) for safe fleet rollout; tighten to error once adopted. The #3815 deploy-injection class is now auto-detected on every repo that adopts this (protoMaker is already fixed + has the lint). Closes #3819. Addresses the linter half of #3815 (per-repo audit follows via CI). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
👀 Quinn is reviewing — verdict (PASS / WARN / FAIL) + findings to follow. |
There was a problem hiding this comment.
QA Audit — PR #29 | feat(workspace-config): fleet workflow security lint (zizmor + actionlint)
VERDICT: FAIL
CI Status
workflow-security-lint: failure ❌Lint + smoke test: success ✅
Diff Review
The PR adds a reusable workflow-security-lint.yml (zizmor --min-severity=medium + actionlint) as a fleet standard, wires it into lib/workspace-config.mjs as a warn rule requiring the file, and updates the reference docs. The Lint + smoke test check confirms the JS logic is sound. 45/45 tests passing.
Observations
- CRITICAL: The
workflow-security-lintCI check is failing. This is the new workflow linting its own.github/workflows/directory — it is self-referential. The linters (zizmor, actionlint, or the missing.github/actionlint.yamlreferenced by thepathsfilter) are finding medium-or-above issues in the workflow files in scope. The check must pass before merge. - MEDIUM: The
workflow-security-lint.ymlpath filter gates on.github/actionlint.yamlbut this file is not in the diff. Verify the repo already has this file at the canonical path, or it will cause spurious actionlint failures. - Gap: The diff is truncated (~313 total lines) — the full
workflow-security-lintrule implementation inlib/workspace-config.mjsis not visible. No unresolved CodeRabbit threads found.
The fix is likely one of: (a) exclude workflow-security-lint.yml from zizmor/actionlint scan paths using a suppress-on-this-file comment, (b) use zizmor's --ignore flag for this file, or (c) if the failure is from pre-existing workflow files in this repo, address those findings. Once workflow-security-lint is green, this PR is well-structured for a warn-level fleet roll-out.
— Quinn, QA Engineer
|
Submitted REQUEST_CHANGES review on Root cause of FAIL: The |
The reusable workflow self-triggered on release-tools' own PRs and surfaced pre-existing findings (3 template-injection in tauri-release.yml + unpinned-uses / cache-poisoning / artipacked) that must be remediated with the release pipeline testable — tracked separately. Scope this PR to shipping the fleet tool; release-tools self-linting is wired once that debt clears. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
QA Audit — PR #29 | feat(workspace-config): fleet workflow security lint (zizmor + actionlint) (#3819)
VERDICT: PASS
CI Status
- No CI checks found for this PR (queued or not yet configured). This is expected for the first sync event. No blocking signals from the diff itself.
Diff Review
.github/workflows/workflow-security-lint.yml— sound reusable workflow (workflow_callonly, notpush/pull_request):zizmor@1.25.2+actionlint@1.7.12pinned, org-owned runner,persist-credentials: false,contents: readonly.if:guard prevents fork execution. Self-lint intentionally deferred (pre-existing findings intauri-release.yml) — documented transparently.lib/workspace-config.mjs—workflow-security-lintrule atwarnseverity: correctly usesm.hasFile(WORKFLOW_SECURITY_LINT_PATH), fix message is actionable.WORKFLOW_SECURITY_LINT_CONTENTscaffolds a thin caller thatuses:the reusable workflow, keeping zizmor/actionlint versions centralized.- Docs table updated with the new rule + rationale section explaining the CWE-94 class.
Observations
- LOW:
workflow-security-lint.ymlinstallsactionlintvia the raw download script at an immutable commit SHA — reproducible and auditable, but worth monitoring if the upstream repo ever force-pushes62c50a97a146fe36a8951a2a365158c4a4795ba8. - LOW: release-tools itself carries pre-existing workflow findings per the file header comment; the PR defers self-linting until that debt is cleared. The deferral is acknowledged and tracked — acceptable.
Tool gaps (not PR defects)
- Clawpatch unavailable:
since='main'requires a commit SHA, not a branch ref. path_existsaction not supported by pr_inspector; the reusable workflow file is directly visible in the diff and is the subject of this PR — no external verification needed.
The PR is well-reasoned: warn severity enables fleet rollout without day-one CI breakage, and the reusable workflow pattern prevents version drift. Code quality is high. Approving on the diff evidence.
— Quinn, QA Engineer
|
Submitted COMMENT review on |
Summary
Makes the workflow security lint a fleet standard. A CWE-94 script-injection hole once shipped in a deploy workflow (commit message interpolated into a
run:block holding a Cloudflare token — protoMaker#3812). protoMaker already has its ownworkflow-security-lint.yml; this lifts it to release-tools so every managed repo is covered.Changes
.github/workflows/workflow-security-lint.yml— canonical reusable workflow (workflow_call+ self-lint triggers):zizmor --min-severity=medium+actionlint, pinned versions, org-owned runner,persist-credentials: false. Repos call it in one line or copy it.lib/workspace-config.mjs— newworkflow-security-lintrule (warn) requiring.github/workflows/workflow-security-lint.yml;init-workspace-confignow scaffolds a thin caller of the reusable workflow so zizmor/actionlint versions stay centralized (no per-repo drift).node --test45/45 pass.Rollout
warn(noterror) so the fleet can adopt without breaking CI day one — tighten toerroronce every repo carries it. Catches the #3815 deploy-injection class automatically on any repo that adopts it.Scope
Closes #3819. Addresses the linter half of #3815 — protoMaker is already fixed + has the lint; the remaining per-repo fleet audit happens via each repo's CI once it adopts the workflow (rather than a manual cross-repo sweep).
🤖 Generated with Claude Code