
ci(security): resolve zizmor alerts in workflows #24

Merged
WomB0ComB0 merged 1 commit into main from ci/zizmor-workflow-hardening on Jun 21, 2026

Conversation


@WomB0ComB0 WomB0ComB0 commented Jun 21, 2026

Member

Resolves the five open zizmor code-scanning alerts on main.

Changes

| Alert | File | Fix |
|---|---|---|
| #4 unpinned action reference (unpinned-uses) | security.yml | Pin reusable security-scan.yml to commit SHA 94363a6 (was @main) |
| #5 secrets unconditionally inherited (secrets-inherit) | security.yml | Replace secrets: inherit with named forwards (SEMGREP_APP_TOKEN, SNYK_TOKEN) — the only secrets the reusable workflow declares |
| #1 credential persistence (artipacked) | hooks-sync.yml:36 | persist-credentials: false on checkout |
| #2 credential persistence (artipacked) | hooks-sync.yml (smoke) | persist-credentials: false on checkout |
| #3 credential persistence (artipacked) | hooks-tests.yml | persist-credentials: false on checkout |

Why it's safe

  • None of these jobs push back to the repo — they only checkout, lint, and run tests — so dropping the persisted GITHUB_TOKEN from .git/config closes the artifact-leak vector without breaking anything.
  • The reusable security-scan.yml explicitly declares SEMGREP_APP_TOKEN/SNYK_TOKEN so callers can forward by name instead of inheriting all secrets. This repo enables semgrep, so SEMGREP_APP_TOKEN is the one used; SNYK_TOKEN is forwarded for future use.

Test plan

  • security workflow re-scans on this PR and clears all five alerts
  • hooks-sync and hooks-tests workflows still pass with persist-credentials: false

Summary by CodeRabbit

  • Chores
    • Enhanced security practices in CI/CD workflows by restricting credential persistence and implementing explicit secret management controls across deployment pipelines.

- security.yml: pin reusable security-scan to commit SHA (unpinned-uses)
  and forward named secrets instead of `secrets: inherit` (secrets-inherit)
- hooks-sync.yml, hooks-tests.yml: set persist-credentials: false on
  checkout steps to avoid credential persistence (artipacked)
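As an added example (not code from this PR or from the repository it touches), the following Python script shows the three findings the PR resolves in a constructed caller workflow, the same workflow after the PR's fixes, and a line-based check that reports each finding so the hardened form can be verified to come back clean. The organisation and workflow names and the 40-hex SHAs are placeholders; the pinning policy used here (every remote `uses:` must carry a full commit SHA, so a mutable tag such as `@v4` is also reported) is this script's own simplified rule, not zizmor's exact policy. The last function checks a `.git/config` for the `AUTHORIZATION` extraheader that `actions/checkout` writes when `persist-credentials` is left at its default, which is what the artipacked alert is about; the config sample is constructed and the base64 value encodes a placeholder.

```python
import re
from typing import List, Tuple

# Constructed sample: a caller workflow with the three alert classes the PR
# fixes (unpinned-uses, artipacked, secrets-inherit). Names are made up.
WEAK_WORKFLOW = """\
name: security
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm run lint
  scan:
    uses: example-org/workflows/.github/workflows/security-scan.yml@main
    secrets: inherit
"""

# The same workflow after the PR's three fixes. The 40-hex SHA is a
# placeholder, not the commit the PR actually pinned to.
HARDENED_WORKFLOW = """\
name: security
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
        with:
          persist-credentials: false
      - run: npm run lint
  scan:
    uses: example-org/workflows/.github/workflows/security-scan.yml@0123456789abcdef0123456789abcdef01234567
    secrets:
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
SECRETS_INHERIT_RE = re.compile(r"^\s*secrets:\s*inherit\s*$")
PERSIST_FALSE_RE = re.compile(r"^\s*persist-credentials:\s*false\s*$")
EXTRAHEADER_RE = re.compile(r"^\s*extraheader\s*=\s*AUTHORIZATION:", re.IGNORECASE)

Finding = Tuple[str, int, str]  # (rule id, 1-based line number, detail)


def _step_body(lines: List[str], start: int) -> List[str]:
    """Lines nested under the step whose '- uses:' line is at index `start`;
    the body ends at the next non-blank line not indented deeper than the marker."""
    base = len(lines[start]) - len(lines[start].lstrip(" "))
    body: List[str] = []
    for line in lines[start + 1:]:
        if line.strip() and len(line) - len(line.lstrip(" ")) <= base:
            break
        body.append(line)
    return body


def audit_workflow(text: str) -> List[Finding]:
    """Line-based audit. Policy here: every remote 'uses:' must be pinned to a
    full commit SHA (a tag such as @v4 is mutable and is therefore reported)."""
    lines = text.splitlines()
    findings: List[Finding] = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if m:
            target = m.group(1)
            if target.startswith(("./", "docker://")):
                continue  # local and container actions are out of scope here
            action, _, ref = target.partition("@")
            if not SHA_RE.match(ref):
                findings.append(("unpinned-uses", i + 1, f"{target} is not pinned to a full commit SHA"))
            if action == "actions/checkout" and not any(
                PERSIST_FALSE_RE.match(body_line) for body_line in _step_body(lines, i)
            ):
                findings.append(("artipacked", i + 1, "checkout leaves GITHUB_TOKEN in .git/config"))
        elif SECRETS_INHERIT_RE.match(line):
            findings.append(("secrets-inherit", i + 1, "all caller secrets forwarded to the reusable workflow"))
    return findings


def persisted_auth_header(git_config: str) -> bool:
    """True if .git/config still carries the AUTHORIZATION extraheader a default checkout writes."""
    return any(EXTRAHEADER_RE.match(cfg_line) for cfg_line in git_config.splitlines())


# Constructed sample of what a default checkout leaves in .git/config; the
# base64 value encodes a placeholder, not a real token.
PERSISTED_GIT_CONFIG = """\
[http "https://github.com/"]
\textraheader = AUTHORIZATION: basic eC1hY2Nlc3MtdG9rZW46PHBsYWNlaG9sZGVyPg==
"""

if __name__ == "__main__":
    print("weak:", audit_workflow(WEAK_WORKFLOW))
    print("hardened:", audit_workflow(HARDENED_WORKFLOW) or "no findings")
    print("token persisted:", persisted_auth_header(PERSISTED_GIT_CONFIG))
```

Run against the weak sample the audit reports the unpinned checkout tag and the missing `persist-credentials: false` on line 7, the `@main` reusable-workflow ref on line 10 and `secrets: inherit` on line 11; the hardened sample produces no findings. Because the check is line-based it expects the usual two-space nesting of a step's `with:` block and does not handle flow-style or quoted YAML; a real CI gate should keep running zizmor itself, this script only makes the PR's reasoning concrete.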
@gemini-code-assist


Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.


coderabbitai Bot commented Jun 21, 2026



No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1d89d753-eda2-40b8-a781-3d61833cb5db

📥 Commits

Reviewing files that changed from the base of the PR and between bc5c264 and c0f41d6.

📒 Files selected for processing (3)
  • .github/workflows/hooks-sync.yml
  • .github/workflows/hooks-tests.yml
  • .github/workflows/security.yml

📝 Walkthrough


Three GitHub Actions workflow files are updated to harden CI security: persist-credentials: false is added to actions/checkout steps in hooks-sync.yml (lint and smoke jobs) and hooks-tests.yml. In security.yml, the reusable workflow ref is changed from main to a pinned commit SHA and secrets: inherit is replaced with an explicit SEMGREP_APP_TOKEN/SNYK_TOKEN allowlist.

Changes

GitHub Actions CI Security Hardening

| Layer / File(s) | Summary |
|---|---|
| Disable credential persistence on checkout steps: .github/workflows/hooks-sync.yml, .github/workflows/hooks-tests.yml | Adds persist-credentials: false to actions/checkout steps in the lint job, smoke job, and the hooks-tests job to prevent checkout credentials from being persisted after clone. |
| Pin security scan ref and restrict secret forwarding: .github/workflows/security.yml | Replaces the main ref on the reusable security-scan workflow call with a pinned commit SHA, and changes secrets: inherit to an explicit allowlist of only SEMGREP_APP_TOKEN and SNYK_TOKEN. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 A rabbit hops through workflow lanes,
Credentials dropped like autumn rains,
No secrets shared beyond what's due,
A SHA pinned so firm and true.
The warren's safe — no leaks in sight,
Our CI burrows, locked up tight! 🔒

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly addresses the main objective: resolving zizmor security alerts in GitHub workflows by pinning actions and managing credential/secret persistence. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@WomB0ComB0 WomB0ComB0 merged commit bf2d801 into main Jun 21, 2026
17 of 18 checks passed
@WomB0ComB0 WomB0ComB0 deleted the ci/zizmor-workflow-hardening branch June 21, 2026 01:42