fix(ci): resolve all zizmor security scanning alerts#368
Merged
Addresses all 64 alerts across 4 rules reported in GitHub code scanning:
- dangerous-triggers (1 error): Add trusted-source guard to
build-performance-monitor.yml workflow_run trigger — only runs when
the triggering workflow originated from the same repository (not a
fork), preventing privilege escalation via untrusted code.
- artipacked (2 warnings): Add persist-credentials: false to checkout
steps in release.yml and dependency-updates.yml so Git credentials
are not stored in .git/config after checkout.
- excessive-permissions (16 warnings): Add permissions: contents: read
at workflow level in experimental-rust.yml so all 16 jobs inherit
read-only permissions instead of the default write.
- template-injection (45 notes): Move all inline ${{ }} expressions
from shell script bodies to env: blocks in tests.yml,
build-performance-monitor.yml, and dependency-updates.yml.
github-script usages updated to read from process.env instead of
inline interpolation.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Build Performance Report
⏱️ Build Time: 12 minutes
📊 Comparison with main branch: ✅ Within acceptable range
This is an automated performance check
Summary
Resolves all 64 alerts reported in GitHub code scanning (zizmor).

dangerous-triggers (1 error)
- build-performance-monitor.yml: Added trusted-source guard to the workflow_run job condition — requires github.event.workflow_run.head_repository.full_name == github.repository. Prevents privilege escalation when a fork's PR triggers a workflow that runs with repo permissions.

artipacked (2 warnings)
- release.yml: Added persist-credentials: false to checkout step.
- dependency-updates.yml: Added persist-credentials: false to checkout step.

excessive-permissions (16 warnings)
- experimental-rust.yml: Added permissions: contents: read at workflow level. All 16 jobs now inherit read-only access instead of the default contents: write.

template-injection (45 notes)
Moved all inline ${{ }} expressions out of shell script bodies and into env: blocks. Variables are then referenced as shell/env vars ($VAR, $env:VAR in PowerShell, process.env.VAR in github-script). Affected files:
- tests.yml: detect-changes/flags step, prepare/Restore dependencies step, prepare/Build projects step, test-summary/Check test results step (20 expressions total).
- build-performance-monitor.yml: Calculate build metrics step (5), Create job summary step (5), Comment PR with build time github-script (4), Alert on regression github-script (3).
- dependency-updates.yml: Summary step (1).

Test plan
- build-performance-monitor.yml correctly gates on trusted repos

🤖 Generated with Claude Code
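The four zizmor fixes described in the commit message and summary above, shown together in one workflow as an added example; this is not a file from the PR or the repository, and the workflow name, job name and step contents are illustrative placeholders.

```yaml
# Added example (not from the PR): one workflow showing the weak form and
# the corrected form for each of the four rules the PR addresses.
name: example-build-monitor

# excessive-permissions: without a workflow-level block, each job gets the
# default token scope, which can include contents: write.
permissions:
  contents: read

on:
  workflow_run:
    workflows: ["build"]   # placeholder upstream workflow name
    types: [completed]

jobs:
  monitor:
    runs-on: ubuntu-latest
    # dangerous-triggers: a workflow_run job runs with this repo's token, so
    # only proceed when the triggering run came from this repository, not a fork.
    if: >-
      github.event.workflow_run.head_repository.full_name == github.repository
    steps:
      - uses: actions/checkout@v4
        with:
          # artipacked: do not leave the job token in .git/config.
          persist-credentials: false

      # template-injection (weak form, kept commented out): the expression is
      # expanded into the script text before the shell parses it, so a branch
      # name containing shell metacharacters is executed as shell code.
      # - run: echo "Branch: ${{ github.event.workflow_run.head_branch }}"

      # template-injection (corrected): pass the value through env: and read it
      # as a shell variable, so the shell only ever sees it as data.
      - name: Report branch
        env:
          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
        run: echo "Branch: $HEAD_BRANCH"

      # github-script: same principle; read process.env rather than
      # interpolating ${{ }} inside the script body.
      - uses: actions/github-script@v7
        env:
          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
        with:
          script: |
            core.info(`Branch: ${process.env.HEAD_BRANCH}`)
```

Running zizmor against this file before and after uncommenting the weak step is a quick way to confirm the template-injection finding appears only on the inline form.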