
Harden release workflow: job-level permissions, environment, concurrency #51

Merged
vdemeester merged 1 commit into main from zizmor-release-hardening
Mar 30, 2026

Conversation

@vdemeester
Owner

Follow-up to #49 — fixes remaining zizmor --pedantic findings on the release workflow.

Changes:

  • Permissions: Move contents: write from workflow-level to job-level (least privilege principle)
  • Environment: Add environment: release — enables deployment protection rules (required reviewers, wait timers, deployment logs)
  • Concurrency: Add concurrency group to prevent duplicate release runs on rapid re-tags
  • Documentation: Inline comment explaining why write permission is needed

After:

$ zizmor --pedantic .
No findings to report. Good job!

Note: You'll want to create the release environment in GitHub repo settings → Environments. Optional: add protection rules like required reviewers for extra safety on releases.

- Move contents: write from workflow-level to job-level (least privilege)
- Add 'release' environment for deployment protection rules
- Add concurrency limits to prevent duplicate release runs
- Add inline comment documenting why write permission is needed

Passes zizmor --pedantic with zero findings.
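The four changes listed in the description, drawn together in one tag-triggered workflow. This is an added example, not the project's own release workflow: the workflow name, the `v*` tag trigger, the job name, the `gh release create` step and the empty workflow-level `permissions: {}` block are assumptions made here; the PR only states what was moved and added.

```yaml
# Added example, not the project's release.yml. Shows the layout the PR
# describes: contents: write at job level only, environment: release,
# and a concurrency group. Workflow name, tag pattern, job name and the
# gh release create step are assumptions.
name: release

on:
  push:
    tags:
      - "v*"

# Assumption: an explicit empty workflow-level block, so no job receives
# a token scope it does not request itself. Before the hardening,
# `permissions: contents: write` sat here and applied to every job.
permissions: {}

# One release run at a time; a second run for a rapid re-tag queues
# behind the first instead of racing it. cancel-in-progress stays false
# because cancelling a half-published release is worse than waiting.
concurrency:
  group: release
  cancel-in-progress: false

jobs:
  release:
    runs-on: ubuntu-latest
    # Deployment protection rules (required reviewers, wait timers,
    # deployment log) apply only because the job names this environment;
    # it has to exist under Settings -> Environments in the repository.
    environment: release
    # contents: write is needed to create the GitHub release and upload
    # assets; nothing else in this job needs a token scope.
    permissions:
      contents: write
    steps:
      - name: Create GitHub release for the pushed tag
        env:
          # Expression values are passed through env rather than
          # interpolated into the script, so a crafted ref name cannot be
          # interpreted as shell.
          TAG: ${{ github.ref_name }}
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
        run: gh release create "$TAG" --generate-notes --verify-tag
```

Two things to check after dropping this in: the `release` environment must be created in the repository settings before the first tag push, otherwise the job runs with no protection rules at all rather than failing, and the result should be confirmed with the same `zizmor --pedantic .` run the description shows. The concurrency group is a single global name on purpose: a per-ref group would still let two different tags pushed seconds apart publish concurrently, which is the duplicate-run case the description is guarding against.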
@vdemeester vdemeester merged commit 10acb18 into main Mar 30, 2026
3 checks passed
@vdemeester vdemeester deleted the zizmor-release-hardening branch March 30, 2026 20:26