4 changes: 4 additions & 0 deletions .github/dependabot.yml
Expand Up @@ -7,6 +7,8 @@ updates:
schedule:
interval: 'weekly'
day: 'saturday'
cooldown:
default-days: 7
@jkowalleck (Member), Apr 25, 2026:

Contributor Author:
Same as the github-actions entry — referenced #965 in the PR description.

allow:
- dependency-type: 'all'
versioning-strategy: 'auto'
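Review bot: indentation is lost in this rendered view, so confirm in the raw file that `cooldown:` is a sibling of `schedule:` (a key of the update entry) rather than nested under it; Dependabot's `cooldown` block lives at the entry level, and a mis-nested key is reported as a configuration error for the whole file, not just this entry. Note also the interaction with `interval: 'weekly'` / `day: 'saturday'`: a release published shortly before Saturday's run is held by the 7-day cooldown and only proposed the following Saturday, so the effective lag for a new version can approach two weeks. That is acceptable for the minimal setting zizmor asks for, but it is worth stating the trade-off in a comment on the `cooldown` key.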
Expand All @@ -21,6 +23,8 @@ updates:
schedule:
interval: 'weekly'
day: 'saturday'
cooldown:
default-days: 7
@jkowalleck (Member), Apr 25, 2026:

Contributor Author:
Referenced #965 in the PR description. The cooldown changes here are the minimal fix zizmor requires (any cooldown configured); the choice of exact period can be fine-tuned in #965.

labels: [ 'dependencies' ]
commit-message:
## prefix maximum string length of 15
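Review bot: the second entry duplicates the same `cooldown` / `default-days: 7` block, which is correct since `cooldown` is configured per update entry, but the two values now have to be changed together when the period is tuned in #965. A short inline comment (`# see #965`) next to each `default-days: 7` would flag that and keep the two entries from drifting apart.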
14 changes: 14 additions & 0 deletions .github/workflows/python.yml
Expand Up @@ -34,6 +34,8 @@ jobs:
- name: Checkout
# see https://github.com/actions/checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Setup Python Environment
# see https://github.com/actions/setup-python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
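Review bot: `persist-credentials: false` stops actions/checkout from writing the `GITHUB_TOKEN` into `.git/config`, which is the right default for a job that only checks out and tests, but the token is still minted for the job; the `permissions:` block is outside this hunk, so confirm each of these jobs (or the workflow top level) declares `permissions: contents: read` so the non-persisted token is also least-privilege. The seven checkouts in this file are identical apart from position, so after merge a grep for `actions/checkout` lines not followed by a `persist-credentials` line is a cheap way to confirm none were missed.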
Expand All @@ -58,6 +60,8 @@ jobs:
- name: Checkout
# see https://github.com/actions/checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Setup Python Environment
# see https://github.com/actions/setup-python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
Expand All @@ -82,6 +86,8 @@ jobs:
- name: Checkout
# see https://github.com/actions/checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Setup Python Environment
# see https://github.com/actions/setup-python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
Expand All @@ -106,6 +112,8 @@ jobs:
- name: Checkout
# see https://github.com/actions/checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Setup Python Environment
# see https://github.com/actions/setup-python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
Expand Down Expand Up @@ -142,6 +150,8 @@ jobs:
- name: Checkout
# see https://github.com/actions/checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Setup Python Environment
# see https://github.com/actions/setup-python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
Expand Down Expand Up @@ -192,6 +202,8 @@ jobs:
- name: Checkout
# see https://github.com/actions/checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Create reports directory
run: mkdir ${{ env.REPORTS_DIR }}
- name: Setup Python Environment
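Review bot: the `mkdir ${{ env.REPORTS_DIR }}` context line directly below this checkout is the same pattern the release.yml hunk in this PR moves away from: an `env:` entry (workflow- or job-level) is already exported to the step's shell, so `run: mkdir "$REPORTS_DIR"` gives the same result without template interpolation into the script text and with proper quoting if the path ever contains a space. Not a security issue while the value is a workflow constant, but since zizmor is now enforced it is cheap to fix while touching the file.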
Expand Down Expand Up @@ -270,6 +282,8 @@ jobs:
- name: Checkout
# see https://github.com/actions/checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Setup Python Environment
# see https://github.com/actions/setup-python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
12 changes: 9 additions & 3 deletions .github/workflows/release.yml
Expand Up @@ -49,6 +49,8 @@
- name: Checkout code
# see https://github.com/actions/checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
Member:
this needs manual testing - need to issue a test-release and see if this is sufficient

- name: Setup Python Environment
# see https://github.com/actions/setup-python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
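Review bot: the thread here asks whether this is sufficient; the concrete thing to check in the test release is whether any later step in this job (not visible in the hunk) runs `git push`, `git tag`, or a tool that pushes on the job's behalf, because with `persist-credentials: false` those fail with an authentication error instead of silently using `GITHUB_TOKEN`. A job that only builds and uploads artifacts is unaffected and this change is safe for it as is.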
Expand All @@ -71,6 +73,8 @@
- name: Checkout code
# see https://github.com/actions/checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Setup Python Environment
# see https://github.com/actions/setup-python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
Expand Down Expand Up @@ -106,24 +110,26 @@
- name: Generate GitHub App Token
id: release-bot-token
# see https://github.com/actions/create-github-app-token
uses: actions/create-github-app-token@v3

zizmor (GitHub Actions check) failure on release.yml:113, unpinned-uses: unpinned action reference: action is not pinned to a hash (required by blanket policy)
with:
# see https://github.com/organizations/CycloneDX/settings/apps/cyclonedx-releases
app-id: 3335294
private-key: ${{ secrets.CDX_RELEASE_BOT_PRIVATE_KEY }}
- name: Get GitHub App User ID
id: release-bot-user-id
run: |
set -xeu
echo "user-id=$(gh api "/users/${{ steps.release-bot-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
env:
APP_SLUG: ${{ steps.release-bot-token.outputs.app-slug }}
GH_TOKEN: ${{ steps.release-bot-token.outputs.token }}
run: |
set -xeu
echo "user-id=$(gh api "/users/${APP_SLUG}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"

- name: Checkout code
# see https://github.com/actions/checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
persist-credentials: false
Member:

needs testing

Contributor Author:
Reverted persist-credentials: false from the release job checkout in 1a42e8e. The quicktest and deptry checkouts don't have a token parameter and don't perform subsequent git pushes, so those remain. The release job uses python-semantic-release which receives its own github_token for git operations — that combination can be validated in a follow-up once the release pipeline is confirmed to work correctly with or without this flag.

token: ${{ steps.release-bot-token.outputs.token }}

- name: Setup python
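Review bot: the `actions/create-github-app-token@v3` reference at the top of this hunk is the `unpinned-uses` finding zizmor reports for release.yml:113, and it is untouched here, so the check stays red after this PR; pin it to a full commit SHA with a `# v3` trailing comment, matching how `actions/checkout` and `actions/setup-python` are pinned in the same file. Moving `${{ steps.release-bot-token.outputs.app-slug }}` out of the `run:` body into `env.APP_SLUG` is the right shape: the value is no longer expanded into the shell script text, `gh` reads `GH_TOKEN` from the environment, and with `set -x` on only the `gh api "/users/${APP_SLUG}[bot]"` command line and the resulting `echo "user-id=..."` are echoed, so the token does not reach the log. For the checkout below, `fetch-depth: 0` plus `token:` from the app means the app token is used for the clone; with `persist-credentials: false` added it is not kept in `.git/config`, so any later push relies entirely on the token handed separately to the release tool, which is exactly the combination the author says still needs a test release. Until that is confirmed, the reverted state described in the thread (default `persist-credentials` for this one checkout) is the lower-risk path for the release pipeline, at the cost of the app token staying in `.git/config` for the lifetime of the job.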