Skip to content

ci: fix zizmor issues [security]#64

Open
joshuasing wants to merge 2 commits into
mainfrom
joshua/zizmor-1
Open

ci: fix zizmor issues [security]#64
joshuasing wants to merge 2 commits into
mainfrom
joshua/zizmor-1

Conversation

@joshuasing

Copy link
Copy Markdown
Contributor

Fix issues reported by zizmor (https://zizmor.sh) for actions-lint

  • Pin pnpm version (and update to 11.8.0)
  • Add root-level permissions block
  • Add persist-credentials: false to actions/checkout

@joshuasing joshuasing requested review from a team as code owners June 19, 2026 18:23
@joshuasing joshuasing added the type: security This is a security-related issue label Jun 19, 2026
AL-CT
AL-CT previously approved these changes Jun 22, 2026
Comment thread .github/workflows/actions-lint.yml
jcvernaleo
jcvernaleo previously approved these changes Jun 29, 2026

@jcvernaleo jcvernaleo left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK

@joshuasing joshuasing dismissed stale reviews from ClaytonNorthey92, jcvernaleo, and AL-CT via 7c5966c June 29, 2026 17:16

@jcvernaleo jcvernaleo left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses security hardening findings from zizmor for the actions-lint GitHub Actions workflow by tightening default token behavior and pinning tool versions.

Changes:

  • Added a workflow-level permissions block to reduce default GITHUB_TOKEN scope.
  • Pinned pnpm to an exact version (11.8.0) with a Renovate hint for automated updates.
  • Disabled credential persistence in actions/checkout and switched the runner label to ubuntu-latest.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/actions-lint.yml
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

type: security This is a security-related issue

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants