Skip to content

ci: harden GitHub Actions workflows #350

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jeremy merged 10 commits into from
Mar 20, 2026
Merged

ci: harden GitHub Actions workflows #350

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
cd1d816
Pin actions to SHA hashes with version comments
flavorjones Mar 19, 2026
2953c72
Fix high-severity zizmor findings
flavorjones Mar 19, 2026
5569c9f
Pin actions and add persist-credentials: false via pinact
flavorjones Mar 19, 2026
8a54edc
Address medium zizmor findings: excessive-permissions, secrets-outsid…
flavorjones Mar 19, 2026
f906897
Address low zizmor findings: dependabot-cooldown
flavorjones Mar 19, 2026
8bbdebf
Add zizmor CI job to test workflow
flavorjones Mar 19, 2026
c3281ea
Harden GitHub Actions: set workflow-level permissions to deny-all
flavorjones Mar 19, 2026
7f04353
Fix shellcheck SC2086: quote variable expansions in workflow scripts
flavorjones Mar 19, 2026
69207e2
Fix ref-version-mismatch: update create-github-app-token comment to v…
flavorjones Mar 19, 2026
538e146
Address PR review: tighten Dependabot gate, normalize permissions, ad…
jeremy Mar 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ updates:
patterns:
- "*"
cooldown:
default-days: 2
default-days: 10
semver-major-days: 7
semver-minor-days: 3
semver-patch-days: 2
Expand All @@ -38,6 +38,6 @@ updates:
patterns:
- "*"
cooldown:
default-days: 2
default-days: 10
commit-message:
prefix: "ci"
2 changes: 1 addition & 1 deletion .github/workflows/ai-labeler.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
name: Classify PR

on:
pull_request_target:
pull_request_target: # zizmor: ignore[dangerous-triggers] -- required for write access to PRs from forks; workflow only calls trusted reusable workflows, no PR code is checked out or executed
types: [opened, synchronize, reopened]

concurrency:
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/dependabot-auto-merge.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,11 @@ permissions:
jobs:
auto-merge:
runs-on: ubuntu-latest
if: github.actor == 'dependabot[bot]'
if: github.event.pull_request.user.login == 'dependabot[bot]'
Copy link
Copy Markdown
Member

@jeremy jeremy Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated in 538e146#diff-2fe48d1021006468ac63263583b5db615dd5e63a39ebff862cc4e2f06b59caa1R13

steps:
- name: Fetch Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2
uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/labeler.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
name: Label PRs

on:
pull_request_target:
pull_request_target: # zizmor: ignore[dangerous-triggers] -- required for write access to PRs from forks; workflow only runs trusted actions/labeler action, no PR code is checked out or executed
types: [opened, synchronize, reopened]

permissions:
Expand Down
30 changes: 18 additions & 12 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,24 +33,25 @@ jobs:
env:
BASECAMP_NO_KEYRING: "1"
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
Comment thread
flavorjones marked this conversation as resolved.

- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to the cache used by tag-push workflows
with:
go-version-file: 'go.mod'

- name: Install golangci-lint
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
with:
version: v2.9.0
install-only: true

- name: Cache BATS
id: cache-bats
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to the cache used by tag-push workflows
with:
path: /usr/local/libexec/bats-core
key: bats-1.11.0
Expand Down Expand Up @@ -112,13 +113,14 @@ jobs:
models: read
attestations: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false

- name: Generate token for Homebrew tap
id: sdk-token
uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
with:
app-id: ${{ vars.RELEASE_CLIENT_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
Expand All @@ -127,7 +129,7 @@ jobs:
permission-contents: write

- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to the cache used by tag-push workflows
with:
go-version-file: 'go.mod'

Expand All @@ -140,7 +142,7 @@ jobs:
uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0

- name: Install Syft
uses: anchore/sbom-action/download-syft@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0
uses: anchore/sbom-action/download-syft@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1

- name: Build changelog context
run: |
Expand Down Expand Up @@ -226,7 +228,7 @@ jobs:
MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}

- name: Install GoReleaser
uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7
uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
with:
distribution: goreleaser
version: 'v2.14.1'
Expand Down Expand Up @@ -278,10 +280,12 @@ jobs:
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Install Nix
uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934 # v31
uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934 # v31.10.1

- name: Build and verify
run: |
Expand All @@ -303,7 +307,9 @@ jobs:
contents: read
issues: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Generate token for skills repo
id: skills-token
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/scorecard.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ jobs:
id-token: write
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

Comment thread
flavorjones marked this conversation as resolved.
Expand All @@ -33,7 +33,7 @@ jobs:
path: results.sarif
retention-days: 5

- uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
- uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
continue-on-error: true
with:
sarif_file: results.sarif
53 changes: 36 additions & 17 deletions .github/workflows/security.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,19 +11,19 @@ on:
workflow_call: # Allow release.yml to invoke the full security suite
workflow_dispatch:

permissions:
contents: read
security-events: write
pull-requests: read
permissions: {}

jobs:
secrets:
name: Secret Scanning
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false

- name: Install gitleaks
run: |
Expand All @@ -36,9 +36,14 @@ jobs:
trivy:
name: Trivy Security Scan
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Run Trivy vulnerability scanner (filesystem)
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
Expand All @@ -52,7 +57,7 @@ jobs:
output: 'trivy-results.sarif'

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
if: always()
continue-on-error: true # Requires GitHub Advanced Security
with:
Expand All @@ -61,12 +66,17 @@ jobs:
gosec:
name: Go Security Checker
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version-file: 'go.mod'

Expand All @@ -76,7 +86,7 @@ jobs:
gosec -tags dev -no-fail -fmt sarif -out gosec-results.sarif ./...

- name: Upload gosec scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
if: always()
continue-on-error: true # Requires GitHub Advanced Security
with:
Expand All @@ -89,23 +99,32 @@ jobs:
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
continue-on-error: true # Requires GitHub Advanced Security (not available on all plans)
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0

codeql:
name: CodeQL Analysis
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version-file: 'go.mod'

- name: Initialize CodeQL
uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
with:
languages: go
build-mode: manual
Expand All @@ -117,14 +136,14 @@ jobs:
run: go build -tags dev ./...

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
with:
category: codeql-go
upload: never
output: sarif-results

- name: Upload SARIF to GitHub Security tab
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
continue-on-error: true # Requires GitHub Advanced Security
with:
sarif_file: sarif-results
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/sensitive-change-gate.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
name: Sensitive Change Gate

on:
pull_request_target:
pull_request_target: # zizmor: ignore[dangerous-triggers] -- required for write access to PRs from forks; workflow only calls a trusted reusable workflow, no PR code is checked out or executed
types: [opened, synchronize, reopened]

permissions:
Expand Down
Loading
Loading