fix: resolve zizmor excessive-permissions + artipacked (INFRA-869)#41

Open: Rumbles wants to merge 1 commit into master from INFRA-869/zizmor-actions-security-fixes

Rumbles (Contributor) commented Jun 2, 2026

What

Thin mechanical pass for action-processor-integrations: least-privilege permissions: contents: read on ci + release-sonatype (Sonatype publishing uses PGP/Sonatype creds, not GITHUB_TOKEN); persist-credentials: false on checkouts (no git pushes).

Deliberately deferred (INFRA-869 cross-cutting decision pending): unpinned-uses — the bulk of this repo's findings — awaiting the org pin-vs-SHA vs wrap-in-github-actions call.

Verified with org config zizmor --config zizmor.yml: 0 findings outside the deferred set.

INFRA-869

🤖 Generated with Claude Code

least-privilege permissions: contents: read on ci + release-sonatype (Sonatype publishing uses PGP/Sonatype creds, not GITHUB_TOKEN); persist-credentials: false on checkouts (no git pushes).

Deferred (INFRA-869 cross-cutting decisions): unpinned-uses (pin-vs-wrap pending). Verified with the org zizmor config: 0 findings outside the deferred set. INFRA-869
Rumbles requested a review from a team as a code owner June 2, 2026 14:14
Rumbles enabled auto-merge (rebase) June 2, 2026 14:15
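
The two changes described in this pull request, shown on a constructed workflow as an added example (this is not the repository's own workflow file; the job name and build command are hypothetical). The first document is the shape that zizmor's excessive-permissions and artipacked audits report, the second is the corrected form.

```yaml
# Constructed example. Job name and build command are hypothetical.
# BEFORE: no permissions block, so GITHUB_TOKEN receives the repository or
# organization default scopes, and checkout keeps the token available to
# later git commands in the job (persist-credentials defaults to true).
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Tag reference left as-is: unpinned-uses is the deferred item in this PR.
      - uses: actions/checkout@v4
      - run: ./build.sh            # hypothetical build command
---
# AFTER: token limited to reading repository contents, and checkout does not
# persist the token, which is safe here because the job performs no git pushes.
name: ci
on: [push, pull_request]
permissions:
  contents: read                   # workflow-level default for every job
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: ./build.sh            # hypothetical build command
```

A job that does need to push commits or tags would have to keep credentials or supply its own, so `persist-credentials: false` applies only where, as stated in the description, no git pushes happen.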