Skip to content

security: apply zizmor GitHub Actions security improvements#88

Merged
ocean merged 4 commits intodevfrom
claude/zizmor-security-improvements-TYtjO
Mar 20, 2026
Merged

security: apply zizmor GitHub Actions security improvements#88
ocean merged 4 commits intodevfrom
claude/zizmor-security-improvements-TYtjO

Conversation

@ocean
Copy link
Copy Markdown
Owner

@ocean ocean commented Mar 15, 2026

Ran zizmor v1.23.1 against all workflow files and resolved all high-priority findings (reduced from 30 high to 0 high):

  • Pin all action references to commit SHAs to prevent supply-chain attacks:
  • Add persist-credentials: false to all checkout steps (artipacked)
  • Remove overly broad pull-requests: write from workflow-level permissions
  • Fix template injection in all-checks-pass job by passing needs results via env vars rather than inline ${{ }} expressions
  • Move Turso secrets from job-level env to step-level env to reduce exposure surface (secrets-outside-env)
  • Replace dtolnay/rust-toolchain action with direct rustup script calls as recommended (superfluous-actions)
  • Replace softprops/action-gh-release action with gh release CLI call

Remaining findings: 4 medium secrets-outside-env warnings for Turso secrets, which require configuring a GitHub Deployment Environment in repo settings.

https://claude.ai/code/session_01EUdjWCLtSWQYY5j4yc8Qb5

@claude
security: apply zizmor GitHub Actions security improvements
5f2f172 
Ran zizmor v1.23.1 against all workflow files and resolved all high-priority
findings (reduced from 30 high to 0 high):

- Pin all action references to commit SHAs to prevent supply-chain attacks:
  - actions/checkout@de0fac2e (v6.0.2)
  - actions/cache@cdf6c1fa (v5)
  - actions/upload-artifact@bbbca2dd (v7)
  - erlef/setup-beam@ee09b1e5 (v1)
  - philss/rustler-precompiled-action@853ac56 (v1.1.4)
- Add persist-credentials: false to all checkout steps (artipacked)
- Remove overly broad pull-requests: write from workflow-level permissions
- Fix template injection in all-checks-pass job by passing needs results
  via env vars rather than inline ${{ }} expressions
- Move Turso secrets from job-level env to step-level env to reduce
  exposure surface (secrets-outside-env)
- Replace dtolnay/rust-toolchain action with direct rustup script calls
  as recommended (superfluous-actions)
- Replace softprops/action-gh-release action with gh release CLI call

Remaining findings: 4 medium secrets-outside-env warnings for Turso secrets,
which require configuring a GitHub Deployment Environment in repo settings.

https://claude.ai/code/session_01EUdjWCLtSWQYY5j4yc8Qb5
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai bot commented Mar 15, 2026
edited
Loading

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f970627b-b3b6-4ef8-ac9c-872d979bec09

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/zizmor-security-improvements-TYtjO
📝 Coding Plan
  • Generate coding plan for human review comments

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Tip

CodeRabbit can generate a title for your PR based on the changes with custom instructions.

Set the reviews.auto_title_instructions setting to generate a title for your PR based on the changes in the PR with custom instructions.

github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 15, 2026
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 19, 2026
View reviewed changes
@ocean ocean merged commit 166dc9d into dev Mar 20, 2026
13 checks passed
@ocean ocean deleted the claude/zizmor-security-improvements-TYtjO branch March 20, 2026 06:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ocean @claude