From c18c1c9e1576227ded1f857ef9b53b3b4e2f08e8 Mon Sep 17 00:00:00 2001 From: jdx <216188+jdx@users.noreply.github.com> Date: Tue, 12 May 2026 14:20:38 +0000 Subject: [PATCH 1/7] chore(ci): add zizmor workflow for github actions security analysis --- .github/workflows/zizmor.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..a83ac7ce --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,19 @@ +name: zizmor +on: + push: + branches: [main] + pull_request: + paths: ['.github/workflows/**'] + +permissions: {} + +jobs: + zizmor: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 From 4b9a846b11ec60a3b9404f720beeafa64b9dbb36 Mon Sep 17 00:00:00 2001 From: jdx <216188+jdx@users.noreply.github.com> Date: Tue, 12 May 2026 11:52:27 -0500 Subject: [PATCH 2/7] fix(ci): disable zizmor advanced-security so CI fails on findings --- .github/workflows/zizmor.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index a83ac7ce..021c2e1c 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -17,3 +17,5 @@ jobs: with: persist-credentials: false - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + with: + advanced-security: false From 078575e6a2ad2bec6649be4ababa1a8e74e10f92 Mon Sep 17 00:00:00 2001 From: jdx <216188+jdx@users.noreply.github.com> Date: Tue, 12 May 2026 11:53:05 -0500 Subject: [PATCH 3/7] fix(ci): disable zizmor advanced-security so CI fails on findings From 7485f8e9efbb927811f6161b0a58d293aba83845 Mon Sep 17 00:00:00 2001 
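Review bot: The `pull_request` trigger's filter `paths: ['.github/workflows/**']` means a PR that only touches a composite action under `.github/actions/` (which recent zizmor releases also audit) would skip this check, while the `push` trigger on `main` has no filter at all; if the repository has, or may gain, composite actions, widen it to `paths: ['.github/workflows/**', '.github/actions/**']`. Adding `workflow_dispatch:` under `on:` would also let a maintainer re-run the audit on demand after bumping the zizmor-action pin, without having to touch a workflow file to trigger it.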
From: jdx Date: Tue, 12 May 2026 12:47:41 -0500 Subject: [PATCH 4/7] fix(ci): address zizmor findings (persist-credentials, scoped permissions) - Add persist-credentials: false to all actions/checkout uses - Move workflow-level permissions to job level with workflow-level permissions: {} default --- .github/workflows/coverage.yml | 6 ++++++ .github/workflows/docs.yml | 9 ++++----- .github/workflows/publish-cli.yml | 28 +++++++++++++++++++++++----- .github/workflows/release-plz.yml | 2 ++ .github/workflows/test.yml | 5 +++++ 5 files changed, 40 insertions(+), 10 deletions(-) diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index ae4820e4..57d870ff 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -9,14 +9,20 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + env: CARGO_TERM_COLOR: always jobs: coverage: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - run: rustup update stable - run: rustup component add llvm-tools-preview --toolchain stable-x86_64-unknown-linux-gnu diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 29c5c412..676f86bb 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -9,11 +9,7 @@ on: # Allows you to run this workflow manually from the Actions tab workflow_dispatch: -# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages -permissions: - contents: read - pages: write - id-token: write +permissions: {} # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. 
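Review bot: `jdx/mise-action` in the `coverage` job keeps its default cache, while the same commit sets `cache: false` on every mise-action step in publish-cli.yml and release-plz.yml, and neither choice is explained in the hunk or the commit message. If the distinction is deliberate — this job publishes nothing, so a poisoned cache cannot reach a release artifact — a one-line comment above the step, `# cache kept: coverage publishes no artifacts, so a poisoned cache cannot reach a release`, will stop the next zizmor pass from "fixing" it. The job's later steps run past the end of this hunk.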
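Review bot: Removing `pages: write` and `id-token: write` from the workflow-level block drops permissions that nothing in this commit re-grants at job level: the diffstat for docs.yml (`9 ++++-----`, 4 additions / 5 deletions) is fully accounted for by this hunk plus the three lines added to the `build` job, so a deploy job using `actions/deploy-pages` (the "Allow only one concurrent deployment" comment suggests one exists further down) would now run with an empty token and fail to publish. Give that job its own `permissions:` / `  pages: write` / `  id-token: write` (plus `contents: read` if it checks out), leaving `build` at `contents: read`. `actions/configure-pages` in the build job may also need a `pages:` scope to query the Pages site configuration — confirm on the first run after this lands.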
@@ -25,11 +21,14 @@ jobs: # Build job build: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 # Not needed if lastUpdated is not enabled + persist-credentials: false - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - name: Setup Pages uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6 diff --git a/.github/workflows/publish-cli.yml b/.github/workflows/publish-cli.yml index 5689d2b0..a4fd28fb 100644 --- a/.github/workflows/publish-cli.yml +++ b/.github/workflows/publish-cli.yml @@ -1,7 +1,6 @@ name: publish-cli -permissions: - contents: write +permissions: {} on: push: @@ -21,16 +20,21 @@ env: jobs: create-release: runs-on: ubuntu-latest + permissions: + contents: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive fetch-depth: 0 + persist-credentials: false - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 + with: + cache: false - name: Create draft release if: ${{ startsWith(github.ref, 'refs/tags/v') }} run: | - TAG_NAME="${{ github.ref_name }}" + TAG_NAME="${GITHUB_REF_NAME}" awk '/^## \[/{if(found) exit; found=1} found{print}' CHANGELOG.md >/tmp/release-notes.txt BODY=$(cat /tmp/release-notes.txt) # GitHub may not have indexed the tag yet after a push. Draft releases 
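Review bot: The `cache: false` added to `jdx/mise-action` in `create-release` is not explained here or in the commit message, which lists only persist-credentials and scoped permissions; presumably it answers zizmor's cache-poisoning audit (a job that publishes under `contents: write` should not restore a cache that lower-privilege runs can write to). Put that reason on the step, `# cache: false — publishing job; a restored cache could be poisoned from a PR run (zizmor cache-poisoning)`, so it is not reverted later as a speed-up, and the same comment belongs on the other `cache: false` lines added to this file. The `run:` block that builds the draft release continues past the end of this hunk.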
@@ -83,14 +87,18 @@ jobs: os: windows-latest build-tool: cargo runs-on: ${{ matrix.os }} + permissions: + contents: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive + persist-credentials: false - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 with: experimental: true + cache: false - if: matrix.os == 'macos-latest' uses: apple-actions/import-codesign-certs@5142e029c445c10ffc7149d172e540235a065466 # v7 with: @@ -114,24 +122,34 @@ jobs: runs-on: ubuntu-latest needs: [build-and-publish] if: ${{ startsWith(github.ref, 'refs/tags/v') }} + permissions: + contents: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive + persist-credentials: false - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - - run: gh release edit ${{ github.ref_name }} --draft=false + with: + cache: false + - run: gh release edit ${GITHUB_REF_NAME} --draft=false if: ${{ github.event_name != 'workflow_dispatch' }} enhance-release: runs-on: ubuntu-latest needs: [release] if: ${{ startsWith(github.ref, 'refs/tags/v') }} + permissions: + contents: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive fetch-depth: 0 + persist-credentials: false - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - - run: communique generate "${{ github.ref_name }}" --github-release + with: + cache: false + - run: communique generate "${GITHUB_REF_NAME}" --github-release env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} - name: Append en.dev sponsor blurb diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml index 5dd416b4..00f54139 100644 --- a/.github/workflows/release-plz.yml +++ b/.github/workflows/release-plz.yml 
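Review bot: The `release` job runs `gh release edit ${GITHUB_REF_NAME} --draft=false` before `enhance-release` (which `needs: [release]`) runs `communique generate "${GITHUB_REF_NAME}" --github-release` with `ANTHROPIC_API_KEY`, so if communique writes the generated notes back to the release, model-generated text lands on an already-published release with no human in between, under a `contents: write` token. Since the generator's input is presumably commit and changelog text that outside contributors can shape, consider running `enhance-release` while the release is still a draft — have it depend on `build-and-publish` and move the `--draft=false` edit into a final job that runs after it — so a maintainer sees the generated body before it is public. If the current order is intentional, a comment on `enhance-release` saying the LLM output is applied post-publication would at least make the trust decision visible.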
@@ -27,9 +27,11 @@ jobs: fetch-depth: 0 submodules: recursive token: ${{ secrets.MY_RELEASE_PLEASE_TOKEN }} + persist-credentials: false - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 with: experimental: true + cache: false - run: mise trust --all - run: mise run release-plz env: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 30537546..4d226215 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -8,6 +8,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + env: MISE_EXPERIMENTAL: 1 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -15,10 +17,13 @@ env: jobs: test: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive + persist-credentials: false - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 with: shared-key: test From a9497ca3a96e3ede5eae444414725e78d482f97e Mon Sep 17 00:00:00 2001 From: jdx Date: Tue, 12 May 2026 13:07:22 -0500 Subject: [PATCH 5/7] fix(ci): suppress zizmor impostor-commit on taiki-e/install-action --- .github/workflows/coverage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 57d870ff..c604b2a9 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -28,7 +28,7 @@ jobs: - run: rustup component add llvm-tools-preview --toolchain stable-x86_64-unknown-linux-gnu - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - name: Install cargo-llvm-cov - uses: taiki-e/install-action@4c7e9f3bb4ca35f54341be8fc8d3608f71e4d24e # cargo-llvm-cov + uses: taiki-e/install-action@4c7e9f3bb4ca35f54341be8fc8d3608f71e4d24e # zizmor: ignore[impostor-commit] cargo-llvm-cov (tag-only ref by design) - name: Install shells for completion integration tests run: | sudo apt-get update 
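Review bot: `persist-credentials: false` on a checkout that passes `token: ${{ secrets.MY_RELEASE_PLEASE_TOKEN }}` removes that PAT from the cloned repo's git config, so any `git push` that `mise run release-plz` performs will no longer find it unless release-plz authenticates from the `env:` block that follows (cut off at the end of this hunk). Confirm on the next run that the release PR is still created; if release-plz pushes through git rather than the API, either set the remote URL with the token in the step that needs it, or keep `persist-credentials: true` on this one checkout with a `# zizmor: ignore[artipacked] release-plz pushes with this PAT` comment. The `cache: false` on `jdx/mise-action` also deserves a short why-comment, since the commit message does not mention it.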
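Review bot: The workflow-level `env:` block keeps `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` exposed to every step of every job, including third-party actions, even though the new `permissions: {}` plus job-level `contents: read` makes that token read-only. If it is only there so mise can call the GitHub API without rate limiting, move it to an `env:` on the step that needs it rather than the workflow; if it must stay workflow-wide, record that the exposure is intentional with `# read-only token (job permissions are contents: read); needed by mise for GitHub API rate limits`.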
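Review bot: The `# zizmor: ignore[impostor-commit]` suppression on `taiki-e/install-action` silences the one audit that would catch a pinned SHA that does not belong to the upstream repository, and the justification "tag-only ref by design" does not tell a reader which release tag `4c7e9f3b…` was resolved from or that anyone checked. Record that in the same comment, e.g. `# zizmor: ignore[impostor-commit] cargo-llvm-cov; SHA resolved from install-action tag vX.Y.Z, verified YYYY-MM-DD`, so the pin can be re-verified when it is bumped. Because this action downloads and installs a binary onto the runner, an unverified pin here is weaker than it looks; the `coverage` job continues past the end of this hunk.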
From b7e029d72fe662536c3879569f6b42992d2bd60a Mon Sep 17 00:00:00 2001 From: jdx Date: Tue, 12 May 2026 13:14:20 -0500 Subject: [PATCH 6/7] fix(ci): use double quotes in zizmor.yml paths to match prettier --- .github/workflows/zizmor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 021c2e1c..f78b23fc 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -3,7 +3,7 @@ on: push: branches: [main] pull_request: - paths: ['.github/workflows/**'] + paths: [".github/workflows/**"] permissions: {} From 087e8dd30b85d78151f60c4a874e78cc98e4604c Mon Sep 17 00:00:00 2001 From: jdx Date: Tue, 12 May 2026 13:25:42 -0500 Subject: [PATCH 7/7] fix(ci): quote "${GITHUB_REF_NAME}" in gh release edit (SC2086) --- .github/workflows/publish-cli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-cli.yml b/.github/workflows/publish-cli.yml index a4fd28fb..5a06bdf0 100644 --- a/.github/workflows/publish-cli.yml +++ b/.github/workflows/publish-cli.yml @@ -132,7 +132,7 @@ jobs: - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 with: cache: false - - run: gh release edit ${GITHUB_REF_NAME} --draft=false + - run: gh release edit "${GITHUB_REF_NAME}" --draft=false if: ${{ github.event_name != 'workflow_dispatch' }} enhance-release: runs-on: ubuntu-latest