Merged
8 changes: 7 additions & 1 deletion .github/workflows/coverage.yml
Expand Up @@ -9,20 +9,26 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions: {}

env:
CARGO_TERM_COLOR: always

jobs:
coverage:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
- run: rustup update stable
- run: rustup component add llvm-tools-preview --toolchain stable-x86_64-unknown-linux-gnu
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
- name: Install cargo-llvm-cov
uses: taiki-e/install-action@4c7e9f3bb4ca35f54341be8fc8d3608f71e4d24e # cargo-llvm-cov
uses: taiki-e/install-action@4c7e9f3bb4ca35f54341be8fc8d3608f71e4d24e # zizmor: ignore[impostor-commit] cargo-llvm-cov (tag-only ref by design)
- name: Install shells for completion integration tests
run: |
sudo apt-get update
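Review bot: the `zizmor: ignore[impostor-commit]` annotation on the `taiki-e/install-action` step switches off the one audit that would notice if the pinned SHA `4c7e9f3bb4ca35f54341be8fc8d3608f71e4d24e` stops being reachable from the upstream repository, and the trailing `cargo-llvm-cov (tag-only ref by design)` explains why the tag moves but not how the SHA was checked. Record that next to the ignore (for example, that the commit is on the action's default branch or belongs to a release tag), or pin to the SHA of a versioned release tag so no suppression is needed. The rest of the hunk (`permissions: {}` at the top, `contents: read` on the job, `persist-credentials: false` on checkout) is the expected least-privilege shape.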
9 changes: 4 additions & 5 deletions .github/workflows/docs.yml
Expand Up @@ -9,11 +9,7 @@ on:
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:

# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
permissions:
contents: read
pages: write
id-token: write
permissions: {}

# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
Expand All @@ -25,11 +21,14 @@ jobs:
# Build job
build:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0 # Not needed if lastUpdated is not enabled
persist-credentials: false
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
- name: Setup Pages
uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6
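Review bot: the top-level `pages: write` and `id-token: write` grants were dropped in favour of `permissions: {}`, and the only job visible in this hunk (`build`) now carries just `contents: read`. Pages deployment needs `pages: write` and `id-token: write` on the job that runs the deploy step; that job is outside this hunk, so please confirm it received those two permissions at job level, otherwise the first run after merge fails at deploy time. `persist-credentials: false` next to `fetch-depth: 0` is fine here, since the build only reads history for `lastUpdated`.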
28 changes: 23 additions & 5 deletions .github/workflows/publish-cli.yml
@@ -1,7 +1,6 @@
name: publish-cli

permissions:
contents: write
permissions: {}

on:
push:
Expand All @@ -21,16 +20,21 @@ env:
jobs:
create-release:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
submodules: recursive
fetch-depth: 0
persist-credentials: false
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
with:
cache: false
- name: Create draft release
if: ${{ startsWith(github.ref, 'refs/tags/v') }}
run: |
TAG_NAME="${{ github.ref_name }}"
TAG_NAME="${GITHUB_REF_NAME}"
awk '/^## \[/{if(found) exit; found=1} found{print}' CHANGELOG.md >/tmp/release-notes.txt
BODY=$(cat /tmp/release-notes.txt)
# GitHub may not have indexed the tag yet after a push. Draft releases
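Review bot: the release-notes extraction `awk '/^## \[/{if(found) exit; found=1} found{print}' CHANGELOG.md >/tmp/release-notes.txt` writes an empty file when CHANGELOG.md has no `## [` heading, and `BODY=$(cat /tmp/release-notes.txt)` then carries an empty body into the draft-release step instead of failing; add `[ -s /tmp/release-notes.txt ] || { echo "no changelog section found" >&2; exit 1; }` between those two lines. Replacing `${{ github.ref_name }}` with `"${GITHUB_REF_NAME}"` in `TAG_NAME` is the right fix for the expression-in-`run:` injection sink, and `contents: write` is now limited to this job rather than the whole workflow.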
Expand Down Expand Up @@ -83,14 +87,18 @@ jobs:
os: windows-latest
build-tool: cargo
runs-on: ${{ matrix.os }}
permissions:
contents: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
submodules: recursive
persist-credentials: false
- uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
with:
experimental: true
cache: false
- if: matrix.os == 'macos-latest'
uses: apple-actions/import-codesign-certs@5142e029c445c10ffc7149d172e540235a065466 # v7
with:
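Review bot: `contents: write` is granted to the whole `build-and-publish` matrix job, so every step on every OS leg, including `dtolnay/rust-toolchain`, `jdx/mise-action` with `experimental: true`, and the macOS `apple-actions/import-codesign-certs` step that handles signing material, runs with a write-capable `GITHUB_TOKEN`. Permissions cannot be narrowed per step, so the tighter layout is a build job with `contents: read` that uploads artifacts and a separate publish job with `contents: write` that only downloads them and attaches them to the release; if that split is out of scope for this PR, a comment on the job stating why write is required there would help the next reader.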
Expand All @@ -114,24 +122,34 @@ jobs:
runs-on: ubuntu-latest
needs: [build-and-publish]
if: ${{ startsWith(github.ref, 'refs/tags/v') }}
permissions:
contents: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
submodules: recursive
persist-credentials: false
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
- run: gh release edit ${{ github.ref_name }} --draft=false
with:
cache: false
- run: gh release edit "${GITHUB_REF_NAME}" --draft=false
if: ${{ github.event_name != 'workflow_dispatch' }}
enhance-release:
runs-on: ubuntu-latest
needs: [release]
if: ${{ startsWith(github.ref, 'refs/tags/v') }}
permissions:
contents: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
submodules: recursive
fetch-depth: 0
persist-credentials: false
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
- run: communique generate "${{ github.ref_name }}" --github-release
with:
cache: false
- run: communique generate "${GITHUB_REF_NAME}" --github-release
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
- name: Append en.dev sponsor blurb
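Review bot: the `release` job undrafts with `gh release edit "${GITHUB_REF_NAME}" --draft=false` only when `github.event_name != 'workflow_dispatch'`, while the job-level `if` already restricts both jobs to `refs/tags/v*`; a manual dispatch on a tag therefore leaves the release in draft and still runs `enhance-release` against it. If that is the intended dry-run path, say so in a comment; otherwise drop the step condition. Moving both refs from `${{ github.ref_name }}` to the quoted `"${GITHUB_REF_NAME}"` environment variable closes the injection sink in these `run:` lines. Note that `enhance-release` holds `contents: write` and `ANTHROPIC_API_KEY` in the same job, so the provenance of the `communique` binary that mise installs matters here.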
2 changes: 2 additions & 0 deletions .github/workflows/release-plz.yml
Expand Up @@ -27,9 +27,11 @@ jobs:
fetch-depth: 0
submodules: recursive
token: ${{ secrets.MY_RELEASE_PLEASE_TOKEN }}
persist-credentials: false
persist-credentials: false breaks git push in release workflow

High Severity

Adding persist-credentials: false to the checkout step removes the git credentials that the tasks/release-plz script relies on for git push --tags and git push origin release --force. The token parameter (MY_RELEASE_PLEASE_TOKEN) was specifically passed to the checkout action to persist auth for these downstream git operations. With persist-credentials: false, those push commands will fail with authentication errors, breaking the entire release automation.


Reviewed by Cursor Bugbot for commit 7485f8e.

Comment on lines 29 to +30
P1 persist-credentials: false may break git push in release-plz

actions/checkout is given token: ${{ secrets.MY_RELEASE_PLEASE_TOKEN }} to fetch, but persist-credentials: false prevents that token from being stored in the git credential helper. If the release-plz CLI relies on the system git credential helper (rather than injecting the token directly into remote URLs via its own git2 call), any git push it performs will fail with an auth error. Verify that release-plz does not depend on the credential helper before landing this change.


- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
with:
experimental: true
cache: false
- run: mise trust --all
- run: mise run release-plz
env:
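Review bot: the `env:` block that `mise run release-plz` reads is cut off in this hunk, and it is where the two comments above get decided: with `persist-credentials: false`, `token: ${{ secrets.MY_RELEASE_PLEASE_TOKEN }}` is used only for the fetch and is no longer left in `.git/config`, so the `tasks/release-plz` script's `git push --tags` and `git push origin release --force` need the token handed to them explicitly (for example through an environment variable the script uses to set the push URL). Please show the full `env:` block or add a one-line comment on the checkout step explaining how those pushes authenticate. Separately, `mise trust --all` trusts every mise config in the checkout; that is acceptable for a push-to-main release job but should not be copied into any workflow triggered by `pull_request`.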
5 changes: 5 additions & 0 deletions .github/workflows/test.yml
Expand Up @@ -8,17 +8,22 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions: {}

env:
MISE_EXPERIMENTAL: 1
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

jobs:
test:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
submodules: recursive
persist-credentials: false
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
with:
shared-key: test
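Review bot: `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` sits in the workflow-level `env:`, so it is exported to every step of every job, including `Swatinem/rust-cache` and anything mise installs, even though the job is now `contents: read` and checkout no longer persists credentials. If the token is there to raise the GitHub API rate limit for mise's tool downloads, move it into the `env:` of the single step that needs it; the `permissions: {}` plus job-level `contents: read` change is otherwise the right direction.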
21 changes: 21 additions & 0 deletions .github/workflows/zizmor.yml
@@ -0,0 +1,21 @@
name: zizmor
on:
push:
branches: [main]
pull_request:
paths: [".github/workflows/**"]

permissions: {}

jobs:
zizmor:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
with:
advanced-security: false
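Review bot: with `advanced-security: false` findings are not uploaded to code scanning, so confirm the action is set to fail the job on findings in this mode; otherwise the new workflow is informational only and nothing in this PR blocks a merge on a zizmor result. The `pull_request` trigger filtered to `paths: [".github/workflows/**"]` is the right scope for a workflow-file audit, and the job follows the same `permissions: {}`, `contents: read`, `persist-credentials: false` pattern as the other workflows in the PR.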