Hi,

This is not a bug. I was reading about code reviews and ended up reading about zizmor.

I ran zizmor against the CI copied from the README (the minimal example) and it gave 2 warnings.

This may not be important, as I am a newbie, but I read about some repos using it in their CI. Ruff applied the persist-credentials.
```
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> .github/workflows/ci.yml:30:9
   |
30 |       - uses: actions/checkout@v4
   |         ------------------------- does not set persist-credentials: false
   |
   = note: audit confidence → Low

warning[excessive-permissions]: overly broad permissions
  --> .github/workflows/ci.yml:18:3
   |
18 | /   syntax_tests:
19 | |     name: Syntax Tests (${{ matrix.build }})
...  |
33 | |         build: ${{ matrix.build }}
34 | |         # default_packages: ${{ matrix.packages }}
   | |                                                   -
   | |___________________________________________________|
   |                                                     this job
   |                                                     default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium
```
And it suggested a fix for permissions and persist-credentials:

```yaml
jobs:
  syntax_tests:
    name: Syntax Tests (${{ matrix.build }})
    runs-on: ubuntu-latest
    # Explicit job-level permissions; without this block the job inherits the
    # repository's default token permissions, which is what zizmor flags.
    # id-token: write only allows the job to request OIDC tokens; grant only
    # the scopes the job actually uses.
    permissions:
      id-token: write
    timeout-minutes: 15
    strategy:
      matrix:
        include:
          - build: 'latest'
            # packages: master
          - build: stable
            # packages: binary
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the GITHUB_TOKEN in the checked-out .git/config,
          # where later steps (and uploaded artifacts) could pick it up.
          persist-credentials: false
      - uses: SublimeText/syntax-test-action@v2
        with:
          build: ${{ matrix.build }}
          # default_packages: ${{ matrix.packages }}
```
Maybe add to README example if useful.
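As an added illustration, not part of the original issue and not zizmor's own code: a small Python re-implementation of the two audits quoted above, run over a workflow as `yaml.safe_load` would return it. The `BEFORE` job is constructed from the README example; the `contents: read` default in `harden_workflow` is an assumption of this example, not something zizmor prescribes.

```python
import copy

# Constructed sample: the README job as yaml.safe_load would return it,
# reduced to the fields the two checks look at.
BEFORE = {"jobs": {"syntax_tests": {
    "runs-on": "ubuntu-latest",
    "steps": [
        {"uses": "actions/checkout@v4"},
        {"uses": "SublimeText/syntax-test-action@v2",
         "with": {"build": "${{ matrix.build }}"}},
    ],
}}}


def _is_checkout(step):
    return step.get("uses", "").split("@")[0] == "actions/checkout"


def audit_workflow(workflow):
    """Return (job_id, audit) pairs mirroring the two zizmor findings above:
    'excessive-permissions' when neither the workflow nor the job declares
    permissions (so the job inherits the default token), and 'artipacked'
    for an actions/checkout step that leaves persist-credentials unset."""
    findings = []
    workflow_perms = workflow.get("permissions")
    for job_id, job in workflow.get("jobs", {}).items():
        if workflow_perms is None and "permissions" not in job:
            findings.append((job_id, "excessive-permissions"))
        for step in job.get("steps", []):
            persist = (step.get("with") or {}).get("persist-credentials")
            # YAML yields a bool; a quoted 'false' string is accepted too.
            if _is_checkout(step) and persist not in (False, "false"):
                findings.append((job_id, "artipacked"))
    return findings


def harden_workflow(workflow, permissions=None):
    """Copy the workflow with both findings fixed. Jobs without a permissions
    block get one (assumed default: contents: read, the least a checkout
    needs); every checkout step stops persisting the token."""
    if permissions is None:
        permissions = {"contents": "read"}
    fixed = copy.deepcopy(workflow)
    for job in fixed.get("jobs", {}).values():
        job.setdefault("permissions", dict(permissions))
        for step in job.get("steps", []):
            if _is_checkout(step):
                step.setdefault("with", {})["persist-credentials"] = False
    return fixed
```

`audit_workflow(BEFORE)` reports both findings for `syntax_tests`; `audit_workflow(harden_workflow(BEFORE, {"id-token": "write"}))` reproduces the fixed YAML above and reports none.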