From 170c41112d1bab7b935a0183db2f3f7362484af2 Mon Sep 17 00:00:00 2001
From: Eashwar Ranganathan
Date: Tue, 12 May 2026 12:04:22 -0700
Subject: [PATCH 1/4] Use zizmor to scan GitHub actions workflows
---
 .github/workflows/zizmor.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..aa8259d
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,24 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: Run zizmor 🌈
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
From 3a1827e0e8f6918be43c07649b3d0a7ce4df2d1c Mon Sep 17 00:00:00 2001
From: Eashwar Ranganathan
Date: Tue, 12 May 2026 13:09:26 -0700
Subject: [PATCH 2/4] Pin actions to commit SHA and restrict permissions
---
 .github/workflows/ansible-ci.yml | 8 +++++--
 .../ansible-documentation-release.yml | 4 ++--
 .github/workflows/ansible-documentation.yml | 22 +++++++++----------
 .github/workflows/ansible-galaxy.yml | 8 +++++--
 .github/workflows/ansible-sanity.yml | 6 +++--
 .github/workflows/molecule.yml | 10 ++++++---
 6 files changed, 36 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/ansible-ci.yml b/.github/workflows/ansible-ci.yml
index ff88c92..7b9d63b 100644
--- a/.github/workflows/ansible-ci.yml
+++ b/.github/workflows/ansible-ci.yml
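Review bot: The `zizmor` job's `permissions:` block grants only `security-events: write`, so under the workflow-level `permissions: {}` the GITHUB_TOKEN carries no `contents: read`; the checkout and the SARIF upload still work on a public repository, but upload-sarif documents needing `contents: read` and `actions: read` on a private one, so declaring `contents: read` next to `security-events: write` states the job's real minimum and survives a visibility change. On `pull_request` runs from forks the token is read-only regardless of this block, so expect the SARIF upload to fail for those runs; if fork PRs are expected, either disable the upload for that event (the action's `advanced-security` input, if the pinned v0.5.3 supports it) or accept that failure knowingly. The same gap — workflow-level `permissions: {}` with no job-level `contents: read` — is introduced by PATCH 2/4 for the `ansible-lint` job in ansible-ci.yml, the job at @@ -33 in ansible-documentation.yml and the `ansible-galaxy` job in ansible-galaxy.yml.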
@@ -17,15 +17,19 @@ env: ANSIBLE_GALAXY_SERVER_GALAXY_TIMEOUT: 120 ANSIBLE_GALAXY_SERVER_LIST: "galaxy" +permissions: {} + jobs: ansible-lint: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Ansible lint - uses: ansible/ansible-lint@v25.12.2 + uses: ansible/ansible-lint@a2bc8b8b13a80802215856c56823d85007d3baf5 # v25.12.2 with: requirements_file: test-requirements.yml diff --git a/.github/workflows/ansible-documentation-release.yml b/.github/workflows/ansible-documentation-release.yml index 24945bf..4b1cd6c 100644 --- a/.github/workflows/ansible-documentation-release.yml +++ b/.github/workflows/ansible-documentation-release.yml @@ -15,7 +15,7 @@ jobs: permissions: contents: read name: build - uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-push.yml@main + uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-push.yml@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9 # main with: collection-name: hachyderm.general init-project: Hachyderm General Collection @@ -38,7 +38,7 @@ jobs: needs: - build name: publish - uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@main + uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9 # main with: artifact-name: ${{ needs.build.outputs.artifact-name }} publish-gh-pages-branch: true diff --git a/.github/workflows/ansible-documentation.yml b/.github/workflows/ansible-documentation.yml index bfd04f2..213b68e 100644 --- a/.github/workflows/ansible-documentation.yml +++ b/.github/workflows/ansible-documentation.yml 
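Review bot: The `uses: ansible-community/github-docs-build/...@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9 # main` lines in both ansible-documentation-release.yml hunks pin a commit taken from a moving branch and annotate it only with the branch name, so the comment says nothing about which revision was reviewed, and Dependabot reads a `# main` annotation as "follow the branch head", meaning future bumps will pull in whatever lands on main rather than a released version. If github-docs-build publishes release tags, pin to the commit behind a tag and name that tag in the comment (`# <tag>` in the style of the `# v6.0.2` annotation on actions/checkout); if it does not, note the pinned commit's date in the comment so a later bump can be judged. The same `# main` annotation is used on every github-docs-build reference in ansible-documentation.yml (hunks @@ -11, @@ -71, @@ -100, @@ -118 and @@ -159).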
@@ -11,14 +11,14 @@ on: - synchronize - closed +permissions: {} + jobs: # Validation job runs a strict build to ensure it will fail CI on any mistakes. validate: - permissions: - contents: read name: validate if: github.event.action != 'closed' - uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-push.yml@main + uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-push.yml@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9 # main with: collection-name: hachyderm.general artifact-upload: false @@ -33,10 +33,12 @@ jobs: if: github.event.action != 'closed' steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: "3.13" @@ -71,13 +73,11 @@ jobs: # The build job runs with the most lenient settings to ensure the best chance of getting # a rendered docsite that can be looked at. build: - permissions: - contents: read needs: - validate - docsmith name: build - uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-pr.yml@main + uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-pr.yml@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9 # main with: collection-name: hachyderm.general init-project: Hachyderm General Collection @@ -100,7 +100,7 @@ jobs: needs: - build name: publish PR preview - uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@main + uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9 # main with: artifact-name: ${{ needs.build.outputs.artifact-name }} action: publish 
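Review bot: In the hunk at @@ -33 the setup-python pin is annotated `# v6`, a floating major tag, while the checkout pin beside it names the exact release `# v6.0.2`; a reader cannot verify which setup-python release a309ff8b426b58ec0e2a45f0f869d46889d02405 corresponds to without resolving the SHA upstream. Name the exact release tag the SHA was taken from so the pin can be audited and so SHA-bump tooling rewrites the comment consistently across the file. The same `# v6` annotation appears on the setup-python pins in ansible-galaxy.yml (@@ -17) and molecule.yml (@@ -47).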
@@ -118,7 +118,7 @@ jobs: name: comment steps: - name: PR comment - uses: ansible-community/github-docs-build/actions/ansible-docs-build-comment@main + uses: ansible-community/github-docs-build/actions/ansible-docs-build-comment@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9 # main with: body-includes: '## Docs Build' reactions: heart @@ -159,7 +159,7 @@ jobs: pages: write id-token: write name: cleanup PR preview - uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@main + uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9 # main with: artifact-name: ${{ needs.build.outputs.artifact-name }} action: teardown diff --git a/.github/workflows/ansible-galaxy.yml b/.github/workflows/ansible-galaxy.yml index 4cb99b1..957604e 100644 --- a/.github/workflows/ansible-galaxy.yml +++ b/.github/workflows/ansible-galaxy.yml @@ -17,15 +17,19 @@ env: ANSIBLE_GALAXY_SERVER_LIST: "galaxy" ANSIBLE_GALAXY_SERVER_GALAXY_TOKEN: "${{ secrets.ANSIBLE_GALAXY_TOKEN }}" +permissions: {} + jobs: ansible-galaxy: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: "3.13" diff --git a/.github/workflows/ansible-sanity.yml b/.github/workflows/ansible-sanity.yml index e9f9f38..8b02941 100644 --- a/.github/workflows/ansible-sanity.yml +++ b/.github/workflows/ansible-sanity.yml 
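Review bot: In the ansible-galaxy.yml hunk, `ANSIBLE_GALAXY_SERVER_GALAXY_TOKEN: "${{ secrets.ANSIBLE_GALAXY_TOKEN }}"` is a workflow-level `env:` entry, so the publishing token is present in the environment of every step of the job, including the third-party `actions/checkout` and `actions/setup-python` steps this commit pins; pinning constrains which code runs, not what that code can read from its environment. Moving that variable to the `env:` of the single step that actually publishes to Galaxy (outside this hunk, so which step that is is inferred) keeps the secret out of the checkout and tooling steps at no functional cost. Whether more than one step needs the token cannot be confirmed from the hunk.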
@@ -11,7 +11,9 @@ jobs: ansible-versions: ${{ steps.list-ansible-versions.outputs.ansible-versions }} steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: List Ansible versions id: list-ansible-versions @@ -32,7 +34,7 @@ jobs: needs.define-versions.outputs.ansible-versions != '' steps: - name: Perform sanity test with ansible-test - uses: ansible-community/ansible-test-gh-action@v1.17.0 + uses: ansible-community/ansible-test-gh-action@d3a8ec7a59694e25e210fcd44738910149537f0e # v1.17.0 with: ansible-core-version: stable-${{ matrix.ansible-version }} testing-type: sanity diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index fedabf3..fb30365 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -17,7 +17,9 @@ jobs: roles: ${{ steps.list-roles.outputs.roles }} steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: List Ansible versions id: list-ansible-versions @@ -47,10 +49,12 @@ jobs: needs.define-versions.outputs.roles != '' steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ inputs.python-version }} From d4856c379cbe341a143aa04bf659f38ff5664189 Mon Sep 17 00:00:00 2001 From: Eashwar Ranganathan Date: Tue, 12 May 2026 21:03:04 -0700 Subject: [PATCH 3/4] Address template-injection warnings --- .github/workflows/ansible-galaxy.yml | 2 +- .github/workflows/molecule.yml | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) 
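Review bot: Neither ansible-sanity.yml nor molecule.yml receives the top-level `permissions: {}` that this commit adds to ansible-ci.yml, ansible-documentation.yml and ansible-galaxy.yml — the diffstat for these two files (6 and 10 changed lines) accounts only for the pin and `persist-credentials: false` edits shown here — unless those files already declare a `permissions:` block above the hunks, which is outside view. Without it every job in these workflows runs with the repository's default token permissions, which may be read-write, so the "restrict permissions" half of the commit is incomplete for them. Adding `permissions: {}` at the top of each file and `contents: read` on the jobs that check out or test the collection (the hunks at @@ -11 and @@ -32 here, @@ -17 and @@ -47 in molecule.yml) brings them in line with the other workflows.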
diff --git a/.github/workflows/ansible-galaxy.yml b/.github/workflows/ansible-galaxy.yml index 957604e..3de6a6e 100644 --- a/.github/workflows/ansible-galaxy.yml +++ b/.github/workflows/ansible-galaxy.yml @@ -51,7 +51,7 @@ jobs: namespace=$(yq -r ".namespace" < galaxy.yml) name=$(yq -r ".name" < galaxy.yml) version=$(yq -r ".version" < galaxy.yml) - tag=$(echo ${{ github.ref }} | sed 's,refs/tags/,,g') + tag=$(echo ${GITHUB_REF} | sed 's,refs/tags/,,g') if [ "${tag}" != "${version}" ] ; then echo "The version of the collection (${version}) is different than the tag (${tag})" exit 1 diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index fb30365..87938c8 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -63,7 +63,9 @@ jobs: python -m pip install --upgrade pip pip install \ molecule==25.12.0 \ - ansible-core~=${{ matrix.ansible-version }}.0 + ansible-core~=${ANSIBLE_VERSION}.0 + env: + ANSIBLE_VERSION: ${{ matrix.ansible-version }} - name: Install dependencies working-directory: ./roles/${{ matrix.role }} From 8213eca4e3da9fbcbb1e49f07d44ff8797d1610d Mon Sep 17 00:00:00 2001 From: Eashwar Ranganathan Date: Tue, 12 May 2026 21:08:25 -0700 Subject: [PATCH 4/4] Add back permissions I accidentally removed --- .github/workflows/ansible-documentation.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ansible-documentation.yml b/.github/workflows/ansible-documentation.yml index 213b68e..1f230c5 100644 --- a/.github/workflows/ansible-documentation.yml +++ b/.github/workflows/ansible-documentation.yml @@ -16,6 +16,8 @@ permissions: {} jobs: # Validation job runs a strict build to ensure it will fail CI on any mistakes. validate: + permissions: + contents: read name: validate if: github.event.action != 'closed' uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-push.yml@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9 # main 
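Review bot: `tag=$(echo ${GITHUB_REF} | sed 's,refs/tags/,,g')` in the ansible-galaxy.yml hunk leaves `${GITHUB_REF}` unquoted and pipes through two processes for a prefix strip the shell does natively; `tag="${GITHUB_REF#refs/tags/}"` gives the same result for tag refs and is immune to word splitting and globbing. The injection fix itself is sound: reading the ref from the environment at runtime instead of interpolating `github.ref` into the script text means the value can no longer alter the shell code. The molecule.yml hunk could likewise quote its expansion, `"ansible-core~=${ANSIBLE_VERSION}.0"`, so an unexpected matrix value cannot split into extra pip arguments.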
@@ -73,6 +75,8 @@ jobs: # The build job runs with the most lenient settings to ensure the best chance of getting # a rendered docsite that can be looked at. build: + permissions: + contents: read needs: - validate - docsmith