Skip to content

chore(ci): harden GitHub Actions workflow security#195

Merged
thejoeejoee merged 1 commit into
mainfrom
chore/harden-gh-actions-security
Jun 25, 2026
Merged

chore(ci): harden GitHub Actions workflow security#195
thejoeejoee merged 1 commit into
mainfrom
chore/harden-gh-actions-security

Conversation

@thejoeejoee

Copy link
Copy Markdown
Collaborator

Zizmor audit fixes (v1.26.1): 32 → 13 findings (0 high, 1 medium).

  • Add permissions: contents: read to ci.yml and nix.yml
  • Move workflow-level contents: write + pull-requests: write to per-job scope in release-please.yml
  • Add persist-credentials: false to all checkout steps (except nix-vendor-hash.yml which needs credentials for create-pull-request)
  • Disable Go module cache in release workflows to prevent cache poisoning of published binaries
  • Use env var for tag_name interpolation to prevent template injection

Copilot AI review requested due to automatic review settings June 22, 2026 14:52

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens GitHub Actions workflow security across the CI and release pipelines by reducing default token permissions, preventing credential persistence during checkout, and mitigating supply-chain risks in release jobs.

Changes:

  • Scoped GITHUB_TOKEN permissions more tightly (workflow-level contents: read for CI/Nix; job-level write permissions only where required in Release Please).
  • Added persist-credentials: false to checkout steps to avoid leaving credentials in the workspace.
  • Disabled actions/setup-go caching in release workflows and moved tag interpolation into an env var to reduce injection/cache-poisoning risk.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File Description
.github/workflows/ci.yml Adds workflow contents: read and disables persisted checkout credentials across CI jobs.
.github/workflows/nix.yml Adds workflow contents: read and disables persisted checkout credentials for the Nix build workflow.
.github/workflows/release-please.yml Moves write permissions to the release-please job, disables persisted checkout credentials, disables Go cache in release job, and hardens tag substitution.
.github/workflows/release.yml Disables persisted checkout credentials and disables Go module cache for the manual re-release workflow.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@thejoeejoee thejoeejoee merged commit 75846ee into main Jun 25, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants