
Harden CI workflow per zizmor#21

Merged
williammartin merged 1 commit into main from wm-zizmor-push-fixes on May 20, 2026

Conversation

@williammartin (Member) commented May 20, 2026

Fixes the two zizmor findings on .github/workflows/push.yml:

  • excessive-permissions — added top-level permissions: contents: read so the workflow no longer runs with default-write GITHUB_TOKEN scopes. The job only checks out code and runs go test; read is sufficient.
  • artipacked — added with: persist-credentials: false to the checkout step so the token isn't persisted into .git/config, eliminating a credential-leak vector if a later step ever uploads artifacts.

Verification

Run zizmor with the config below; expect zero findings:

rules:
  unpinned-uses:
    config:
      policies:
        # First-party GitHub-maintained orgs: tag pins are acceptable.
        # Releases from these orgs are signed, retag risk is low, and patch
        # bumps for free outweigh the SHA-pin defense-in-depth here.
        actions/*: ref-pin
        github/*: ref-pin
        dependabot/*: ref-pin
        # Our own shared workflows repo: branch/tag refs are acceptable.
        desktop/gh-cli-and-desktop-shared-workflows/*: ref-pin
        # Everything else must be SHA-pinned.
        "*": hash-pin
  dependabot-cooldown:
    config:
      days: 5
$ zizmor --config <above> .
No findings to report. Good job!

go test ./... still passes.

- Add top-level 'permissions: contents: read' (fixes excessive-permissions)
- Set 'persist-credentials: false' on actions/checkout (fixes artipacked)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
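As an added illustration (not code from this PR, the repository, or zizmor itself), a text-level Python approximation of the two rules the description fixes, run over constructed before/after copies of a push.yml-style workflow. The workflow contents are assumed, since the diff is not shown on this page; zizmor parses the YAML properly, this only scans lines.

```python
import re

# Constructed sample: an unhardened workflow, as zizmor would flag it.
BEFORE = """\
name: push
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: go test ./...
"""

# Constructed sample: the same workflow with both fixes from the PR applied.
AFTER = """\
name: push
on: [push]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: go test ./...
"""

def excessive_permissions(workflow: str) -> bool:
    """No top-level permissions: key, so jobs inherit default GITHUB_TOKEN scopes."""
    return not re.search(r"^permissions:", workflow, flags=re.M)

def artipacked(workflow: str) -> list[int]:
    """Line numbers of actions/checkout steps that keep the token in .git/config."""
    lines = workflow.splitlines()
    hits = []
    for i, line in enumerate(lines):
        if not re.match(r"\s*-\s+uses:\s*actions/checkout@", line):
            continue
        indent = len(line) - len(line.lstrip())
        body = []
        for nxt in lines[i + 1:]:
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= indent:
                break  # next list item or end of steps: step body is over
            body.append(nxt.strip())
        if "persist-credentials: false" not in body:
            hits.append(i + 1)
    return hits
```

Running both checks over BEFORE reports the two findings the PR describes; over AFTER neither fires.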
@williammartin williammartin force-pushed the wm-zizmor-push-fixes branch from 361e838 to 06db288 May 20, 2026 14:11
@williammartin williammartin marked this pull request as ready for review May 20, 2026 14:16
@williammartin williammartin requested a review from a team as a code owner May 20, 2026 14:16
@williammartin williammartin requested review from BagToad and Copilot May 20, 2026 14:16
Copilot AI left a comment

Pull request overview

Hardens the CI workflow by reducing default GITHUB_TOKEN permissions and preventing credential persistence during checkout, addressing the two zizmor findings called out in the PR description.

Changes:

  • Set workflow-wide permissions: contents: read to avoid default write-scoped GITHUB_TOKEN.
  • Configure actions/checkout with persist-credentials: false to avoid writing credentials into .git/config.
Summary per file:
File .github/workflows/push.yml: Limits GITHUB_TOKEN scope to read-only and disables credential persistence on checkout to reduce token exposure risk.

Copilot's findings

  • Files reviewed: 1/1 changed files
  • Comments generated: 0

@williammartin williammartin merged commit 1418ef7 into main May 20, 2026
14 checks passed