Skip to content

Harden GitHub Actions workflows and add a zizmor security gate#102

Merged
Karib0u merged 4 commits into
Karib0u:mainfrom
mostafa:ci/harden-workflows
Jul 2, 2026
Merged

Harden GitHub Actions workflows and add a zizmor security gate#102
Karib0u merged 4 commits into
Karib0u:mainfrom
mostafa:ci/harden-workflows

Conversation

@mostafa

@mostafa mostafa commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Hardens every GitHub Actions workflow: pins each uses: by full commit SHA with a version comment, sets least-privilege permissions (top-level plus per-job overrides), adds concurrency groups, keeps checkouts credential-free, and passes matrix values into run: steps through env vars to avoid template injection. A Dependabot cooldown is also added. These are hardening-only changes with no behavior change to the build, test, or release jobs.
  • Adds a zizmor workflow-security gate (pedantic persona) that audits the workflows on pull requests and pushes touching .github/workflows/**, plus a .github/zizmor.yml config. All workflows pass zizmor --persona=pedantic locally, with one justified ignore (the release job keeps softprops/action-gh-release for its multi-asset upload and generated notes).

Test plan

  • zizmor --persona=pedantic .github/workflows/ reports no findings
  • The existing fmt, clippy, test, and build jobs run unchanged on this PR

mostafa added 2 commits July 2, 2026 11:21
Pin every action by full commit SHA with a version comment, set least-privilege
top-level permissions with per-job overrides, add concurrency groups, keep
checkouts credential-free, pass matrix values into run steps through env vars to
avoid template injection, and add a Dependabot cooldown. Behavior is unchanged;
this makes the workflows pass zizmor's pedantic audit.
Add a zizmor job (pedantic persona) that audits the GitHub Actions workflows on
pull requests and pushes that touch them, plus a zizmor config for justified
rule exceptions. Mirrors the setup used in the rsigma project.
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@Karib0u

Karib0u commented Jul 2, 2026

Copy link
Copy Markdown
Owner

Thanks for the hardening pass. I spotted two workflow issues worth fixing before merge:

  1. In .github/workflows/ci-cd.yml, the bpf-linker cache uses lookup-only: true, but the install step is skipped when cache-hit == true. On a fresh runner with an exact cache hit, the cache action will not restore ~/.cargo/bin/bpf-linker, yet cargo install bpf-linker will be skipped. Please remove lookup-only for that cache, or gate the install step on the actual binary existing.

  2. In .github/workflows/zizmor.yml, the path filter only includes .github/workflows/**. Since this PR adds .github/zizmor.yml, future changes to the zizmor config alone would not run the zizmor workflow. Please add .github/zizmor.yml to both the push and pull_request path filters.

mostafa added 2 commits July 2, 2026 22:23
Remove lookup-only from the bpf-linker cache so an exact cache hit restores
~/.cargo/bin/bpf-linker instead of skipping both the restore and the install
and leaving the eBPF build without the linker. Add .github/zizmor.yml to the
zizmor workflow's push and pull_request path filters so config-only changes
still trigger the audit.
Resolve the ci-cd.yml conflict from the merged rsigma-engine work: keep the
hardened workflow (pinned actions, least-privilege permissions, concurrency,
credential-free checkouts, env-passed matrix values), carry over main's
--features rsigma-engine release builds, and bump the actions/cache reference.
The bpf-linker step drops the cache and installs idempotently so an exact hit
no longer skips both the restore and the install.
@mostafa

mostafa commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Thanks, both fixed, and I rebased the branch onto the current main (which now includes #101).

  • bpf-linker cache: option A (dropping lookup-only) would let the cache restore, but since this workflow also publishes release artifacts, the zizmor pedantic gate this PR adds flags any restoring cache as a cache-poisoning vector. So I went with your option B and made the install robust instead: the step no longer caches bpf-linker and installs it idempotently (command -v bpf-linker >/dev/null 2>&1 || cargo install bpf-linker). An exact cache hit can no longer skip both the restore and the install, the eBPF build always has the linker, and zizmor stays clean with no new ignores.
  • zizmor path filter: added .github/zizmor.yml to both the push and pull_request paths so config-only changes trigger the audit.

Conflict: main advanced with the merged RSigma backend and some dependency bumps. I merged main in and resolved the ci-cd.yml conflict by keeping the hardened workflow (pinned actions, least-privilege permissions, concurrency, credential-free checkouts, env-passed matrix values) while carrying over main's --features rsigma-engine release builds. The branch is now even with main and the net diff is hardening-only. zizmor --persona=pedantic .github/workflows/ reports no findings.

@Karib0u Karib0u merged commit 59b3f3a into Karib0u:main Jul 2, 2026
15 checks passed
@mostafa mostafa deleted the ci/harden-workflows branch July 2, 2026 21:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants