Harden GitHub Actions workflows and add a zizmor security gate#102
Conversation
Pin every action by full commit SHA with a version comment, set least-privilege top-level permissions with per-job overrides, add concurrency groups, keep checkouts credential-free, pass matrix values into run steps through env vars to avoid template injection, and add a Dependabot cooldown. Behavior is unchanged; this makes the workflows pass zizmor's pedantic audit.
Add a zizmor job (pedantic persona) that audits the GitHub Actions workflows on pull requests and pushes that touch them, plus a zizmor config for justified rule exceptions. Mirrors the setup used in the rsigma project.
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
|
Thanks for the hardening pass. I spotted two workflow issues worth fixing before merge:
|
Remove lookup-only from the bpf-linker cache so an exact cache hit restores ~/.cargo/bin/bpf-linker instead of skipping both the restore and the install and leaving the eBPF build without the linker. Add .github/zizmor.yml to the zizmor workflow's push and pull_request path filters so config-only changes still trigger the audit.
Resolve the ci-cd.yml conflict from the merged rsigma-engine work: keep the hardened workflow (pinned actions, least-privilege permissions, concurrency, credential-free checkouts, env-passed matrix values), carry over main's --features rsigma-engine release builds, and bump the actions/cache reference. The bpf-linker step drops the cache and installs idempotently so an exact hit no longer skips both the restore and the install.
|
Thanks, both fixed, and I rebased the branch onto the current main (which now includes #101).
Conflict: main advanced with the merged RSigma backend and some dependency bumps. I merged main in and resolved the |
Summary
uses:by full commit SHA with a version comment, sets least-privilege permissions (top-level plus per-job overrides), adds concurrency groups, keeps checkouts credential-free, and passes matrix values intorun:steps through env vars to avoid template injection. A Dependabot cooldown is also added. These are hardening-only changes with no behavior change to the build, test, or release jobs.zizmorworkflow-security gate (pedantic persona) that audits the workflows on pull requests and pushes touching.github/workflows/**, plus a.github/zizmor.ymlconfig. All workflows passzizmor --persona=pedanticlocally, with one justified ignore (the release job keepssoftprops/action-gh-releasefor its multi-asset upload and generated notes).Test plan
zizmor --persona=pedantic .github/workflows/reports no findings