Skip to content

Audit permissions and add zizmor configuration#378

Merged
kattni merged 7 commits into
mainfrom
zizmor
Jul 14, 2026
Merged

Audit permissions and add zizmor configuration#378
kattni merged 7 commits into
mainfrom
zizmor

Conversation

@freakboy3742

@freakboy3742 freakboy3742 commented Jul 13, 2026

Copy link
Copy Markdown
Member

Audits the permission allocations for tasks, and adds a zizmor validation step.

The Zizmor rules being corrected are:

  1. (unpinned-uses) Adding hashes for actions. This prevents an attack by pushing a malicious update (and tag change) to an action repository
  2. (template-injection) Using environment variables instead of direct references to inputs. ${{ }} is interpreted as a direct templated value, so a malicious PR could construct inputs that would exfiltrate credentials, etc.
  3. (excessive-permissions) Adding permissions blocks everywhere
  4. (secrets-inherit) Explicitly request permissions, rather than inheriting
  5. (artipacked) Github credentials are cached on checkout, which potentially gives permission for repo-modifying actions. The key side effect of this is that we no longer push Docker images to the GHCR repository. I'm not seeing any appreciable slowdown in CI as a result of removing the caching layer, though.
  6. (bot-conditions) using github.event.pusher.name rather than github.actor, as the latter can be spoofed by a commit.
  7. (dependabot-cooldown) Add a cooldown on dependabot so that problems with new releases (including malicious releases created by an attacker) can be identified.

Two minor features included here:

  • Renaming the app-create-verify and app-build-verify CI tasks so it's easier to track which one is testing which
  • The app-build-verify task now accepts a "config options" input that can be used to drive additional configuration options when creating new apps. This fell out of the template injection changes, but could be easily extended to support passing other custom options (such as would be needed to do verification of alternate environment managers.

See inline for some other notes.

PR Checklist:

  • I will abide by the BeeWare Code of Conduct
  • I have read and have followed the CONTRIBUTING.md file
  • This PR was generated or assisted using an AI tool
    Assisted-by: Claude Opus 4.8

echo repo_list="$jq_repo_list" >> $GITHUB_OUTPUT
repo_list=$(gh repo list "$GITHUB_REPOSITORY_OWNER" --no-archived --json nameWithOwner --jq ".[].nameWithOwner" -L 500 \
| jq -R -s -c 'split("\n") | map(select(length > 0))')
echo "repo_list=$repo_list" >> "$GITHUB_OUTPUT"

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the old approach, repo_list was a single string, not an array; while it worked, it was mostly accidental. The actual splitting was occurring because of shell handling, which would have been sensitive to special characters (an unlikely situation, but an avoidable one regardless).

@kattni kattni left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me!

@kattni
kattni merged commit 741cc5a into main Jul 14, 2026
79 checks passed
@kattni
kattni deleted the zizmor branch July 14, 2026 03:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants