Add zizmor GitHub Actions security scanning #3421
Introduce zizmor CI, policy config (hash-pin third-party actions; ref-pin actions/* and elastic/*), and remediations so workflows pass local audit cleanly. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Cursor <cursoragent@cursor.com>
Replace file-level template-injection suppressions with per-site comments so each ignored expansion is visible in review. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Cursor <cursoragent@cursor.com>
Align github-actions and nuget with npm (reakaleek review). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Cursor <cursoragent@cursor.com>
Correct ref-version-mismatch that caused zizmor CI to exit 13. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Cursor <cursoragent@cursor.com>
Walkthrough
This PR implements comprehensive security hardening for GitHub Actions workflows by introducing Zizmor security scanning, disabling credential persistence across all workflows, scoping permissions to least-privilege at the job level, and pinning action versions to specific commit SHAs. Additional changes include updating Dependabot configuration with cooldown settings, refactoring environment variable handling in the update-link-index action, and adjusting workflow debugging output to use shell environment variables.
Pre-merge checks: 5 passed
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/create-major-tag.yml (1)
18-28: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win
`git push` will fail without credentials.
Setting `persist-credentials: false` removes the GITHUB_TOKEN from git config after checkout. The `git push` at line 28 will fail with an authentication error since no credentials are configured.
Options:
- Remove `persist-credentials: false` for this workflow (it needs write access for tagging)
- Explicitly configure credentials before push
🐛 Option 2: Explicitly configure credentials
- uses: actions/checkout@v6 - with: - persist-credentials: false - name: Get major version run: | MAJOR_VERSION=$(echo "${GITHUB_REF#refs/tags/}" | awk -F. '{print $1}') echo "MAJOR_VERSION=${MAJOR_VERSION}" >> "${GITHUB_ENV}" - name: Create major tag + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | + git config user.name "github-actions[bot]" + git config user.email "github-actions[bot]`@users.noreply.github.com`" + git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}`@github.com/`${{ github.repository }}.git" git tag "v${MAJOR_VERSION}" git push -f origin "refs/tags/v${MAJOR_VERSION}"🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/create-major-tag.yml around lines 18 - 28, The workflow currently disables credentials in the checkout step (persist-credentials: false) but later runs the "Create major tag" step which runs git push using MAJOR_VERSION; restore or provide credentials so git push succeeds: either remove or set persist-credentials to true on the actions/checkout@v6 step, or add a step before the "Create major tag" step to configure git credentials using the GITHUB_TOKEN (e.g., set git remote auth or run actions/setup-auth) so the git tag "v${MAJOR_VERSION}" push can authenticate successfully.
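Review bot: The added `git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}..."` line in the "Create major tag" step writes the token into the remote URL, so it is stored in `.git/config` for the rest of the job, which is the credential persistence that `persist-credentials: false` on the checkout step was meant to avoid. The same line expands `${{ github.repository }}` inside `run:`; the default shell variable `${GITHUB_REPOSITORY}` carries the same value without an inline template expansion. If this option is taken, keep the token out of the stored remote URL or reset the URL at the end of the step; otherwise leaving checkout credentials enabled for this one tagging workflow is the simpler change.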
🧹 Nitpick comments (1)
.github/workflows/docs-preview-local.yml (1)
114-114: 💤 Low value
Inconsistent: unpinning `actions/github-script` while other actions are being SHA-pinned.
This PR pins third-party actions to SHAs for security, but this change moves from a pinned reference back to `@v8`. This appears inconsistent with the PR's security hardening goals.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/docs-preview-local.yml at line 114, The workflow currently unpins actions/github-script by using "uses: actions/github-script@v8" while other actions are SHA-pinned; replace that line with a SHA-pinned reference (e.g., "uses: actions/github-script@<commit-sha>") to match the repo's security policy, by finding the latest commit SHA for actions/github-script and updating the uses line so it references that specific SHA instead of "`@v8`".
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/smoke-test.yml:
- Around line 47-49: The test command using the env var
STEPS_DOCS_BUILD_OUTPUTS_LANDING_PAGE_PATH is unquoted and uses "==" which
breaks when landing-page-path-output is empty; update the run step that
currently says `test ${STEPS_DOCS_BUILD_OUTPUTS_LANDING_PAGE_PATH} == ${{
matrix.landing-page-path-output }}` to quote both operands and use a
POSIX-compatible equals operator so it becomes `test
"${STEPS_DOCS_BUILD_OUTPUTS_LANDING_PAGE_PATH}" = "${{
matrix.landing-page-path-output }}"`, ensuring empty values do not produce a
"unary operator expected" error.
📒 Files selected for processing (15)
- .github/actions/bootstrap/action.yml
- .github/dependabot.yml
- .github/workflows/build-link-index-updater-lambda.yml
- .github/workflows/ci.yml
- .github/workflows/create-major-tag.yml
- .github/workflows/docs-preview-local.yml
- .github/workflows/license.yml
- .github/workflows/prerelease.yml
- .github/workflows/release.yml
- .github/workflows/required-labels.yml
- .github/workflows/smoke-test.yml
- .github/workflows/updatecli.yml
- .github/workflows/zizmor.yml
- .github/zizmor.yml
- actions/update-link-index/action.yml
Quote landing-page-path test operands and use POSIX '=' so empty matrix values do not break test. Restore checkout credentials for major tag push. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Cursor <cursoragent@cursor.com>
Why
GitHub Actions workflows were not statically audited for common misconfigurations (unpinned third-party actions, credential persistence, overly broad permissions, and related supply-chain risks). Without automated checks, regressions are easy to miss in review.
What
Adds a zizmor CI workflow and `.github/zizmor.yml` policy: `actions/*` and `elastic/*` may use ref pins; all other actions must be hash-pinned. Applies remediations across existing workflows (third-party SHA pins, scoped permissions, Dependabot cooldown, checkout credential hygiene, and targeted ignores for intentional `pull_request_target` usage) so `zizmor .` passes locally and in CI.
Made with Cursor
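The pinning policy described above, as an added sketch that is not part of the PR or of zizmor itself: it applies the stated rule (ref pins allowed for `actions/*` and `elastic/*`, commit-SHA pins for everything else) to `uses:` lines. The first-match-wins ordering, the function names and the sample workflow are assumptions made for illustration.

```python
import fnmatch
import re

# Policy from the PR description: actions/* and elastic/* may be ref-pinned
# (tag or branch); all other actions must be hash-pinned. First match wins
# (an assumption of this sketch, not zizmor's own matching logic).
POLICY = [("actions/*", "ref-pin"), ("elastic/*", "ref-pin"), ("*", "hash-pin")]
RANK = {"unpinned": 0, "ref-pin": 1, "hash-pin": 2}
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def pin_level(ref):
    """'hash-pin' for a full 40-hex commit SHA, 'ref-pin' for any other ref,
    'unpinned' when the uses: value carries no @ref at all."""
    if not ref:
        return "unpinned"
    return "hash-pin" if FULL_SHA_RE.match(ref) else "ref-pin"

def required_level(action):
    """Pin level the policy demands for an owner/repo[/path] action name."""
    return next(lvl for pat, lvl in POLICY if fnmatch.fnmatchcase(action, pat))

def audit(workflow_text):
    """Return (line_no, uses_value, required, found) for each violation."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # not a uses: line, or a local action / container image
        action, _, ref = m.group(1).partition("@")
        need, have = required_level(action), pin_level(ref)
        if RANK[have] < RANK[need]:
            findings.append((no, m.group(1), need, have))
    return findings

# Constructed sample workflow; action names and SHA are made up.
SAMPLE = """\
steps:
  - uses: actions/checkout@v6
  - uses: elastic/example-action@main
  - uses: thirdparty/setup-tool@v2
  - uses: thirdparty/setup-tool@0123456789abcdef0123456789abcdef01234567 # v2.1.0
  - uses: thirdparty/unpinned-tool
  - uses: ./.github/actions/bootstrap
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A tag such as `@v2` can be moved to a different commit by whoever controls the action's repository, which is why the third-party tag reference is reported while the 40-character SHA form is accepted.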