Skip to content

Commit aa3af19

Browse files
claude[bot]claudeMarshallOfSounddsanders11
authored
ci: port zizmor audit hardening to next (backport of #4200) (#4310)
Applies the GitHub Actions security hardening from #4200 (main) to the next branch's reworked workflows: - Add top-level least-privilege `permissions: {}` to ci.yml, release.yml and gh-pages.yml, with scoped `permissions:` on jobs that need write access (the release publish job's existing contents/id-token trusted publishing permissions are preserved). - Add `persist-credentials: false` to every actions/checkout step. - Avoid expression injection in the release step by passing the version through an environment variable. - Mark the add-to-project pull_request_target trigger with a zizmor dangerous-triggers ignore. - Add a dependabot cooldown (default-days: 7). Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Samuel Attard <sattard@anthropic.com> Co-authored-by: David Sanders <dsanders11@ucsbalum.com>
1 parent 992d61c commit aa3af19

5 files changed

Lines changed: 25 additions & 2 deletions

File tree

.github/dependabot.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,3 +4,5 @@ updates:
44
directory: '/'
55
schedule:
66
interval: 'monthly'
7+
cooldown:
8+
default-days: 7

.github/workflows/add-to-project.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ on:
44
issues:
55
types:
66
- opened
7-
pull_request_target:
7+
pull_request_target: # zizmor: ignore[dangerous-triggers]
88
types:
99
- opened
1010

.github/workflows/ci.yml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,8 @@ on:
1212
types: [checks_requested]
1313
workflow_call:
1414

15+
permissions: {}
16+
1517
concurrency:
1618
group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
1719
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
@@ -25,6 +27,8 @@ jobs:
2527

2628
- name: Checkout code
2729
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
30+
with:
31+
persist-credentials: false
2832

2933
- name: Setup Node.js
3034
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
@@ -72,6 +76,8 @@ jobs:
7276

7377
- name: Checkout code
7478
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
79+
with:
80+
persist-credentials: false
7581

7682
- name: Setup Node.js
7783
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
@@ -149,6 +155,8 @@ jobs:
149155

150156
- name: Checkout code
151157
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
158+
with:
159+
persist-credentials: false
152160

153161
- name: Setup Node.js
154162
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0

.github/workflows/gh-pages.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,9 +6,13 @@ on:
66
tags:
77
- v7.**
88

9+
permissions: {}
10+
911
jobs:
1012
deploy:
1113
runs-on: ubuntu-latest
14+
permissions:
15+
contents: read
1216
concurrency:
1317
group: ${{ github.workflow }}-${{ github.ref }}
1418
steps:
@@ -23,6 +27,7 @@ jobs:
2327
submodules: true
2428
fetch-depth: 0
2529
token: ${{ steps.generate-token.outputs.token }}
30+
persist-credentials: false
2631

2732
- name: Get short SHA for HEAD
2833
id: get-short-sha

.github/workflows/release.yml

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,17 +5,22 @@ on:
55
branches:
66
- next
77

8+
permissions: {}
9+
810
jobs:
911
check-release-criteria:
1012
name: Check Release Criteria
1113
runs-on: ubuntu-latest
14+
permissions:
15+
contents: read
1216
outputs:
1317
should_release: ${{ steps.check.outputs.should_release }}
1418
steps:
1519
- name: Checkout code
1620
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
1721
with:
1822
fetch-depth: 2
23+
persist-credentials: false
1924

2025
- name: Check release criteria
2126
id: check
@@ -94,6 +99,8 @@ jobs:
9499
steps:
95100
- name: Checkout code
96101
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
102+
with:
103+
persist-credentials: false
97104

98105
- name: Setup Node.js
99106
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
@@ -123,4 +130,5 @@ jobs:
123130
- name: Create GitHub release
124131
env:
125132
GH_TOKEN: ${{ fromJSON(steps.secret-service.outputs.secrets).GITHUB_TOKEN }}
126-
run: gh release create "v${{ steps.version.outputs.version }}" --target ${{ github.sha }} --generate-notes --prerelease
133+
STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
134+
run: gh release create "v${STEPS_VERSION_OUTPUTS_VERSION}" --target ${{ github.sha }} --generate-notes --prerelease

0 commit comments

Comments
 (0)