security(ci): harden workflows and add zizmor audit (#572)

kazupon · web-flow · commit f1824decad17 · 2026-05-17T17:27:18.000+09:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -33,6 +33,7 @@ jobs:
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install pnpm
         uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
@@ -71,6 +72,7 @@ jobs:
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install pnpm
         uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
@@ -115,6 +117,7 @@ jobs:
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install pnpm
         uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml
@@ -9,6 +9,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -18,6 +21,7 @@ jobs:
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install pnpm
         uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -15,6 +15,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout codes
+        # zizmor: ignore[artipacked] needs persisted credentials so that
+        # stefanzweifel/git-auto-commit-action can push the changelog commit.
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           ref: ${{ github.head_ref }}
@@ -39,14 +41,16 @@ jobs:
           separator: '/'
 
       - name: Create Github Release
-        run: gh release create ${{ steps.split.outputs._2 }} --generate-notes
+        run: gh release create "$TAG" --generate-notes
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ steps.split.outputs._2 }}
 
       - name: Generate changelog
-        run: pnpx gh-changelogen --repo=intlify/bundle-tools --tag=${{ steps.split.outputs._2 }}
+        run: pnpx gh-changelogen --repo=intlify/bundle-tools --tag="$TAG"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ steps.split.outputs._2 }}
 
       - name: Commit changelog
         uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
diff --git a/.github/workflows/reproduire.yml b/.github/workflows/reproduire.yml
@@ -4,6 +4,7 @@ on:
     types: [labeled]
 
 permissions:
+  contents: read
   issues: write
 
 jobs:
@@ -12,6 +13,8 @@ jobs:
     steps:
       - name: Checkout codes
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        with:
+          persist-credentials: false
       - uses: Hebilicious/reproduire@4b686ae9cbb72dad60f001d278b6e3b2ce40a9ac # v0.0.9
         with:
           label: 'Status: Need More Info' # Optional, will default to this value.
