ci: add shared security scanning workflow#1900
Merged
breedx-splk merged 4 commits intoJul 16, 2026
Merged
Conversation
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
14 tasks
Contributor
There was a problem hiding this comment.
Pull request overview
Adds Zizmor GitHub Actions security scanning to this repository by wiring in the OpenTelemetry shared reusable workflow (pinned to an immutable commit), and hardens multiple existing workflows by ensuring actions/checkout does not persist credentials by default.
Changes:
- Add a new
.github/workflows/zizmor.ymlworkflow that runs Zizmor on PRs, pushes tomain/release/*, and a weekly schedule, uploading SARIF to GitHub code scanning. - Update multiple workflows to set
actions/checkoutpersist-credentials: falseto reduce risk of unintended credential reuse in subsequent steps. - Adjust release-branch preparation workflows to explicitly keep credentials where required for
git push, and request PR permissions for the GitHub App token used to open PRs.
PR Merge Tier: Tier 3 (build/CI infrastructure change)
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/zizmor.yml |
Adds reusable Zizmor code scanning workflow invocation pinned to a shared-workflows commit. |
.github/workflows/reusable-workflow-notification.yml |
Disables persisted checkout credentials in reusable notification workflow. |
.github/workflows/reusable-link-check.yml |
Disables persisted checkout credentials in reusable link-check workflow. |
.github/workflows/remove-needs-author-feedback.yaml |
Disables persisted checkout credentials in issue label management workflow. |
.github/workflows/release.yml |
Disables persisted checkout credentials across multiple checkouts in the release workflow. |
.github/workflows/prepare-release-branch.yml |
Disables persisted credentials where not needed; retains them where pushes occur; adjusts GitHub App token permissions for PR creation. |
.github/workflows/pr-check.yaml |
Disables persisted checkout credentials in PR build workflow. |
.github/workflows/gradle-wrapper-validation.yml |
Disables persisted checkout credentials in wrapper validation workflow. |
.github/workflows/fossa.yml |
Disables persisted checkout credentials in FOSSA workflow. |
.github/workflows/draft-change-log-entries.yaml |
Attempts to disable persisted checkout credentials (currently has a YAML issue with duplicate with:). |
.github/workflows/build.yaml |
Disables persisted checkout credentials in build and publish-snapshot jobs. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Tracked in open-telemetry/sig-security#293.
Adds zizmor scanning through the OpenTelemetry shared workflow.
The workflow:
regularpersona on pull requests, pushes tomain,release/*, and a randomized weekly schedule;Zizmor remediation
This change also resolves findings from these zizmor rules:
artipackedgithub-appAfter merge
zizmorcode-scanning result.If enforcement unexpectedly blocks a valid change, restore
require_zizmor = falseinopen-telemetry/adminwhile leaving scanning enabled.