Skip to content

[ci] Fixed Github workflow for forks#217

Open
asmodehn wants to merge 3 commits into
openwisp:masterfrom
asmodehn:master
Open

[ci] Fixed Github workflow for forks#217
asmodehn wants to merge 3 commits into
openwisp:masterfrom
asmodehn:master

Conversation

@asmodehn

@asmodehn asmodehn commented Jun 19, 2026

Copy link
Copy Markdown
Member

Run the maintenance github actions workflows only on this repo (avoid running on forks).

@coderabbitai

coderabbitai Bot commented Jun 19, 2026

Copy link
Copy Markdown

Review Change Stack

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6b82820b-f0bc-45f4-ab31-056bd594f5a5

📥 Commits

Reviewing files that changed from the base of the PR and between 0faf810 and 7ab1daa.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
📜 Recent review details
🧰 Additional context used
🪛 zizmor (1.26.1)
.github/workflows/ci.yml

[warning] 20-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 20-20: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 25-25: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🛑 Comments failed to post (1)
.github/workflows/ci.yml (1)

20-22: 🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Checkout of fork PR head lacks persist-credentials: false.

Checking out github.event.pull_request.head.sha (fork-controlled content) while persisting the default GITHUB_TOKEN credentials in .git/config is flagged by zizmor as artipacked. Since this step precedes an artifact upload later in the job, disable credential persistence to avoid the token being retrievable from the workspace.

🔒 Proposed fix
       - uses: actions/checkout@v7
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false

Additionally, this checkout/setup-python version bump (v7/v6) isn't mentioned in the AI-generated summary, which only describes the artifact/gating changes — please confirm this is intentional.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

      - uses: actions/checkout@v7
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 20-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 20-20: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 20 - 22, The checkout step in the CI
workflow is pulling fork-controlled pull request code with default GitHub token
credentials still persisted, which can expose credentials later in the job.
Update the actions/checkout step used with github.event.pull_request.head.sha to
disable credential persistence by setting persist-credentials to false, and keep
the existing ref behavior intact. Also verify whether the actions/checkout and
actions/setup-python version bumps are intentionally omitted from the summary,
since this workflow change should be reflected consistently.

Source: Linters/SAST tools

🔇 Additional comments (3)
.github/workflows/ci.yml (3)

46-54: 🔒 Security & Privacy

Artifact upload correctly captures the make publish output.

Uploading output/ as site-output matches the directory produced by the Makefile's publish target, and correctly decouples build from deploy for the fork-gating fix. The unpinned actions/upload-artifact@v4 (line 50) reference was already flagged in a prior review.


55-81: 🔒 Security & Privacy

Deploy job gating and artifact download logic is correct; pin/permissions gaps remain outstanding.

The job-level if restricting deploy to push events on openwisp/OpenWISP-Website, combined with needs: build and the artifact download into output/, correctly implements the fork-safety objective and preserves the SRC_URL/DST_URL deployment. The unpinned actions (lines 61, 67, 74) and missing explicit permissions block were already raised in a prior review and remain unaddressed here.


82-98: 🔒 Security & Privacy

Cache invalidation dependency/gating change is correct; permissions gap remains outstanding.

Switching needs from build to deploy and using a job-level if instead of step-level push checks is the right approach and removes the redundant build-success condition. The missing explicit permissions block for this job was already flagged in a prior review.


📝 Walkthrough

Walkthrough

The stale PR auto-assignment workflow gains a job-level if condition restricting execution to the openwisp/OpenWISP-Website repository. In the CI workflow, the build job now uploads the generated output/ directory as the site-output artifact. The deploy job is updated to download that artifact before deploying, and both deploy and invalidate-cache jobs switch from per-step if guards to job-level repository/push conditions. The invalidate-cache job's dependency changes from build to deploy.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
  participant BuildJob
  participant GitHubActionsArtifact as site-output artifact
  participant DeployJob
  participant GoogleCloudStorage as Google Cloud Storage
  participant InvalidateCacheJob

  BuildJob->>GitHubActionsArtifact: upload output/
  DeployJob->>GitHubActionsArtifact: download site-output into output/
  DeployJob->>GoogleCloudStorage: gsutil rsync deploy output/
  InvalidateCacheJob->>GoogleCloudStorage: invalidate cache after deploy
Loading

Possibly related PRs

Suggested reviewers

  • nemesifier

Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

  • Ignore

❌ Failed checks (1 error)

Check name Status Explanation Resolution
General Rules ❌ Error ci.yml still checks out github.event.pull_request.head.sha without persist-credentials: false before artifact upload, so fork-controlled code can access the token. Add persist-credentials: false to the checkout step. If the author is external, also ensure the PR targets a validated, labeled issue/project.
✅ Passed checks (7 passed)
Check name Status Explanation
Title check ✅ Passed The title is descriptive and matches the workflow changes to avoid running on forks.
Description check ✅ Passed The description clearly relates to restricting GitHub Actions workflows to this repository.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Bug Fixes ✅ Passed PASS — This PR only changes GitHub Actions workflows to skip repo-specific jobs on forks; the workflow-fix exception applies, so no regression test is expected.
Features ✅ Passed This PR is a workflow-maintenance fix, not a feature request, so issue/docs/tests/screenshots requirements don’t apply.
Changes ✅ Passed Internal workflow gating only; no documented behavior, UI, or public API changed, and no workflow-specific test surface exists.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 55-57: The deploy job and other jobs in the workflow lack explicit
least-privilege permissions declarations, allowing them to inherit overly broad
default GITHUB_TOKEN scope. Add an explicit permissions section at the job level
(or workflow level) for the deploy job and all other affected jobs (as noted at
lines 82-85) to specify only the minimal required permissions. For most
deployment scenarios, you may need to set permissions to read-only or none
depending on what the job actually needs to access. Reference the job names like
deploy and any other jobs mentioned in the comment to add the appropriate
permissions blocks.
- Line 50: Replace all floating version tags for GitHub Actions in the workflow
file with specific commit SHAs to ensure supply chain security. For each of the
four actions (actions/upload-artifact, actions/download-artifact,
google-github-actions/auth, and google-github-actions/setup-gcloud), change the
format from `@vX` tags to `@COMMIT_SHA` format where COMMIT_SHA is the full
immutable commit hash. This prevents potential compromises or unexpected changes
to third-party actions while maintaining the intended functionality.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1265a0ce-777f-4233-b03f-654180e921ca

📥 Commits

Reviewing files that changed from the base of the PR and between 069a615 and 0faf810.

📒 Files selected for processing (2)
  • .github/workflows/bot-autoassign-stale-pr.yml
  • .github/workflows/ci.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build
🧰 Additional context used
🪛 zizmor (1.25.2)
.github/workflows/ci.yml

[warning] 55-80: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


[warning] 77-77: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 77-77: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[error] 50-50: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 61-61: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 67-67: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 74-74: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[info] 55-55: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)


[info] 82-82: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)

🔇 Additional comments (1)
.github/workflows/bot-autoassign-stale-pr.yml (1)

15-15: LGTM!

Comment thread .github/workflows/ci.yml
run: make publish

- name: Upload build output
uses: actions/upload-artifact@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if the file exists and examine the relevant lines
if [ -f .github/workflows/ci.yml ]; then
  echo "=== File exists ==="
  wc -l .github/workflows/ci.yml
  echo ""
  echo "=== Lines 45-55 (around line 50) ==="
  sed -n '45,55p' .github/workflows/ci.yml
  echo ""
  echo "=== Lines 56-65 (around line 61) ==="
  sed -n '56,65p' .github/workflows/ci.yml
  echo ""
  echo "=== Lines 62-72 (around line 67) ==="
  sed -n '62,72p' .github/workflows/ci.yml
  echo ""
  echo "=== Lines 69-79 (around line 74) ==="
  sed -n '69,79p' .github/workflows/ci.yml
else
  echo "File not found"
fi

Repository: openwisp/OpenWISP-Website

Length of output: 1561


Pin newly introduced GitHub Actions to commit SHAs for supply-chain integrity.

The workflow uses floating version tags (@v4, @v3) for third-party GitHub Actions, which can be compromised or unexpectedly changed. Pin these to immutable commit SHAs instead:

  • Line 50: actions/upload-artifact@v4
  • Line 61: actions/download-artifact@v4
  • Line 67: google-github-actions/auth@v3
  • Line 74: google-github-actions/setup-gcloud@v3
Suggested change
-      - name: Upload build output
-        uses: actions/upload-artifact@v4
+      - name: Upload build output
+        uses: actions/upload-artifact@<full_commit_sha>

-      - name: Download build output
-        uses: actions/download-artifact@v4
+      - name: Download build output
+        uses: actions/download-artifact@<full_commit_sha>

-      - name: Setup Google Cloud
-        uses: "google-github-actions/auth@v3"
+      - name: Setup Google Cloud
+        uses: "google-github-actions/auth@<full_commit_sha>"

-      - name: Set up Cloud SDK
-        uses: "google-github-actions/setup-gcloud@v3"
+      - name: Set up Cloud SDK
+        uses: "google-github-actions/setup-gcloud@<full_commit_sha>"
🧰 Tools
🪛 zizmor (1.25.2)

[error] 50-50: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 50, Replace all floating version tags for
GitHub Actions in the workflow file with specific commit SHAs to ensure supply
chain security. For each of the four actions (actions/upload-artifact,
actions/download-artifact, google-github-actions/auth, and
google-github-actions/setup-gcloud), change the format from `@vX` tags to
`@COMMIT_SHA` format where COMMIT_SHA is the full immutable commit hash. This
prevents potential compromises or unexpected changes to third-party actions
while maintaining the intended functionality.

Source: Linters/SAST tools

Comment thread .github/workflows/ci.yml
Comment on lines +55 to +57
deploy:
if: github.repository == 'openwisp/OpenWISP-Website' && github.event_name == 'push'
runs-on: ubuntu-24.04

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Set explicit least-privilege permissions for CI jobs.

These jobs currently inherit default token permissions. Declare minimal permissions explicitly at workflow or job level to avoid over-broad GITHUB_TOKEN scope.

Suggested change
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-24.04
@@
   deploy:
     if: github.repository == 'openwisp/OpenWISP-Website' && github.event_name == 'push'
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
@@
   invalidate-cache:
     runs-on: ubuntu-latest
     if: github.repository == 'openwisp/OpenWISP-Website' && github.event_name == 'push'
+    permissions:
+      contents: read

Also applies to: 82-85

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 55-80: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


[info] 55-55: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 55 - 57, The deploy job and other jobs
in the workflow lack explicit least-privilege permissions declarations, allowing
them to inherit overly broad default GITHUB_TOKEN scope. Add an explicit
permissions section at the job level (or workflow level) for the deploy job and
all other affected jobs (as noted at lines 82-85) to specify only the minimal
required permissions. For most deployment scenarios, you may need to set
permissions to read-only or none depending on what the job actually needs to
access. Reference the job names like deploy and any other jobs mentioned in the
comment to add the appropriate permissions blocks.

Source: Linters/SAST tools

@nemesifier nemesifier changed the title [CI] Fixing Github workflow for forks [ci] Fixed Github workflow for forks Jul 3, 2026

@nemesifier nemesifier left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@asmodehn can you make the same formatting changes (break line) done elsewhere please?

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/ci.yml (1)

20-20: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Unpinned action references on new/changed lines.

actions/checkout@v7 (line 20) and actions/setup-python@v6 (line 25) use floating tags rather than immutable commit SHAs. This extends the same supply-chain concern already raised in past reviews for lines 50/61/67/74.

Also applies to: 25-25

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 20, The workflow still uses floating action
tags in the updated CI job, specifically the actions referenced by checkout and
setup-python. Replace the unpinned references in the CI workflow with immutable
commit SHAs, matching the existing pattern already used elsewhere in the file,
and keep the changes centered around the checkout and setup-python steps.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 20-22: The checkout step in the CI workflow is pulling
fork-controlled pull request code with default GitHub token credentials still
persisted, which can expose credentials later in the job. Update the
actions/checkout step used with github.event.pull_request.head.sha to disable
credential persistence by setting persist-credentials to false, and keep the
existing ref behavior intact. Also verify whether the actions/checkout and
actions/setup-python version bumps are intentionally omitted from the summary,
since this workflow change should be reflected consistently.

---

Duplicate comments:
In @.github/workflows/ci.yml:
- Line 20: The workflow still uses floating action tags in the updated CI job,
specifically the actions referenced by checkout and setup-python. Replace the
unpinned references in the CI workflow with immutable commit SHAs, matching the
existing pattern already used elsewhere in the file, and keep the changes
centered around the checkout and setup-python steps.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6b82820b-f0bc-45f4-ab31-056bd594f5a5

📥 Commits

Reviewing files that changed from the base of the PR and between 0faf810 and 7ab1daa.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
📜 Review details
🧰 Additional context used
🪛 zizmor (1.26.1)
.github/workflows/ci.yml

[warning] 20-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 20-20: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 25-25: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🔇 Additional comments (3)
.github/workflows/ci.yml (3)

46-54: 🔒 Security & Privacy

Artifact upload correctly captures the make publish output.

Uploading output/ as site-output matches the directory produced by the Makefile's publish target, and correctly decouples build from deploy for the fork-gating fix. The unpinned actions/upload-artifact@v4 (line 50) reference was already flagged in a prior review.


55-81: 🔒 Security & Privacy

Deploy job gating and artifact download logic is correct; pin/permissions gaps remain outstanding.

The job-level if restricting deploy to push events on openwisp/OpenWISP-Website, combined with needs: build and the artifact download into output/, correctly implements the fork-safety objective and preserves the SRC_URL/DST_URL deployment. The unpinned actions (lines 61, 67, 74) and missing explicit permissions block were already raised in a prior review and remain unaddressed here.


82-98: 🔒 Security & Privacy

Cache invalidation dependency/gating change is correct; permissions gap remains outstanding.

Switching needs from build to deploy and using a job-level if instead of step-level push checks is the right approach and removes the redundant build-success condition. The missing explicit permissions block for this job was already flagged in a prior review.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.

Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/ci.yml (1)

20-20: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Unpinned action references on new/changed lines.

actions/checkout@v7 (line 20) and actions/setup-python@v6 (line 25) use floating tags rather than immutable commit SHAs. This extends the same supply-chain concern already raised in past reviews for lines 50/61/67/74.

Also applies to: 25-25

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 20, The workflow still uses floating action
tags in the updated CI job, specifically the actions referenced by checkout and
setup-python. Replace the unpinned references in the CI workflow with immutable
commit SHAs, matching the existing pattern already used elsewhere in the file,
and keep the changes centered around the checkout and setup-python steps.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 20-22: The checkout step in the CI workflow is pulling
fork-controlled pull request code with default GitHub token credentials still
persisted, which can expose credentials later in the job. Update the
actions/checkout step used with github.event.pull_request.head.sha to disable
credential persistence by setting persist-credentials to false, and keep the
existing ref behavior intact. Also verify whether the actions/checkout and
actions/setup-python version bumps are intentionally omitted from the summary,
since this workflow change should be reflected consistently.

---

Duplicate comments:
In @.github/workflows/ci.yml:
- Line 20: The workflow still uses floating action tags in the updated CI job,
specifically the actions referenced by checkout and setup-python. Replace the
unpinned references in the CI workflow with immutable commit SHAs, matching the
existing pattern already used elsewhere in the file, and keep the changes
centered around the checkout and setup-python steps.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6b82820b-f0bc-45f4-ab31-056bd594f5a5

📥 Commits

Reviewing files that changed from the base of the PR and between 0faf810 and 7ab1daa.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
📜 Review details
🔇 Additional comments (3)
.github/workflows/ci.yml (3)

46-54: 🔒 Security & Privacy

Artifact upload correctly captures the make publish output.

Uploading output/ as site-output matches the directory produced by the Makefile's publish target, and correctly decouples build from deploy for the fork-gating fix. The unpinned actions/upload-artifact@v4 (line 50) reference was already flagged in a prior review.


55-81: 🔒 Security & Privacy

Deploy job gating and artifact download logic is correct; pin/permissions gaps remain outstanding.

The job-level if restricting deploy to push events on openwisp/OpenWISP-Website, combined with needs: build and the artifact download into output/, correctly implements the fork-safety objective and preserves the SRC_URL/DST_URL deployment. The unpinned actions (lines 61, 67, 74) and missing explicit permissions block were already raised in a prior review and remain unaddressed here.


82-98: 🔒 Security & Privacy

Cache invalidation dependency/gating change is correct; permissions gap remains outstanding.

Switching needs from build to deploy and using a job-level if instead of step-level push checks is the right approach and removes the redundant build-success condition. The missing explicit permissions block for this job was already flagged in a prior review.

🛑 Comments failed to post (1)
.github/workflows/ci.yml (1)

20-22: 🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Checkout of fork PR head lacks persist-credentials: false.

Checking out github.event.pull_request.head.sha (fork-controlled content) while persisting the default GITHUB_TOKEN credentials in .git/config is flagged by zizmor as artipacked. Since this step precedes an artifact upload later in the job, disable credential persistence to avoid the token being retrievable from the workspace.

🔒 Proposed fix
       - uses: actions/checkout@v7
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false

Additionally, this checkout/setup-python version bump (v7/v6) isn't mentioned in the AI-generated summary, which only describes the artifact/gating changes — please confirm this is intentional.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

      - uses: actions/checkout@v7
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 20-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 20-20: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 20 - 22, The checkout step in the CI
workflow is pulling fork-controlled pull request code with default GitHub token
credentials still persisted, which can expose credentials later in the job.
Update the actions/checkout step used with github.event.pull_request.head.sha to
disable credential persistence by setting persist-credentials to false, and keep
the existing ref behavior intact. Also verify whether the actions/checkout and
actions/setup-python version bumps are intentionally omitted from the summary,
since this workflow change should be reflected consistently.

Source: Linters/SAST tools

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants