From 34ebdecb6701e7dbb8ef45e85704536d08898a1d Mon Sep 17 00:00:00 2001 From: ab-ghosh Date: Sat, 4 Apr 2026 15:03:13 +0530 Subject: [PATCH 1/3] ci: fix GitHub Actions security issues found by zizmor Run zizmor --fix=all to auto-fix security findings: - Add persist-credentials: false to all actions/checkout steps (artipacked) - Replace ${{ }} in run: blocks with shell env vars (template-injection) - Disable setup-go cache on schedule-triggered workflow (cache-poisoning) --- .github/workflows/ci.yaml | 21 ++++++++++++++++----- .github/workflows/codeql.yml | 2 ++ .github/workflows/go-coverage.yml | 1 + .github/workflows/goclean.yml | 3 +++ .github/workflows/reusable-e2e.yaml | 4 +++- .github/workflows/test-on-microshift.yaml | 3 ++- 6 files changed, 27 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 2aac5c94f1..1f84c52aa6 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -31,10 +31,11 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: ${{ steps.base-depth.outputs.base-depth }} + persist-credentials: false - name: detect id: detect run: | - git fetch origin ${{ github.base_ref }} + git fetch origin ${GITHUB_BASE_REF} CHANGED_FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }} | tr ' ' '\n') echo -e "Changed files:\n${CHANGED_FILES}" @@ -55,6 +56,8 @@ jobs: if: ${{ needs.changes.outputs.non-docs == 'true' }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 with: go-version-file: "go.mod" @@ -69,6 +72,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 with: go-version-file: "go.mod" 
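Review bot: The `detect` step still runs `git fetch origin ${GITHUB_BASE_REF}` immediately after the checkout above it was switched to `persist-credentials: false`, so that fetch presumably now goes out without the `GITHUB_TOKEN` auth header and only succeeds because the repository is public; it would start failing on a private mirror, so the dependency deserves a comment on the fetch line: `# unauthenticated fetch (persist-credentials: false above); relies on the repo being public`. The expansion should also be quoted, `git fetch origin "${GITHUB_BASE_REF}"`, since a ref name with shell metacharacters is the kind of input the template-injection fix is meant to stop trusting. The two `${{ github.event.pull_request.*.sha }}` expressions left in the `git diff` line are commit SHAs and not attacker-shaped, so leaving them inline is defensible, though routing them through `env:` as the `NEEDS_*` values are elsewhere in this commit would keep the step uniform. The step's `run` block continues past the end of the hunk.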
@@ -102,6 +106,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 with: go-version-file: "go.mod" @@ -121,10 +127,10 @@ jobs: - name: Check CI results run: | results=( - "build=${{ needs.build.result }}" - "linting=${{ needs.linting.result }}" - "tests=${{ needs.tests.result }}" - "e2e-tests=${{ needs.e2e-tests.result }}" + "build=${NEEDS_BUILD_RESULT}" + "linting=${NEEDS_LINTING_RESULT}" + "tests=${NEEDS_TESTS_RESULT}" + "e2e-tests=${NEEDS_E2E_TESTS_RESULT}" ) failed=0 for r in "${results[@]}"; do @@ -142,3 +148,8 @@ jobs: fi echo "" echo "All CI checks passed" + env: + NEEDS_BUILD_RESULT: ${{ needs.build.result }} + NEEDS_LINTING_RESULT: ${{ needs.linting.result }} + NEEDS_TESTS_RESULT: ${{ needs.tests.result }} + NEEDS_E2E_TESTS_RESULT: ${{ needs.e2e-tests.result }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1b9d0f80cf..8e5c68c7a5 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -41,6 +41,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/go-coverage.yml b/.github/workflows/go-coverage.yml index 339ac72288..0eaaf7a4d9 100644 --- a/.github/workflows/go-coverage.yml +++ b/.github/workflows/go-coverage.yml @@ -38,6 +38,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: path: ${{ github.workspace }}/src/github.com/tektoncd/chains + persist-credentials: false - name: Set up Go uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 diff --git a/.github/workflows/goclean.yml b/.github/workflows/goclean.yml index d0bdb0d46e..6aee369c2a 100644 
--- a/.github/workflows/goclean.yml +++ b/.github/workflows/goclean.yml @@ -25,11 +25,14 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Go uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 with: go-version-file: "go.mod" + cache: false - name: go vet run: | diff --git a/.github/workflows/reusable-e2e.yaml b/.github/workflows/reusable-e2e.yaml index be0b462a1e..cd99cc1f87 100644 --- a/.github/workflows/reusable-e2e.yaml +++ b/.github/workflows/reusable-e2e.yaml @@ -36,6 +36,8 @@ jobs: - name: Check out our repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Go uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0 @@ -53,7 +55,7 @@ jobs: - name: Install Tekton pipelines run: | - while ! kubectl apply --filename ${{ env.TEKTON_PIPELINES_RELEASE }} + while ! kubectl apply --filename ${TEKTON_PIPELINES_RELEASE} do echo "waiting for tekton pipelines to get installed" sleep 2 diff --git a/.github/workflows/test-on-microshift.yaml b/.github/workflows/test-on-microshift.yaml index 3b521ea22e..54ecfe2c2b 100644 --- a/.github/workflows/test-on-microshift.yaml +++ b/.github/workflows/test-on-microshift.yaml @@ -30,6 +30,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: path: ${{ github.workspace }}/src/github.com/tektoncd/chains + persist-credentials: false - uses: imjasonh/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9 @@ -66,4 +67,4 @@ jobs: export KUBECONFIG=$HOME/.kube/config - source ${{ github.workspace }}/src/github.com/tektoncd/chains/test/microshift_test.sh \ No newline at end of file + source ${{ github.workspace }}/src/github.com/tektoncd/chains/test/microshift_test.sh From dabcb91b77dcd3f11ce4df6613bdf8af6fd5d609 Mon Sep 17 00:00:00 2001 
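Review bot: The new `cache: false` on `setup-go` in goclean.yml carries no explanation, and the reason given only in the commit message (this workflow also runs on a schedule, where a restored cache written from a less trusted trigger could be poisoned) is not recoverable from the hunk, where only `go-version-file` is visible; annotate it as `cache: false  # zizmor cache-poisoning: workflow also runs on schedule; do not restore caches other triggers can write` so the next person does not re-enable it for speed. If module-download time matters, a narrower option to evaluate is keeping the cache for non-scheduled runs only, e.g. `cache: ${{ github.event_name != 'schedule' }}`, assuming setup-go accepts an expression there. The `go vet` step's `run` block begins at the end of the hunk and continues outside it.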
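Review bot: The retry loop around `kubectl apply --filename ${TEKTON_PIPELINES_RELEASE}` in reusable-e2e.yaml has no upper bound, so a wrong or unreachable release URL leaves the job spinning until the runner timeout instead of failing with a clear message; change the condition to `while ! kubectl apply --filename "${TEKTON_PIPELINES_RELEASE}"` and add, directly after `do`, `[ "$((attempts += 1))" -lt 30 ] || { echo "timed out waiting for tekton pipelines" >&2; exit 1; }`. That also quotes the expansion, which the hunk leaves bare. The `env:` definition of `TEKTON_PIPELINES_RELEASE` is outside the hunk, so whether it is derived from a caller-supplied input cannot be confirmed from here; if it is, the move to a shell variable closes the shell-injection path but `kubectl apply` still installs whatever manifest the caller names, which is acceptable only while callers are in-repo. The loop's `done` and the rest of the step are outside the hunk.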
From: ab-ghosh Date: Sat, 4 Apr 2026 15:04:10 +0530 Subject: [PATCH 2/3] ci: add zizmor GitHub Actions security analysis Add zizmor workflow that runs on pushes to main and PRs, uploading SARIF results to GitHub Advanced Security. --- .github/workflows/zizmor.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/workflows/zizmor.yaml diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml new file mode 100644 index 0000000000..88205a97e1 --- /dev/null +++ b/.github/workflows/zizmor.yaml @@ -0,0 +1,23 @@ +name: GitHub Actions Security Analysis with zizmor + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + zizmor: + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 From b60fdd58f1b2a0c7a3ca8f9589d62b5dcb144c86 Mon Sep 17 00:00:00 2001 From: ab-ghosh Date: Sat, 4 Apr 2026 15:09:45 +0530 Subject: [PATCH 3/3] ci: fix remaining zizmor findings (permissions) Scope permissions to job level instead of workflow level: - Move checks: write from workflow level to linting job in ci.yaml - Add permissions: contents: read to goclean.yml - Add permissions: contents: read to kind-e2e.yaml jobs --- .github/workflows/ci.yaml | 4 +++- .github/workflows/goclean.yml | 3 +++ .github/workflows/kind-e2e.yaml | 4 ++++ 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 1f84c52aa6..574e8ec28d 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -14,7 +14,6 @@ defaults: permissions: contents: read - checks: write # Used to annotate code in the PR jobs: changes: 
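Review bot: The new zizmor job grants only `security-events: write`, but on `pull_request` runs from forks the `GITHUB_TOKEN` is issued read-only, so the SARIF upload performed by `zizmor-action` may be rejected there and the job would surface an infrastructure failure rather than a finding; confirm how the action behaves without upload rights and, if needed, gate the upload on the PR not coming from a fork while still failing the job on findings. As I recall the action's own guidance additionally lists `contents: read` and `actions: read` for private repositories; not needed for a public repo, but a comment on the `permissions:` block such as `# contents/actions read not needed: public repo` would make the omission read as deliberate. Lastly, `branches: ["**"]` under `pull_request` is a no-op filter (it matches every branch) and can simply be dropped for clarity.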
@@ -67,6 +66,9 @@ jobs: linting: name: lint runs-on: ubuntu-latest + permissions: + contents: read + checks: write # Used by golangci-lint to annotate code in the PR needs: [changes] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/goclean.yml b/.github/workflows/goclean.yml index 6aee369c2a..1e02bf28a7 100644 --- a/.github/workflows/goclean.yml +++ b/.github/workflows/goclean.yml @@ -1,5 +1,8 @@ name: goclean +permissions: + contents: read + on: push: paths: diff --git a/.github/workflows/kind-e2e.yaml b/.github/workflows/kind-e2e.yaml index 96b3463cea..1197682032 100644 --- a/.github/workflows/kind-e2e.yaml +++ b/.github/workflows/kind-e2e.yaml @@ -16,6 +16,8 @@ defaults: jobs: k8s: + permissions: + contents: read concurrency: group: ${{ github.workflow }}-${{ matrix.k8s-version }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true @@ -33,6 +35,8 @@ jobs: k8s-version: ${{ matrix.k8s-version }} pipelines-release: v1.2.0 # Latest version pipelines-lts: + permissions: + contents: read concurrency: group: ${{ github.workflow }}-${{ matrix.pipelines-release }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true
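Review bot: The job-level `permissions: contents: read` on `k8s` and `pipelines-lts` in kind-e2e.yaml also bounds the reusable workflow those jobs appear to call (the `with: k8s-version / pipelines-release` inputs are visible; the `uses:` line is outside the hunk): a called workflow can only narrow the caller's permissions, never widen them, so every step of reusable-e2e.yaml is now limited to read-only `contents` and nothing else. Nothing in the hunk shows what those e2e jobs need, e.g. whether anything pushes images or requests an OIDC token via `packages: write` or `id-token: write`, so please confirm both matrix jobs still pass before merging rather than relying on the zizmor run, which does not exercise this. A comment on each block would make the intent durable: `permissions:  # also caps reusable-e2e.yaml; called workflows can only narrow these`.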