
Add zizmor for gh action security analysis#10949

Open
coreycb wants to merge 1 commit into thunderbird:main from coreycb:zizmor

Conversation

@coreycb
Collaborator

@coreycb coreycb commented Apr 27, 2026

Also fix the following zizmor issues:

  • Add persist-credentials: false to all actions/checkout steps (artipacked)
  • Fix template injection in pr-request-report-labels.yml by moving pull_request context values to env variables instead of inline expressions
  • Replace secrets: inherit in build-daily.yml with explicit secret passing, and declare secrets in shippable_builds.yml workflow_call
  • Replace softprops/action-gh-release with gh release create in shippable_builds.yml (superfluous-actions)
  • Fix spoofable bot actor check in pr-dependabot-dependency-guard-update.yml
  • Fix various issues to tighten up pull_request_target workflows

Also fix the following zizmor issues:
- Add persist-credentials: false to all actions/checkout steps (artipacked)
- Fix template injection in pr-request-report-labels.yml by moving
  pull_request context values to env variables instead of inline expressions
- Replace secrets: inherit in build-daily.yml with explicit secret passing,
  and declare secrets in shippable_builds.yml workflow_call
- Replace softprops/action-gh-release with gh release create in
  shippable_builds.yml (superfluous-actions)
- Fix spoofable bot actor check in pr-dependabot-dependency-guard-update.yml
- Fix various issues in pull_request_target workflows
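To make the first two bullets concrete, here is an added before/after sketch of the patterns zizmor flags; it is not the PR's actual diff, and the workflow name, step, label name and the `gh pr edit` command are assumptions. The vulnerable form lets GitHub expand an attacker-controlled value straight into the generated shell script; the fixed form hands it to the shell as an environment variable (data, not code) and stops the checkout from leaving the token in `.git/config`.

```yaml
# Before (constructed example): template injection plus a persisted token
name: pr-request-report-labels
on:
  pull_request_target:
    types: [opened, edited]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4      # default persist-credentials: true stores GITHUB_TOKEN in .git/config
      - name: Label PRs that look like bug reports
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          # ${{ ... }} is substituted into this script BEFORE bash runs it, so a PR
          # title containing a double quote and a semicolon ends the echo argument
          # and the rest of the title runs as a separate command.
          if echo "${{ github.event.pull_request.title }}" | grep -q '^Bug '; then
            gh pr edit ${{ github.event.pull_request.number }} --add-label needs-report
          fi
---
# After (constructed example): context values move to env, checkout stops persisting the token
name: pr-request-report-labels
on:
  pull_request_target:
    types: [opened, edited]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # zizmor: artipacked
      - name: Label PRs that look like bug reports
        env:
          GH_TOKEN: ${{ github.token }}
          # The runner sets these as process environment; bash never parses their contents.
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # "$PR_TITLE" is an ordinary quoted expansion: whatever the title contains
          # stays a single string argument to echo.
          if echo "$PR_TITLE" | grep -q '^Bug '; then
            gh pr edit "$PR_NUMBER" --add-label needs-report
          fi
```

With `pull_request_target` the job still runs with the base repository's token, so the env move removes the script injection but the workflow's permissions and what it does with untrusted input remain worth reviewing on their own.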
@coreycb coreycb requested a review from a team as a code owner April 27, 2026 01:00
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@dandarnell
Contributor

I'm not 100% sure of the caveats, but setting persist-credentials to false breaks checkouts when using SSH. Setting it on comm-l10n-unified broke its mirror action, and I suspect it might break actions here as well.

@coreycb
Collaborator Author

coreycb commented Apr 27, 2026

> I'm not 100% sure of the caveats, but setting persist-credentials to false breaks checkouts when using SSH. Setting it on comm-l10n-unified broke its mirror action, and I suspect it might break actions here as well.

Yeah these changes are almost guaranteed to break something. Maybe they should be phased in to limit the impact. I can split into different patches.
