Skip to content

chore: add zizmor GitHub Actions security workflow#518

Merged
jkowalleck merged 6 commits intomainfrom
copilot/add-zizmor-to-workflows
May 6, 2026
Merged

chore: add zizmor GitHub Actions security workflow#518
jkowalleck merged 6 commits intomainfrom
copilot/add-zizmor-to-workflows

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented May 5, 2026
edited
Loading

Description

Adds .github/workflows/zizmor.yml to continuously audit all workflows in .github/workflows/** for security issues using zizmor.

Workflow behaviour

  • pull_request (path-filtered to .github/workflows/**): runs on every PR touching workflow files; job fails on any findings, blocking merge
  • push (path-filtered to .github/workflows/**): runs on every push touching workflow files
  • schedule: weekly full scan every Saturday 00:00 UTC regardless of changes

Implementation details

  • advanced-security: false — emits findings as workflow-command annotations (::error file=…) rather than uploading a SARIF report to GitHub's Security tab; produces a non-zero exit on findings (blocking). Uploading SARIF would require security-events: write and GitHub Advanced Security (GHAS), both of which are unnecessary here and would violate the least-privilege policy. The two modes are mutually exclusive: advanced-security must be false for annotations to take effect.
  • annotations: true — surfaces findings as GitHub PR annotations (up to 10 rendered inline; remainder in job log)
  • persist-credentials: false on checkout
  • Least-privilege: permissions: {} at workflow level, contents: read at job level only
  • timeout-minutes: 10
  • All action refs pinned to full commit SHAs with version comments, matching repo conventions

Also fixes all zizmor findings in the existing nodejs.yml and release.yml workflows:

  • Added persist-credentials: false to all checkout steps
  • Updated actions/setup-node SHA to current v6 tag (48b55a011bda)
  • Fixed DerLev/eslint-annotations impostor SHA → correct v2 SHA (a79ea65c1b45)
  • Replaced softprops/action-gh-release with gh release CLI commands

Resolves or fixes issue: none

AI Tool Disclosure

  • My contribution does not include any AI-generated content
  • My contribution includes AI-generated content, as disclosed below:
    • AI Tools: GitHub Copilot
    • LLMs and versions: Claude Sonnet 4.5
    • Prompts: Create a zizmor GitHub Actions security workflow per the issue spec

Affirmation

Copilot AI linked an issue May 5, 2026 that may be closed by this pull request
chore: Harden all GitHub Workflows using Zizmor #517
Closed
@codacy-production
Copy link
Copy Markdown

codacy-production Bot commented May 5, 2026
edited
Loading

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

Copilot AI changed the title [WIP] Add Zizmor to harden all GitHub workflows chore: add zizmor GitHub Actions security workflow May 5, 2026
Copilot AI requested a review from jkowalleck May 5, 2026 15:43
jkowalleck
jkowalleck requested changes May 5, 2026
View reviewed changes
Comment thread .github/workflows/zizmor.yml
Comment thread .github/workflows/zizmor.yml
Comment thread .github/workflows/zizmor.yml Outdated
@jkowalleck
Apply suggestions from code review
86f82a1 
Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Copilot AI requested a review from jkowalleck May 5, 2026 16:03
@jkowalleck
Copy link
Copy Markdown
Member

jkowalleck commented May 5, 2026

zizmor has some fingsind

Status: Downloaded newer image for ghcr.io/zizmorcore/zizmor@sha256:128ebbe369a95f9d4427737e794537256095b55f779a247aebc960dc4ea1f7b3
 INFO zizmor: 🌈 zizmor v1.24.1
 WARN audit:audit{input=Workflow(file://./.github/workflows/nodejs.yml)}: zizmor::audit::impostor_commit: fast path impostor check failed for DerLev/eslint-annotations@e75c54a2984700c03d60c5252c9c6a203bf013f5: request error while accessing GitHub API
 INFO audit: zizmor: 🌈 completed ./.github/workflows/nodejs.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/release.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/zizmor.yml
Warning: nodejs.yml:35: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
Warning: nodejs.yml:81: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
Warning: nodejs.yml:127: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
Warning: nodejs.yml:156: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
Warning: nodejs.yml:186: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
Warning: nodejs.yml:229: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
Warning: nodejs.yml:299: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
Error: nodejs.yml:110: commit with no history in referenced repository: uses a commit that doesn't belong to the specified org/repo
Warning: nodejs.yml:40: action's hash pin has mismatched or missing version comment: points to commit 48b55a011bda
Warning: nodejs.yml:87: action's hash pin has mismatched or missing version comment: points to commit 48b55a011bda
Warning: nodejs.yml:110: action's hash pin has mismatched or missing version comment: points to commit a79ea65c1b45
Warning: nodejs.yml:133: action's hash pin has mismatched or missing version comment: points to commit 48b55a011bda
Warning: nodejs.yml:162: action's hash pin has mismatched or missing version comment: points to commit 48b55a011bda
Warning: nodejs.yml:234: action's hash pin has mismatched or missing version comment: points to commit 48b55a011bda
Warning: nodejs.yml:304: action's hash pin has mismatched or missing version comment: points to commit 48b55a011bda
Warning: release.yml:44: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
Warning: release.yml:103: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
Warning: release.yml:150: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
Warning: release.yml:174: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
Warning: release.yml:59: action's hash pin has mismatched or missing version comment: points to commit 48b55a011bda
Warning: release.yml:110: action's hash pin has mismatched or missing version comment: points to commit 48b55a011bda
Warning: release.yml:181: action's hash pin has mismatched or missing version comment: points to commit 48b55a011bda
Warning: release.yml:225: action's hash pin has mismatched or missing version comment: points to commit 48b55a011bda
Notice: release.yml:293: action functionality is already included by the runner: use `gh release` in a script step
Error: Process completed with exit code 14.

@copilot fix the findings from zizmor

Copy link
Copy Markdown
Contributor Author

Copilot AI commented May 5, 2026

zizmor has some fingsind

...

Fixed in 3ebad30. Changes across nodejs.yml and release.yml:

  • persist-credentials: false added to all checkout steps; the bump job now sets the remote URL with GITHUB_TOKEN explicitly before git push instead of relying on persisted credentials
  • actions/setup-node SHA updated from v6.3.0 (53b83947) to the current v6 tag (48b55a011bda)
  • DerLev/eslint-annotations impostor SHA replaced with the correct v2 SHA (a79ea65c1b45)
  • softprops/action-gh-release replaced with gh release CLI commands

jkowalleck added 2 commits May 5, 2026 18:20
@jkowalleck
Update release.yml
1cf2496 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck
Update release.yml
11b87ed 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck jkowalleck marked this pull request as ready for review May 5, 2026 16:40
@jkowalleck jkowalleck requested a review from a team as a code owner May 5, 2026 16:40
@jkowalleck
Copy link
Copy Markdown
Member

jkowalleck commented May 5, 2026

@copilot the pr description does not follow the pullrequest template. fix this

jkowalleck
jkowalleck reviewed May 5, 2026
View reviewed changes
Comment thread .github/workflows/release.yml
R_PRERELEASE: ${{ github.event.inputs.prerelease }}
R_TITLE: ${{ needs.bump.outputs.version_plain }}
R_VERSION: ${{ needs.bump.outputs.version }}
run: |
Copy link
Copy Markdown
Member

@jkowalleck jkowalleck May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this needs manual testing

Copy link
Copy Markdown
Contributor Author

Copilot AI commented May 5, 2026

@copilot the pr description does not follow the pullrequest template. fix this

Updated the PR description to follow the template with the required ### Description, ### AI Tool Disclosure, and ### Affirmation sections.

Copilot AI requested a review from jkowalleck May 5, 2026 16:42
@jkowalleck jkowalleck merged commit b3bbf59 into main May 6, 2026
34 of 38 checks passed
@jkowalleck jkowalleck deleted the copilot/add-zizmor-to-workflows branch May 6, 2026 08:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jkowalleck jkowalleck Awaiting requested review from jkowalleck

Assignees

@jkowalleck jkowalleck

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

chore: Harden all GitHub Workflows using Zizmor

2 participants

@jkowalleck