
ci: port zizmor audit hardening to next (backport of #4200)#4310

Merged: erickzhao merged 1 commit into next from port-zizmor-hardening on Jul 2, 2026

Conversation

claude (Bot, Contributor) commented Jul 1, 2026

Requested by Samuel Attard · Slack thread

This is a backport of the GitHub Actions security hardening done on main in #4200 ("ci: fix zizmor audit findings"). The next branch never received that hardening because its workflows were reworked for Forge 8 (ESM, oxc, restructured jobs), so a literal cherry-pick would not apply. The equivalent hardening has been applied to next's current workflow files instead.

Before: Workflows on next ran with GitHub's default, broadly-scoped GITHUB_TOKEN permissions, and every actions/checkout step persisted its credentials into the local git config (persist-credentials defaulted to true). The release step also interpolated a step output directly into a shell command.

After: Each workflow declares a top-level least-privilege permissions: {} and only grants scoped write access on the specific jobs that need it. Every checkout runs with persist-credentials: false, and the release version is passed through an environment variable rather than interpolated into the shell command.

How:

  • ci.yml, release.yml, gh-pages.yml: added a top-level permissions: {} block; added scoped permissions: (e.g. contents: read) on jobs that previously relied on default permissions. The publish job's existing trusted-publishing permissions (contents: write, id-token: write) are preserved untouched.
  • Added persist-credentials: false to the with: of every actions/checkout step across ci.yml (3 steps), release.yml (2 steps), and gh-pages.yml (1 step).
  • release.yml: passed the release version via a STEPS_VERSION_OUTPUTS_VERSION env var into the gh release create command instead of inline ${{ ... }} interpolation, mirroring #4200 (ci: fix zizmor audit findings).
  • add-to-project.yml: marked the pull_request_target trigger with # zizmor: ignore[dangerous-triggers] (matching #4200 and next's existing labeler.yml).
  • dependabot.yml: added a cooldown stanza with default-days: 7, matching #4200.

Action version pins and existing job structure were left unchanged; no action versions were downgraded. Workflows that already declared appropriate permissions and had no checkout step (labeler.yml, semantic.yml, stale.yml) were not touched, and add-to-project.yml already had permissions: {}.

  • I have read the contribution documentation for this project.
  • I agree to follow the code of conduct that this project follows, as appropriate.
  • The changes are appropriately documented (if applicable).
  • The changes have sufficient test coverage (if applicable).
  • The testsuite passes successfully on my local machine (if applicable).

Summarize your changes: Backport of the #4200 zizmor security hardening to next's reworked workflows: least-privilege permissions, persist-credentials: false on all checkouts, injection-safe release step, and a dependabot cooldown.


Generated by Claude Code
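The hardened workflow shape the description refers to, written out as an added illustration rather than the PR's own diff; the job and step names, the `version` step output, the `v*` tag scheme, the `actions/checkout@v4` pin and the `GH_TOKEN` binding are assumptions, not taken from next's files:

```yaml
# Added example of the hardening pattern described in the PR, not its diff.
# Job/step names, the `version` output, tag scheme and pins are assumed.
name: release
on:
  push:
    tags: ['v*']

# Before: no top-level block, so every job got GitHub's default token scope.
# After: deny everything here and re-grant the minimum on each job.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read               # scoped grant replacing the implicit default
    steps:
      - uses: actions/checkout@v4  # assumed pin; the PR left pins unchanged
        with:
          persist-credentials: false   # keep the token out of .git/config
      - run: npm ci && npm test

  publish:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write              # needed to create the release
      id-token: write              # trusted publishing, preserved per the PR
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - id: version                # assumed step id and output name
        run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
      # Before: run: gh release create "v${{ steps.version.outputs.version }}"
      #   ${{ }} is expanded by the runner before bash parses the line, so
      #   whatever the step output contains becomes part of the command text.
      # After: bind the output to an env var; bash then reads it as data only.
      - env:
          GH_TOKEN: ${{ github.token }}
          STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
        run: gh release create "v$STEPS_VERSION_OUTPUTS_VERSION" --generate-notes
```

Running `zizmor` against a file in this shape reports neither the template-injection nor the excessive-permissions findings that the pre-hardening form triggers; the dependabot cooldown stanza lives in a separate `dependabot.yml` and is not shown here.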

@github-actions github-actions Bot added the next label Jul 1, 2026
@MarshallOfSound MarshallOfSound marked this pull request as ready for review July 1, 2026 18:35
@MarshallOfSound MarshallOfSound requested a review from a team as a code owner July 1, 2026 18:35
Applies the GitHub Actions security hardening from #4200 (main) to the
next branch's reworked workflows:

- Add top-level least-privilege `permissions: {}` to ci.yml, release.yml
  and gh-pages.yml, with scoped `permissions:` on jobs that need write
  access (the release publish job's existing contents/id-token trusted
  publishing permissions are preserved).
- Add `persist-credentials: false` to every actions/checkout step.
- Avoid expression injection in the release step by passing the version
  through an environment variable.
- Mark the add-to-project pull_request_target trigger with a zizmor
  dangerous-triggers ignore.
- Add a dependabot cooldown (default-days: 7).

Co-authored-by: Samuel Attard <sattard@anthropic.com>
Co-authored-by: David Sanders <dsanders11@ucsbalum.com>
@claude claude Bot force-pushed the port-zizmor-hardening branch from 468d1f9 to 68d2139 on July 2, 2026 17:22
@erickzhao erickzhao merged commit aa3af19 into next Jul 2, 2026
13 checks passed
@erickzhao erickzhao deleted the port-zizmor-hardening branch July 2, 2026 17:39