ci: port zizmor audit hardening to next (backport of #4200) #4310
Merged
MarshallOfSound approved these changes · Jul 1, 2026
Applies the GitHub Actions security hardening from #4200 (main) to the next branch's reworked workflows:

- Add top-level least-privilege `permissions: {}` to ci.yml, release.yml and gh-pages.yml, with scoped `permissions:` on jobs that need write access (the release publish job's existing contents/id-token trusted publishing permissions are preserved).
- Add `persist-credentials: false` to every actions/checkout step.
- Avoid expression injection in the release step by passing the version through an environment variable.
- Mark the add-to-project pull_request_target trigger with a zizmor dangerous-triggers ignore.
- Add a dependabot cooldown (default-days: 7).

Co-authored-by: Samuel Attard <sattard@anthropic.com>
Co-authored-by: David Sanders <dsanders11@ucsbalum.com>
468d1f9 to 68d2139
erickzhao approved these changes · Jul 2, 2026
Requested by Samuel Attard · Slack thread
This is a backport of the GitHub Actions security hardening done on `main` in #4200 ("ci: fix zizmor audit findings"). The `next` branch never received that hardening because its workflows were reworked for Forge 8 (ESM, oxc, restructured jobs), so a literal cherry-pick would not apply. The equivalent hardening has been applied to `next`'s current workflow files instead.

**Before:** Workflows on `next` ran with GitHub's default, broadly-scoped `GITHUB_TOKEN` permissions, and every `actions/checkout` step persisted its credentials into the local git config (`persist-credentials` defaulted to `true`). The release step also interpolated a step output directly into a shell command.

**After:** Each workflow declares a top-level least-privilege `permissions: {}` and only grants scoped write access on the specific jobs that need it. Every checkout runs with `persist-credentials: false`, and the release version is passed through an environment variable rather than interpolated into the shell command.

**How:**

- `ci.yml`, `release.yml`, `gh-pages.yml`: added a top-level `permissions: {}` block; added scoped `permissions:` (e.g. `contents: read`) on jobs that previously relied on default permissions. The `publish` job's existing trusted-publishing permissions (`contents: write`, `id-token: write`) are preserved untouched.
- `persist-credentials: false`: added to the `with:` of every `actions/checkout` step across `ci.yml` (3 steps), `release.yml` (2 steps), and `gh-pages.yml` (1 step).
- `release.yml`: passed the release version via a `STEPS_VERSION_OUTPUTS_VERSION` env var into the `gh release create` command instead of inline `${{ ... }}` interpolation, mirroring #4200.
- `add-to-project.yml`: marked the `pull_request_target` trigger with `# zizmor: ignore[dangerous-triggers]` (matching #4200 and `next`'s existing `labeler.yml`).
- `dependabot.yml`: added a `cooldown` stanza with `default-days: 7`, matching #4200.

Action version pins and existing job structure were left unchanged; no action versions were downgraded. Workflows that already declared appropriate permissions and had no checkout step (`labeler.yml`, `semantic.yml`, `stale.yml`) were not touched, and `add-to-project.yml` already had `permissions: {}`.

**Summarize your changes:** Backport of the #4200 zizmor security hardening to `next`'s reworked workflows: least-privilege `permissions`, `persist-credentials: false` on all checkouts, injection-safe release step, and a dependabot cooldown.

Generated by Claude Code
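The release-step change above is the one item in this PR that is easiest to misjudge as cosmetic, so here is an added, stand-alone demonstration of why it matters. This is example code written for this page, not the project's workflow file or anything from #4200. It emulates the runner's behaviour in plain POSIX sh: `${{ ... }}` is replaced by the value's text before the shell ever parses the `run:` script, whereas a value passed through `env:` is expanded by the shell as a single word. The `gh` function is a local stand-in for `gh release create` so nothing touches the network, the `MALICIOUS_VERSION` string is constructed for the example, and the assumption that an attacker-influenced string could reach a step output (via a tag name, branch name or similar) is exactly the assumption zizmor's template-injection audit makes.

```shell
#!/bin/sh
# Added example, not code from the electron-forge repository: simulates the
# vulnerable and hardened shapes of a `gh release create` step.

# Constructed attacker-controlled "version" value (assumption: some upstream
# input can influence the step output that feeds the release step).
MALICIOUS_VERSION='1.0.0"; echo PWNED; echo "'

# Offline stand-in for `gh release create <tag> ...`: reports how many
# arguments it received and what it would treat as the release tag.
gh() { printf 'gh argc=%d tag=%s\n' "$#" "$3"; }

# Vulnerable shape, equivalent to:
#   run: gh release create "${{ steps.version.outputs.version }}" --generate-notes
# The runner splices the value into the script text; the shell then parses
# whatever that text became. Emulated here with string splicing + eval.
run_inline() {
  script="gh release create \"$1\" --generate-notes"
  eval "$script"
}

# Hardened shape, equivalent to the PR's:
#   env:
#     STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
#   run: gh release create "$STEPS_VERSION_OUTPUTS_VERSION" --generate-notes
# The script text is fixed; the shell expands the quoted variable as one
# argument, so metacharacters in the value are never interpreted.
run_env() {
  STEPS_VERSION_OUTPUTS_VERSION="$1"
  script='gh release create "$STEPS_VERSION_OUTPUTS_VERSION" --generate-notes'
  eval "$script"
}

# Demo when executed directly: the inline form runs the injected `echo PWNED`
# and loses `--generate-notes`; the env form hands the whole string to gh as
# a single (odd-looking but harmless) tag argument.
echo '--- inline interpolation (vulnerable):'
run_inline "$MALICIOUS_VERSION"
echo '--- env var (hardened):'
run_env "$MALICIOUS_VERSION"
```

Note that the hardened form does not sanitise the value; it only keeps it out of the shell's parser. If the tag must also satisfy a format (for example semver), validate it in the step as well. The same env-var pattern applies to any `${{ github.event.* }}`, `${{ inputs.* }}` or step-output value used inside a `run:` block.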