From 68d2139e7b353de29efb557de02766fe8f632df9 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 1 Jul 2026 18:33:25 +0000 Subject: [PATCH] ci: port zizmor audit hardening to next (backport of #4200) Applies the GitHub Actions security hardening from #4200 (main) to the next branch's reworked workflows: - Add top-level least-privilege `permissions: {}` to ci.yml, release.yml and gh-pages.yml, with scoped `permissions:` on jobs that need write access (the release publish job's existing contents/id-token trusted publishing permissions are preserved). - Add `persist-credentials: false` to every actions/checkout step. - Avoid expression injection in the release step by passing the version through an environment variable. - Mark the add-to-project pull_request_target trigger with a zizmor dangerous-triggers ignore. - Add a dependabot cooldown (default-days: 7). Co-authored-by: Samuel Attard Co-authored-by: David Sanders --- .github/dependabot.yml | 2 ++ .github/workflows/add-to-project.yml | 2 +- .github/workflows/ci.yml | 8 ++++++++ .github/workflows/gh-pages.yml | 5 +++++ .github/workflows/release.yml | 10 +++++++++- 5 files changed, 25 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index bc63aca35b..1bc0eb3ff2 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,3 +4,5 @@ updates: directory: '/' schedule: interval: 'monthly' + cooldown: + default-days: 7 diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml index 5879ad3efb..677d49a694 100644 --- a/.github/workflows/add-to-project.yml +++ b/.github/workflows/add-to-project.yml @@ -4,7 +4,7 @@ on: issues: types: - opened - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] types: - opened diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6c12508883..2a396cb75a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,6 +12,8 @@ on: types: [checks_requested] workflow_call: +permissions: {} + concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} @@ -25,6 +27,8 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -72,6 +76,8 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -149,6 +155,8 @@ jobs: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 89f73d436c..6c863978c7 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -6,9 +6,13 @@ on: tags: - v7.** +permissions: {} + jobs: deploy: runs-on: ubuntu-latest + permissions: + contents: read concurrency: group: ${{ github.workflow }}-${{ github.ref }} steps: @@ -23,6 +27,7 @@ jobs: submodules: true fetch-depth: 0 token: ${{ steps.generate-token.outputs.token }} + persist-credentials: false - name: Get short SHA for HEAD id: get-short-sha diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 924e048d39..a2f3f2cd68 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,10 +5,14 @@ on: branches: - next +permissions: {} + jobs: check-release-criteria: name: Check Release Criteria runs-on: ubuntu-latest + permissions: + contents: read outputs: should_release: ${{ steps.check.outputs.should_release }} steps: @@ -16,6 +20,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 2 + persist-credentials: false - name: Check release criteria id: check @@ -94,6 +99,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 @@ -123,4 +130,5 @@ jobs: - name: Create GitHub release env: GH_TOKEN: ${{ fromJSON(steps.secret-service.outputs.secrets).GITHUB_TOKEN }} - run: gh release create "v${{ steps.version.outputs.version }}" --target ${{ github.sha }} --generate-notes --prerelease + STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }} + run: gh release create "v${STEPS_VERSION_OUTPUTS_VERSION}" --target ${{ github.sha }} --generate-notes --prerelease