1
0
Fork 0
mirror of https://github.com/chainguard-dev/clog synced 2026-07-06 22:12:46 +00:00

fix(ci): add persist-credentials: false and zizmor pedantic config (#69)

## Summary

This patch series addresses GitHub Actions security findings in
`chainguard-dev/clog`
as part of the PSEC-923 hardening campaign.

## Patches

### 0001 — `fix(ci): add persist-credentials: false to checkout steps`

Adds `persist-credentials: false` to the `actions/checkout` step in:

- `.github/workflows/go.yml` — build/test job; no downstream git write
operations

The `zizmor.yaml` and `actionlint.yaml` workflows already had
`persist-credentials: false`
on their checkout steps. This patch completes coverage for the remaining
workflow.

Resolves: 1 `artipacked` finding (zizmor)

### 0002 — `fix(ci): add pedantic persona and suppress noisy zizmor
rules`

- Creates `.github/zizmor.yml` disabling three pedantic-only rules that
have no direct
security value (`anonymous-definition`, `concurrency-limits`) and
configuring
  `dependabot-cooldown` to use a 3-day threshold.
- Updates `.github/workflows/zizmor.yaml` to run zizmor with `persona:
pedantic` so
  that all template expansions in `run:` blocks are checked, not just
  attacker-controlled ones.
- Extends the `paths:` trigger in `zizmor.yaml` to include
`.github/zizmor.yml` and
`.github/dependabot.yml`, so that changes to those files trigger the
zizmor check.

Resolves: 3 `concurrency-limits` findings, 1 `anonymous-definition`
finding,
2 `dependabot-cooldown` findings (all suppressed via config)

## Testing

- Validate that the zizmor workflow runs on PRs touching
`.github/zizmor.yml` and
  `.github/dependabot.yml`.
- Confirm zizmor passes in pedantic mode with the new
`.github/zizmor.yml` suppression
  config in place.

Refs: PSEC-923
This commit is contained in:
Steve Beattie 2026-05-05 09:23:50 -07:00 committed by GitHub
parent a29ba6665f
commit e522bdd603
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 16 additions and 0 deletions

View file

@ -24,6 +24,8 @@ jobs:
egress-policy: audit egress-policy: audit
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false
- name: Set up Go - name: Set up Go
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0

View file

@ -9,11 +9,15 @@ on:
paths: paths:
- '.github/workflows/**' - '.github/workflows/**'
- '.github/actions/**' - '.github/actions/**'
- '.github/zizmor.yml'
- '.github/dependabot.yml'
push: push:
branches: ['main'] branches: ['main']
paths: paths:
- '.github/workflows/**' - '.github/workflows/**'
- '.github/actions/**' - '.github/actions/**'
- '.github/zizmor.yml'
- '.github/dependabot.yml'
permissions: {} permissions: {}
@ -42,3 +46,5 @@ jobs:
- name: Run zizmor - name: Run zizmor
uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
with:
persona: pedantic

8
.github/zizmor.yml vendored Normal file
View file

@ -0,0 +1,8 @@
rules:
dependabot-cooldown:
config:
days: 3
anonymous-definition:
disable: true
concurrency-limits:
disable: true