mirror of
https://github.com/chainguard-dev/clog
synced 2026-07-06 22:12:46 +00:00
## Summary This patch series addresses GitHub Actions security findings in `chainguard-dev/clog` as part of the PSEC-923 hardening campaign. ## Patches ### 0001 — `fix(ci): add persist-credentials: false to checkout steps` Adds `persist-credentials: false` to the `actions/checkout` step in: - `.github/workflows/go.yml` — build/test job; no downstream git write operations The `zizmor.yaml` and `actionlint.yaml` workflows already had `persist-credentials: false` on their checkout steps. This patch completes coverage for the remaining workflow. Resolves: 1 `artipacked` finding (zizmor) ### 0002 — `fix(ci): add pedantic persona and suppress noisy zizmor rules` - Creates `.github/zizmor.yml` disabling three pedantic-only rules that have no direct security value (`anonymous-definition`, `concurrency-limits`) and configuring `dependabot-cooldown` to use a 3-day threshold. - Updates `.github/workflows/zizmor.yaml` to run zizmor with `persona: pedantic` so that all template expansions in `run:` blocks are checked, not just attacker-controlled ones. - Extends the `paths:` trigger in `zizmor.yaml` to include `.github/zizmor.yml` and `.github/dependabot.yml`, so that changes to those files trigger the zizmor check. Resolves: 3 `concurrency-limits` findings, 1 `anonymous-definition` finding, 2 `dependabot-cooldown` findings (all suppressed via config) ## Testing - Validate that the zizmor workflow runs on PRs touching `.github/zizmor.yml` and `.github/dependabot.yml`. - Confirm zizmor passes in pedantic mode with the new `.github/zizmor.yml` suppression config in place. Refs: PSEC-923
50 lines
1.3 KiB
YAML
50 lines
1.3 KiB
YAML
# Copyright 2026 Chainguard, Inc.
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
name: Zizmor
|
|
|
|
on:
|
|
pull_request:
|
|
branches: ['main']
|
|
paths:
|
|
- '.github/workflows/**'
|
|
- '.github/actions/**'
|
|
- '.github/zizmor.yml'
|
|
- '.github/dependabot.yml'
|
|
push:
|
|
branches: ['main']
|
|
paths:
|
|
- '.github/workflows/**'
|
|
- '.github/actions/**'
|
|
- '.github/zizmor.yml'
|
|
- '.github/dependabot.yml'
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
zizmor:
|
|
name: Zizmor
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
actions: read # Required by codeql-action/upload-sarif to get workflow run info
|
|
contents: read # Clone the repository
|
|
security-events: write # Upload SARIF results to Code Scanning
|
|
steps:
|
|
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
|
|
with:
|
|
egress-policy: block
|
|
allowed-endpoints: >
|
|
api.github.com:443
|
|
github.com:443
|
|
pkg-containers.githubusercontent.com:443
|
|
ghcr.io
|
|
|
|
- name: Check out code
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Run zizmor
|
|
uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
|
|
with:
|
|
persona: pedantic
|