COPP-8605: Deploy zizmor to open source repos #486
Lachlan Kidson (lachlankidson) wants to merge 5 commits into main from
Conversation
Pull request overview
This PR enhances GitHub Actions security by deploying zizmor security scanning and implementing stricter permissions across workflows.
Changes:
- Adds a new zizmor workflow for automated security analysis of GitHub Actions
- Updates all GitHub Actions to use pinned commit SHAs instead of version tags
- Implements a least-privilege permissions model with a top-level `permissions: {}` and job-level grants
- Configures dependabot cooldown periods to reduce update frequency
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/zizmor.yml | New workflow for automated GitHub Actions security scanning with zizmor |
| .github/workflows/release.yml | Pins action versions to commit SHAs, adds top-level empty permissions, and disables credential persistence |
| .github/workflows/label-check.yml | Changes trigger from pull_request_target to pull_request, adds empty permissions, and pins action version |
| .github/workflows/ci.yml | Adds empty permissions, disables credential persistence, and pins action versions to commit SHAs |
| .github/dependabot.yaml | Adds 7-day cooldown periods for npm and github-actions updates |
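To make the review summary concrete, here is an added illustration (not one of this PR's actual workflow files) of the settings it applies to a CI workflow: the `pull_request` trigger, a top-level `permissions: {}` with a job-level `contents: read`, an action pinned to a commit SHA, and `persist-credentials: false`. The `<FULL_COMMIT_SHA>` value is a placeholder for a real 40-character SHA, and the job body is assumed.

```yaml
# Added example, not from this PR. Comments show the zizmor findings the
# hardened settings address (dangerous-triggers, excessive-permissions,
# unpinned-uses).

# --- before: the shape zizmor flags ---
# on: pull_request_target          # dangerous-triggers: fork code runs with
#                                  # base-repo secrets and a write token
# permissions: write-all           # excessive-permissions
# steps:
#   - uses: actions/checkout@v4    # unpinned-uses: tag can be moved later
#     # persist-credentials defaults to true, so GITHUB_TOKEN stays in
#     # .git/config for every later step

# --- after: hardened form ---
name: ci

on:
  pull_request:            # fork PRs get a read-only token and no secrets
  push:
    branches: [main]

permissions: {}            # top level grants nothing; jobs opt in below

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read       # only what this job needs
    steps:
      # <FULL_COMMIT_SHA> is a placeholder; pin the real 40-char SHA and keep
      # the tag in a trailing comment so dependabot can update both.
      - uses: actions/checkout@<FULL_COMMIT_SHA> # v4.x.y
        with:
          persist-credentials: false  # do not leave the token in .git/config
      - run: npm ci && npm test     # assumed job body
```

The 7-day dependabot cooldown from the summary lives in `.github/dependabot.yaml` (`cooldown: default-days: 7`), not in the workflow file itself.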
on:
  pull_request_target:
  pull_request:
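Review bot: since this hunk is in label-check.yml, confirm that the job only reads labels after the move to `pull_request`. For pull requests from forks the GITHUB_TOKEN is read-only and secrets are not exposed, so any step that adds or removes labels would fail on fork PRs; if a write is required, keep it in a separate workflow that does not check out or execute fork code.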
Changing from pull_request_target to pull_request may be a security improvement, but could break functionality if this workflow needs access to secrets or write permissions for external PRs. The pull_request_target trigger runs in the context of the base repository with access to secrets, while pull_request runs in the context of the fork for external PRs. Verify that this workflow doesn't require secrets or elevated permissions when triggered by external contributors.
  pull_request:
  pull_request_target:
This is true, however please see docs.zizmor.sh/audits#dangerous-triggers and determine if this is a risk you are willing to accept. You will need to opt out of this rule if so.
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
cooldown:
  default-days: 7
You may want to tweak this value; 7 is the zizmor autofix default, see:
COPP-8605
This PR adds zizmor for GitHub Actions scanning on this repo's default branch.
Warning: New `permission` blocks were derived from the annotations of runs in similar repositories (e.g. Skyscanner/bpk-svgs#179), however this has not been tested for the release workflow. We suspect the permissions are the same, though if possible you may want to perform a release of a dev version to be sure.