
Conversation

@brynary (Member) commented Nov 29, 2025

Summary

Fixes several zizmor security warnings in GitHub Actions workflows:

  • excessive-permissions in test fixtures - Added permissions: {} to actionlint and zizmor test fixture files
  • secrets-inherit - Replaced secrets: inherit with explicit secret passing in release.yml and build.yml (added secrets declarations to workflow_call sections)
  • template-injection - Fixed in prepare_release.yml by moving user input to env var
  • obfuscation - Fixed in release.yml by replacing dead code expression with empty string
  • unpinned-images - Pinned container images to SHA256 digests in cli_integration.yml and installer_test.yml

Note on unpinned-images

The unpinned-images fix pins the actual image values in the matrix, but zizmor still reports warnings because it cannot trace through matrix variable expansion (${{ matrix.container }}). This needs further review to determine if we should:

  • Add zizmor ignore comments
  • Restructure workflows to avoid matrix for containers
  • Accept as false positives

Test plan

  • Verify workflows run successfully
  • Check zizmor output for remaining warnings

🤖 Generated with Claude Code
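As an added, constructed example (not the project's own workflow files, which this page does not show), the patterns the description names are written out below as a caller workflow and a reusable workflow separated by `---`: a top-level `permissions: {}`, explicit `secrets:` declarations on `workflow_call` instead of `secrets: inherit`, a user-controlled input routed through an env var rather than interpolated into the `run` script, and a container image pinned by digest. The workflow names, the `PUBLISH_TOKEN` secret and the digest placeholder are assumptions.

```yaml
# release.yml (constructed caller workflow)
name: release
on:
  workflow_dispatch:
    inputs:
      version: { type: string, required: true }   # user-controlled
permissions: {}                 # no default GITHUB_TOKEN scopes; jobs opt in
jobs:
  prepare:
    runs-on: ubuntu-latest
    steps:
      # template-injection: `run: echo "v${{ inputs.version }}"` would splice the
      # input into the script before the shell parses it. Passing it through an
      # env var keeps it as data, so the shell only ever sees a variable.
      - env:
          VERSION: ${{ inputs.version }}
        run: echo "Preparing release v$VERSION"
  build:
    needs: prepare
    permissions:
      contents: read              # the callee can only downgrade what it is given
    uses: ./.github/workflows/build.yml
    with:
      version: ${{ inputs.version }}
    secrets:                    # explicit passing instead of `secrets: inherit`
      PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
---
# build.yml (constructed reusable workflow)
name: build
on:
  workflow_call:
    inputs:
      version: { type: string, required: true }
    secrets:
      PUBLISH_TOKEN: { required: true }   # the only secret this workflow can see
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    container:
      # unpinned-images: pin by digest, not a mutable tag (placeholder digest)
      image: ghcr.io/example/builder@sha256:<DIGEST_PLACEHOLDER>
    steps:
      - env:
          VERSION: ${{ inputs.version }}
          PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
        run: ./build.sh "$VERSION"
```

As the description notes, a scanner that resolves `${{ matrix.container }}` only at the expression level will still flag a digest-pinned image once it is supplied through a matrix; the direct `container.image` form above is the shape it can check.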

@github-actions (Contributor) commented

No issue mentions found. Please mention an issue in the pull request description.

Use GitHub automation to close the issue when a PR is merged

@qltysh bot (Contributor) commented Nov 29, 2025

Diff Coverage for ubuntu-latest: Not applicable. There was no coverage data reported for the files in this diff.

Total Coverage for ubuntu-latest: This PR will not change total coverage.

🛟 Help
  • Diff Coverage: Coverage for added or modified lines of code (excludes deleted files). Learn more.

  • Total Coverage: Coverage for the whole repository, calculated as the sum of all File Coverage. Learn more.

  • File Coverage: Covered Lines divided by Covered Lines plus Missed Lines. (Excludes non-executable lines including blank lines and comments.)

    • Indirect Changes: Changes to File Coverage for files that were not modified in this PR. Learn more.

@qltysh bot (Contributor) commented Nov 29, 2025

Diff Coverage for macos-15: Not applicable. There was no coverage data reported for the files in this diff.

Total Coverage for macos-15: This PR will not change total coverage.

