Merged
2 changes: 2 additions & 0 deletions .github/workflows/check-dist.yml
@@ -32,6 +32,8 @@ jobs:
- name: Checkout
id: checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false

- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4

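Review bot: no `permissions:` block for check-dist.yml is visible alongside the `persist-credentials: false` change at lines 32-38, whereas ci.yml in this same PR gains `permissions: contents: read`. `persist-credentials: false` only stops the token from being written into `.git/config`; it does not narrow what GITHUB_TOKEN can do, so confirm check-dist.yml already declares a read-only token at the workflow or job level, and add one if it does not.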
7 changes: 7 additions & 0 deletions .github/workflows/ci.yml
@@ -7,6 +7,9 @@ on:
- main
- 'releases/*'

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.ref_name }}
cancel-in-progress: true
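Review bot: workflow-level `permissions: contents: read` at lines 10-11 hands a read token to every job in ci.yml, while release.yml and zizmor.yml in this PR use `permissions: {}` at the top and grant per job. Both satisfy a least-privilege audit for read-only jobs; consider the per-job form here too for consistency, so that a job added to ci.yml later starts with no token unless it asks for one.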
@@ -20,6 +23,8 @@ jobs:
- name: Checkout
id: checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false

# `mise.toml` pins both Node and aube; mise-action installs
# whatever's listed there. Reads `package-lock.json`
@@ -28,6 +33,8 @@ jobs:
# npm-flat (rollup's `--configPlugin` resolution
# requires this).
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
with:
cache: false

- name: Install Dependencies
id: aube-ci
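Review bot: the new `cache: false` on mise-action in the `-28,6 +33,8` hunk carries no comment saying why caching is disabled, while the lines directly above explain the mise.toml and package-lock.json interaction in detail. A one-line reason next to `cache: false` (staleness against the pinned toolchain, or a deliberate choice not to restore caches on `pull_request` runs) would keep the next maintainer from switching it back on.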
2 changes: 2 additions & 0 deletions .github/workflows/codeql-analysis.yml
@@ -35,6 +35,8 @@ jobs:
- name: Checkout
id: checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false

- name: Initialize CodeQL
id: initialize
1 change: 1 addition & 0 deletions .github/workflows/release-plz.yml
@@ -26,6 +26,7 @@ jobs:
fetch-depth: 0
submodules: recursive
token: ${{ secrets.RELEASE_PLZ_GITHUB_TOKEN }}
persist-credentials: false

Missing gh auth setup-git breaks git push in release-plz

High Severity

Adding persist-credentials: false to the checkout in release-plz.yml removes stored git credentials, but scripts/release-plz.sh calls git push origin release --force which requires them. Unlike scripts/postversion.sh, which was updated with gh auth setup-git to restore credential access, release-plz.sh has no equivalent workaround. This will cause the release automation to fail with a 403 on every git push.

Reviewed by Cursor Bugbot for commit d878aee.

- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
- run: mise run release-plz
env:
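Review bot: `persist-credentials: false` is added under a checkout that passes `token: ${{ secrets.RELEASE_PLZ_GITHUB_TOKEN }}`, so the PAT is now used for the clone only and is not left in `.git/config` for the later `mise run release-plz` step; the Cursor Bugbot comment above is right that nothing equivalent to postversion.sh's `gh auth setup-git` appears for scripts/release-plz.sh in this diff. Two consistent fixes: export the token to that step (the `env:` block is truncated in this view; a `GH_TOKEN: ${{ secrets.RELEASE_PLZ_GITHUB_TOKEN }}` entry would let `gh auth setup-git` work) and add the same setup-git call to release-plz.sh, or keep credentials persisted on this one checkout and document the exception for the zizmor audit.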
11 changes: 8 additions & 3 deletions .github/workflows/release.yml
@@ -5,19 +5,21 @@ on:
types: [closed]
branches: [main]

permissions:
contents: write
permissions: {}

jobs:
release:
if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'release')
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }}
persist-credentials: false

- name: Setup mise
uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
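Review bot: `token: ${{ secrets.GITHUB_TOKEN }}` on the checkout at line 21 is actions/checkout's default and can be dropped. More importantly, with `persist-credentials: false` the `contents: write` this job keeps is only useful if the token reaches the step that creates and pushes the tag; postversion.sh in this PR relies on `gh auth setup-git`, which needs `GH_TOKEN` or `GITHUB_TOKEN` in the step environment, and that `env:` is not in this hunk. Verify the release step exports it, otherwise the write permission is granted but unusable.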
@@ -30,15 +32,18 @@ jobs:
enhance-release:
needs: [release]
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
persist-credentials: false
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
- name: Enhance release notes with communique
run: |
TAG_NAME="v$(jq -r .version package.json)"
communique generate "$TAG_NAME" --github-release
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
GITHUB_TOKEN: ${{ secrets.RELEASE_PLZ_GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.RELEASE_PLZ_GITHUB_TOKEN }}
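Review bot: `permissions: contents: read` on enhance-release only constrains the automatic GITHUB_TOKEN, while the step that edits the release (`communique generate "$TAG_NAME" --github-release`) runs with `GITHUB_TOKEN: ${{ secrets.RELEASE_PLZ_GITHUB_TOKEN }}`, a PAT that job-level permissions do not limit. That is workable, but add a comment saying the PAT is deliberate and why it is used instead of the default token with `contents: write`, so the read-only grant is not mistaken for a real restriction on what this job can write. The duplicated `GITHUB_TOKEN:` line pair at the end of the hunk is a whitespace-only change.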
5 changes: 5 additions & 0 deletions .github/workflows/test-redacted-env.yml
@@ -7,12 +7,17 @@ on:
branches: [main]
workflow_dispatch:

permissions:
contents: read

jobs:
test-redacted-env:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false

- name: Create test mise config with sensitive values
run: |
19 changes: 18 additions & 1 deletion .github/workflows/test.yml
@@ -8,6 +8,9 @@ on: # rebuild any PRs and main branch changes
- main
workflow_dispatch:

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.ref_name }}
cancel-in-progress: true
@@ -17,6 +20,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
- run: aube install
- run: aubr all
@@ -43,6 +48,8 @@ jobs:
if: ${{ matrix.requirements }}
run: ${{ matrix.requirements }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Setup mise
uses: ./
with:
@@ -65,6 +72,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Setup mise
uses: ./
with:
@@ -90,6 +99,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Setup mise
id: bad
uses: ./
@@ -107,14 +118,18 @@ jobs:
if: ${{ steps.bad.outcome == 'failure' }}
- name: not failed as expected
run: |
echo "Expected failure but the job was ${{ steps.bad.outcome }}"
echo "Expected failure but the job was ${STEPS_BAD_OUTCOME}"
exit 1
if: ${{ steps.bad.outcome != 'failure' }}
env:
STEPS_BAD_OUTCOME: ${{ steps.bad.outcome }}

custom_cache_key:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Setup mise with custom cache key
uses: ./
with:
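Review bot: moving `${{ steps.bad.outcome }}` out of the `run:` script and into `env.STEPS_BAD_OUTCOME` in the `-107,14 +118,18` hunk is the right shape for zizmor's template-injection audit, since the expression value is no longer spliced into shell source before the shell parses it. `steps.*.outcome` is a fixed vocabulary, so the risk here was nil, but the pattern is correct; for consistency the `run: ${{ matrix.requirements }}` line visible in the `-43,6 +48,8` hunk context still interpolates a matrix value directly and could use the same env-variable treatment.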
@@ -132,6 +147,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Setup mise from mise.jdx.dev
uses: ./
with:
22 changes: 22 additions & 0 deletions .github/workflows/zizmor.yml
@@ -0,0 +1,22 @@
name: zizmor
on:
push:
branches: [main]
paths: ['.github/workflows/**']
pull_request:
paths: ['.github/workflows/**']

permissions: {}

jobs:
zizmor:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
with:
advanced-security: false
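Review bot: `advanced-security: false` means zizmor findings stay in the job log rather than being uploaded to code scanning, so a new finding surfaces only as a failed check with no tracked alert; acceptable, but worth a comment so nobody expects alerts to appear. The `paths:` filters on both triggers cover only `.github/workflows/**`; since this repository is itself an action (test.yml invokes it with `uses: ./`), consider adding the action definition file (`action.yml` or `action.yaml`) to both `paths:` lists so the audit also re-runs when the action's own metadata changes, if zizmor is expected to audit action files in this setup.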
5 changes: 5 additions & 0 deletions scripts/postversion.sh
@@ -4,6 +4,11 @@ set -euxo pipefail
VERSION=$(jq -r .version package.json)
MAJOR_VERSION=$(echo "$VERSION" | cut -d. -f1)

# Configure git to use gh's credential helper. The checkout step uses
# persist-credentials: false (per zizmor's artipacked audit), so the
# token isn't written to .git/config and raw `git push` would 403.
gh auth setup-git

# create the version tag (allow it to fail if it already exists)
git tag "v$VERSION" || echo "Tag v$VERSION already exists locally"

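Review bot: `gh auth setup-git` at line 10 only installs a working credential helper if gh is already authenticated in the step, which on a runner means `GH_TOKEN` or `GITHUB_TOKEN` exported in the step's `env:`; the script neither checks for that nor mentions it in the comment, so a missing token surfaces later as the same 403 on `git push` the comment is trying to prevent. Suggest the comment name the env requirement, and a fast fail right before the call, for example `gh auth status >/dev/null 2>&1 || { echo "gh is not authenticated; export GH_TOKEN" >&2; exit 1; }`, so the cause is reported at the point of failure rather than at the push.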