dangerous-triggers: change persona when permissions are constrained?

[woodruffw]

Filing this so I don't forget about it. Needs more thought.

The risk of a pull_request_target or similar is significantly diminished when permissions: {} or similarly constrained. We should consider emitting a "pedantic" or "auditor"-only finding in these cases.

h/t @MikeMcQuaid for raising 🙂

[MikeMcQuaid]

Perhaps somewhat related: pull_request_target that never actually uses e.g. actions/checkout to checkout the relevant code.

[Holzhaus]

Whe might also allowlist the "official" issue/PR labeler that the GitHub suggests: https://github.com/actions/labeler?tab=readme-ov-file#create-workflow

So if there is only one step, and that step uses: actions/labeler we could reduce the severity.

[woodruffw]

Whe might also allowlist the "official" issue/PR labeler that the GitHub suggests: actions/labeler#create-workflow

So if there is only one step, and that step uses: actions/labeler we could reduce the severity.

Yep. There's a whole slew of these, which effectively generalize into "stencils"/patterns that zizmor should know about as exceptions to general audits. I'm open to ideas on best to express these in a way that's composable across multiple audits 🙂