ci(workflow): Add zizmor linter and harden GitHub Actions security #1212
- Rename lint-action to lint-actionlint for consistency
- Add lint-zizmor job using zizmorcore/zizmor-action (SHA-pinned)
- Add timeout-minutes to both jobs
- zizmor provides security-focused static analysis for GitHub Actions workflows, detecting issues like pull_request_target misuse, expression injection, and overly permissive permissions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fix all findings from actionlint and zizmor security linters:
- Add persist-credentials: false to all checkout steps across 14 workflows
- Fix template injection in repomix action by using env vars instead of ${{ inputs.* }}
- Pin Homebrew actions to SHA (50b8c2ab) instead of @main tag
- Add zizmor config to ignore artipacked for schema-update.yml (needs credentials for push)
- Add zizmor linter job and config path to ci.yml
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
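The template-injection fix described in the commit message above (environment variables instead of `${{ inputs.* }}` inside `run:`), shown as an added example of a composite action. This is illustrative code, not the repomix action's own action.yml: the input name `include`, the step names and the `npx repomix --include` command are assumptions.

```yaml
# Added example (not the repository's .github/actions/repomix/action.yml).
# Input name, step names and the command are assumed for illustration.
name: 'Run repomix'
description: 'Composite action showing unsafe vs. safe handling of an input'
inputs:
  include:
    description: 'Glob of files to include'
    required: false
    default: 'src/**'
runs:
  using: 'composite'
  steps:
    # UNSAFE (what zizmor reports as template-injection): the runner expands
    # ${{ inputs.include }} into the script *text* before bash ever parses it,
    # so a value containing a quote or a semicolon changes the command line
    # instead of staying a single argument. Kept only for comparison and
    # disabled with `if: false` so it never executes.
    - name: Run repomix (unsafe, disabled)
      if: false
      shell: bash
      run: npx repomix --include "${{ inputs.include }}"

    # SAFE: the runner places the value in an environment variable and bash
    # expands "$INCLUDE" as data. Whatever the input contains, it reaches
    # repomix as exactly one argument.
    - name: Run repomix (safe)
      shell: bash
      env:
        INCLUDE: ${{ inputs.include }}
      run: npx repomix --include "$INCLUDE"
```

The same rule applies to every expression that can carry attacker-influenced data (`github.event.*`, `github.head_ref`, any `inputs.*` exposed to a pull request): quote it in `env:` and reference it from the script as `"$VAR"`, never interpolate it into `run:`.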
Deploying repomix with Cloudflare Pages

| Latest commit: | ba16033 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://675d8689.repomix.pages.dev |
| Branch Preview URL: | https://ci-add-zizmor-workflow-linte.repomix.pages.dev |
Walkthrough: This PR implements security-focused credential handling improvements across multiple GitHub Actions workflows by disabling credential persistence, introduces a new zizmor linting job in the CI workflow, refactors the repomix action to use environment variables for input substitution, pins Homebrew workflow actions to a specific commit, and adds a configuration rule to exclude schema-update.yml from zizmor processing.
Codecov Report: ✅ All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
## main #1212 +/- ##
=======================================
Coverage 87.14% 87.14%
=======================================
Files 115 115
Lines 4310 4310
Branches 998 998
=======================================
Hits 3756 3756
Misses 554 554
Code Review
This pull request effectively hardens the GitHub Actions workflows by introducing security linters and addressing their findings, such as preventing template injection in repomix/action.yml by using environment variables. The changes are well-aligned with security best practices. I've added a couple of suggestions to further improve the robustness of the repomix action by addressing fragile argument parsing, which can lead to incorrect behavior when inputs contain spaces.
Add actionlint + zizmor security linters to CI and fix all findings across workflows.
Changes
New CI jobs
- lint-zizmor job using zizmorcore/zizmor-action@v0.5.0 (SHA-pinned)
- lint-action → lint-actionlint for clarity

Security hardening (zizmor findings)
- persist-credentials: false on all actions/checkout steps across 14 workflows
- Fix template injection in .github/actions/repomix/action.yml by converting ${{ inputs.* }} to environment variables
- Pin Homebrew/actions/*@main to SHA 50b8c2ab to prevent tag-rewriting supply chain attacks
- Add .github/zizmor.yml config to ignore artipacked for schema-update.yml (needs credentials for git-auto-commit-action push)

Checklist
- npm run test
- npm run lint

🤖 Generated with Claude Code
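The remaining hardening items from the description above (persist-credentials: false on checkout, a full commit SHA instead of a movable @main tag, least-privilege token permissions with a job timeout, and a per-workflow artipacked exemption in .github/zizmor.yml), as an added example. This is not one of the repository's 14 workflows: the workflow name, the Homebrew subaction and the commit SHAs (written as placeholders) are assumptions, and the real 40-character SHAs must be substituted before use.

```yaml
# ---- file: .github/workflows/example.yml (added example, not a repo workflow) ----
name: example
on:
  pull_request:
# Least privilege: the job's GITHUB_TOKEN can only read the repository.
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      # actions/checkout stores the job's GITHUB_TOKEN in .git/config by default
      # so later steps can push. persist-credentials: false stops that, so the
      # token cannot end up in an uploaded artifact or be read by a later step
      # (zizmor audit: artipacked).
      - uses: actions/checkout@<40-hex-commit-sha>   # placeholder: pin to a real SHA
        with:
          persist-credentials: false

      # Pin third-party actions to a full commit SHA with the human-readable
      # tag kept as a comment. A tag or branch such as @main can be repointed
      # at different code after review; a commit SHA cannot.
      - uses: Homebrew/actions/setup-homebrew@<40-hex-commit-sha>   # placeholder; subaction name assumed

---
# ---- file: .github/zizmor.yml (zizmor's default config location) ----
# Exempt one workflow from one audit rather than disabling the audit globally.
# Entries are workflow basenames; a `file.yml:line:col` entry narrows the
# exemption to a single finding.
rules:
  artipacked:
    ignore:
      - schema-update.yml   # deliberately keeps credentials for its push step
```

Keeping the exemption in the config file, next to the reason for it, means the next person who runs the linter sees a documented decision rather than silence, and every other workflow still fails the audit if a checkout step loses its persist-credentials: false.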