Skip to content

ci: harden github actions workflows against zizmor warnings#438

Merged
timothyfroehlich merged 2 commits into
google:mainfrom
timothyfroehlich:froeht/harden-workflows
Jun 25, 2026
Merged

ci: harden github actions workflows against zizmor warnings#438
timothyfroehlich merged 2 commits into
google:mainfrom
timothyfroehlich:froeht/harden-workflows

Conversation

@timothyfroehlich

@timothyfroehlich timothyfroehlich commented Jun 25, 2026

Copy link
Copy Markdown
Member

Description

This PR implements security hardening across all GitHub Actions workflows in the repository to align with modern security best practices and prevent potential supply chain or CI/CD vulnerabilities.

Changes

  1. Enforce Principle of Least Privilege (Granular Permissions):

    • Added explicit top-level permissions blocks to all workflows to restrict the default scope of the GITHUB_TOKEN.
    • Restricted all workflows to contents: read by default.
    • Granted pull-requests: read only to the CI workflow, which is specifically required by dorny/paths-filter to fetch file diffs via the GitHub API for pull requests.
  2. Disable Git Credential Persistence:

    • Set persist-credentials: false on all actions/checkout steps across all 5 workflows. This ensures the GITHUB_TOKEN is not stored in the runner's local Git configuration, preventing subsequent build steps or third-party actions from accessing it.
  3. Add Concurrency Controls:

    • Configured top-level concurrency groups in entrypoint workflows (ci.yml and generate_release_rcs.yml) to automatically cancel in-progress runs when new commits are pushed to the same branch or pull request.
  4. Secure Matrix Variable Expansion (Shell Injection Prevention):

    • Updated oss-licenses.yml to pass matrix variables (e.g., ${{ matrix.agp-version-key }}) into steps via step-level env blocks instead of interpolating them directly into inline shell script run strings. This ensures the values are handled safely as data rather than executable code.
  5. Improve UI Readability:

    • Added descriptive, human-readable name: fields to all jobs across the workflows to improve the structure and readability of the GitHub Actions run UI.

Verification

  • Verified locally using the zizmor static analysis linter with the most sensitive auditing profile (--persona=auditor --min-severity=informational --min-confidence=low), reporting 0 findings.

* Enforce principle of least privilege by adding explicit read-only permissions to all workflows.
* Disable git credential persistence in checkouts.
* Add concurrency rules to cancel obsolete workflows.
* Name all jobs for better UI visibility.
* Fix matrix template injection using env variables.

Written by Antigravity.
@timothyfroehlich timothyfroehlich requested a review from xyarco June 25, 2026 21:08
@timothyfroehlich timothyfroehlich enabled auto-merge (squash) June 25, 2026 21:08
@timothyfroehlich timothyfroehlich merged commit e65de3f into google:main Jun 25, 2026
22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants