ci: harden github actions workflows against zizmor warnings#438
Merged
timothyfroehlich merged 2 commits intoJun 25, 2026
Merged
Conversation
* Enforce principle of least privilege by adding explicit read-only permissions to all workflows.
* Disable git credential persistence in checkouts.
* Add concurrency rules to cancel obsolete workflows.
* Name all jobs for better UI visibility.
* Fix matrix template injection using env variables.

Written by Antigravity.
xyarco
approved these changes
Jun 25, 2026
Description
This PR implements security hardening across all GitHub Actions workflows in the repository to align with modern security best practices and prevent potential supply chain or CI/CD vulnerabilities.
Changes
Enforce Principle of Least Privilege (Granular Permissions):
- Added `permissions` blocks to all workflows to restrict the default scope of the `GITHUB_TOKEN`.
- Set `contents: read` by default.
- Granted `pull-requests: read` only to the `CI` workflow, which is specifically required by `dorny/paths-filter` to fetch file diffs via the GitHub API for pull requests.

Disable Git Credential Persistence:
- Set `persist-credentials: false` on all `actions/checkout` steps across all 5 workflows. This ensures the `GITHUB_TOKEN` is not stored in the runner's local Git configuration, preventing subsequent build steps or third-party actions from accessing it.

Add Concurrency Controls:
- Added `concurrency` groups in entrypoint workflows (`ci.yml` and `generate_release_rcs.yml`) to automatically cancel in-progress runs when new commits are pushed to the same branch or pull request.

Secure Matrix Variable Expansion (Shell Injection Prevention):
- Updated `oss-licenses.yml` to pass matrix variables (e.g., `${{ matrix.agp-version-key }}`) into steps via step-level `env` blocks instead of interpolating them directly into inline shell script `run` strings. This ensures the values are handled safely as data rather than executable code.

Improve UI Readability:
- Added `name:` fields to all jobs across the workflows to improve the structure and readability of the GitHub Actions run UI.

Verification
- Ran the `zizmor` static analysis linter with the most sensitive auditing profile (`--persona=auditor --min-severity=informational --min-confidence=low`), reporting 0 findings.
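The five measures listed above, applied together in one minimal workflow. This is an added example written for this page, not a file from the PR or the repository: the job names, the `src/**` filter, the `stable`/`beta` matrix keys and the `./build.sh` script are hypothetical, and the action version pins are illustrative.

```yaml
# Added example (not from the PR): one workflow carrying every hardening
# measure the PR description lists. Names, paths and the build script are
# placeholders.
name: CI

on:
  push:
    branches: [main]
  pull_request:

# 1. Least privilege: the default GITHUB_TOKEN is read-only for every job.
#    A job that needs more declares its own, narrower block below.
permissions:
  contents: read

# 3. Concurrency: a new push to the same workflow + ref cancels the run
#    that is still in flight instead of letting both finish.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  changes:
    name: Detect changed paths            # 5. explicit job name for the run UI
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read                 # only this job reads PR diffs
    outputs:
      src: ${{ steps.filter.outputs.src }}
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false      # 2. token is not written to .git/config
      - id: filter
        uses: dorny/paths-filter@v3
        with:
          filters: |
            src:
              - 'src/**'

  licenses:
    name: License check (${{ matrix.agp-version-key }})
    runs-on: ubuntu-latest
    needs: changes
    if: needs.changes.outputs.src == 'true'
    strategy:
      matrix:
        agp-version-key: [stable, beta]   # hypothetical matrix values
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      # 4. The matrix value reaches the shell as an environment variable.
      #    The form this replaces spliced the expression into the script
      #    text before the shell ever saw it:
      #      run: ./build.sh --agp "${{ matrix.agp-version-key }}"
      #    With env, the script text is fixed and the value is only data.
      - name: Run license check
        env:
          AGP_KEY: ${{ matrix.agp-version-key }}
        run: ./build.sh --agp "$AGP_KEY"
```

Two consequences of these settings are worth checking before merging a similar change: a step that later runs `git push` or `gh` against the repository will no longer find a token in the checkout's Git config and must be given one explicitly (and a job-level `permissions` block with `contents: write`), and a top-level `permissions` key with any entry drops every scope not listed, so a job that previously relied on an implicit `packages`, `id-token` or `pull-requests: write` grant will fail at the API call rather than at workflow parse time. Running `zizmor` with the profile named in the Verification section surfaces both the remaining template-injection sites and any checkout that still persists credentials.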