
Conversation

@strickvl
Collaborator

Summary

  • Adds zizmor GitHub Actions security linter to the CI pipeline
  • Configures zizmor to match our security posture (version tags OK, no SHA pinning required)
  • Hardens all workflows with explicit permissions and credential controls

Changes

| File | Changes |
| --- | --- |
| `.github/zizmor.yml` | Config disabling unpinned-uses (SHA pinning overkill) and ignoring false-positive template-injection findings |
| `.github/dependabot.yml` | Added 7-day cooldown config (zizmor auto-fix) |
| `.github/workflows/ci.yml` | Added `permissions: contents: read`, `persist-credentials: false`, new security-lint job |
| `.github/workflows/release.yml` | Added `permissions: contents: write`, `persist-credentials: false` |
| `.github/workflows/spellcheck.yml` | Added `permissions: contents: read`, `persist-credentials: false` |
| `.github/workflows/test-publish.yml` | Added `permissions: contents: read`, `persist-credentials: false` |

Test plan

  • CI passes (including new zizmor security-lint job)
  • Verify zizmor annotations appear on PR if any issues found

- Add zizmor.yml config disabling SHA pinning (overkill for this repo)
  and ignoring false-positive template-injection findings
- Add explicit permissions blocks to all workflows (least privilege)
- Add persist-credentials: false to all checkout steps
- Add cooldown config to dependabot (auto-fixed by zizmor)
- Add security-lint job to CI workflow running zizmor on PRs
@coderabbitai
Contributor

coderabbitai bot commented Jan 20, 2026

Important

Review skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

Zizmor auto-fixed all action references to use immutable SHA pins
with version comments (e.g., @abc123 # v6). Dependabot will keep
these updated automatically via the existing github-actions config.
- Run yamlfix to fix workflow YAML formatting
- Update CLAUDE.md to emphasize running ./scripts/lint.sh before pushing
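The PR description and the two commit messages above list what each file gained but not the file contents. The following is an added illustration, not the PR's own files: a workflow in the shape zizmor flags, the same workflow hardened the way the description says (top-level `permissions`, `persist-credentials: false` on checkout, a security-lint job), a SHA-pinned action reference with a version comment as in the later commit note, and a `.github/zizmor.yml` along the lines described. The action versions, the placeholder commit SHA, the `uvx` install step, the `--format github` flag and the zizmor config key names are assumptions and should be checked against the zizmor version you run.

```yaml
# Added illustration; not copied from the repository this PR belongs to.
# Action versions, the placeholder SHA and the zizmor config keys are assumptions.

# --- .github/workflows/ci.yml, BEFORE: the shape zizmor complains about ---
# No permissions block, so every job inherits the repository's default
# GITHUB_TOKEN scope (which may be read/write); checkout leaves that token in
# .git/config where any later step can reuse it; the action is unpinned.
name: ci
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/test.sh

---
# --- .github/workflows/ci.yml, AFTER: the hardening the PR describes ---
name: ci
on: [pull_request]

# Least privilege for the whole workflow: reading the tree is all these jobs
# need. A workflow that must push (release.yml) sets contents: write instead.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # persist-credentials: false stops checkout from storing GITHUB_TOKEN in
      # .git/config, so a compromised later step cannot pick it up from there.
      # Pin to a commit SHA and keep the tag in a comment; Dependabot updates
      # both. The SHA below is a placeholder, not a real actions/checkout commit.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v6 (placeholder SHA)
        with:
          persist-credentials: false
      - run: ./scripts/test.sh

  # New job: lint the repository's own workflows with zizmor on every PR.
  security-lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v6 (placeholder SHA)
        with:
          persist-credentials: false
      # Assumption: uv is installed via astral-sh/setup-uv and zizmor is run
      # with uvx; `--format github` is assumed to emit PR annotations.
      - uses: astral-sh/setup-uv@0000000000000000000000000000000000000000 # v6 (placeholder SHA)
      - run: uvx zizmor --format github .
        env:
          # Read-only token so zizmor's online audits can query the API.
          GH_TOKEN: ${{ github.token }}

---
# --- .github/zizmor.yml ---
# Assumed config layout: per-rule `ignore` lists suppress findings by workflow
# file (optionally file:line:col); an unpinned-uses policy of ref-pin accepts
# version tags such as @v6 without demanding a commit SHA.
rules:
  unpinned-uses:
    config:
      policies:
        "*": ref-pin
  template-injection:
    ignore:
      - ci.yml:42:9   # constructed location of a reviewed false positive
```

The split matters for detection as much as for prevention: with `contents: read` and no persisted credentials, a malicious dependency or a poisoned script step in `test` has no token to push with, and zizmor's annotations surface any regression (a job that drops the block, a new checkout without the flag) on the PR that introduces it rather than after merge.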
@strickvl strickvl merged commit ed2c2e4 into develop Jan 20, 2026
5 checks passed
@strickvl strickvl deleted the add-zizmor-config branch January 20, 2026 09:35
