Skip to content

harden github action workflows#1165

Merged
kodiakhq[bot] merged 7 commits into
masterfrom
cdignam/gha-workflow-hardening
May 24, 2026
Merged

harden github action workflows#1165
kodiakhq[bot] merged 7 commits into
masterfrom
cdignam/gha-workflow-hardening

Conversation

@chdsbd
Copy link
Copy Markdown
Collaborator

@chdsbd chdsbd commented May 23, 2026
edited
Loading

I didn't apply all of the zizmor fixes, because they aren't all necessary.

Cache poisoning isn't a risk with the workflows here.

zizmor --gh-token=$(gh auth token) .github --fix=all

@chdsbd
harden github action workflows
65f2dd4 
```
zizmor --gh-token=$(gh auth token) .github --fix=all
```
chdsbd
chdsbd commented May 23, 2026
View reviewed changes
Comment thread .github/workflows/python.yml Outdated
working-directory: crates/squawk
args: --release --out dist
sccache: "true"
sccache: false
Copy link
Copy Markdown
Collaborator Author

@chdsbd chdsbd May 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the tool turns caching off because of cache poisoning: https://docs.zizmor.sh/audits/#cache-poisoning

Copy link
Copy Markdown
Owner

@sbdchd sbdchd May 23, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/astral-sh/ruff/blob/0df54882ffeffbad9d8a18c6c7c7abdbe4813ea5/.github/workflows/ci.yaml#L304-L320

this is what ruff does

chdsbd
chdsbd commented May 23, 2026
View reviewed changes
Comment thread .github/workflows/rust.yml
Comment on lines +35 to +36
permissions:
contents: write
Copy link
Copy Markdown
Collaborator Author

@chdsbd chdsbd May 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we only grant a specific step access to a permission when necessary

@chdsbd chdsbd marked this pull request as ready for review May 24, 2026 17:16
@sbdchd sbdchd added the automerge automerge with kodiak label May 24, 2026
@kodiakhq kodiakhq Bot merged commit 5d0daa8 into master May 24, 2026
33 checks passed
@kodiakhq kodiakhq Bot deleted the cdignam/gha-workflow-hardening branch May 24, 2026 19:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sbdchd sbdchd sbdchd approved these changes

Assignees

No one assigned

Labels

automerge automerge with kodiak

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chdsbd @sbdchd