fix(ci): GitHub Actions security hardening #21

Open
stevebeattie wants to merge 4 commits into wolfi-dev:main from stevebeattie:security/psec-923-community

fix(ci): GitHub Actions security hardening#21
stevebeattie wants to merge 4 commits into
wolfi-dev:mainfrom
stevebeattie:security/psec-923-community

@stevebeattie (Member)

This PR applies GitHub Actions hardening fixes to the Action Lint workflow,
surfaced by static analysis (zizmor).

What this changes

  • Least-privilege permissions on the Action Lint workflow — a top-level
    deny-all default with only the permissions the job actually needs.
  • persist-credentials: false on checkout — the job doesn't push back, so
    the persisted GITHUB_TOKEN is unnecessary.
  • Repo-level zizmor config disabling cosmetic pedantic-only rules, plus a
    dependabot-cooldown threshold.
  • Dependabot coverage (.github/dependabot.yml). The workflow pins its
    actions to commit SHAs but the repo had no dependabot config; adds weekly
    github-actions update coverage with a 3-day cooldown.

Test plan

  • zizmor .github/ — clean after these changes.
  • actionlint — workflow still parses with no errors.

Refs: PSEC-923
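For reference, a workflow and dependabot config shaped the way the description above lays out, as an added example rather than this PR's actual diff (the workflow file name, the job name and the lint step are assumed; the zizmor.yml threshold is left out because the page does not show its key):

```yaml
# .github/workflows/actionlint.yml  (assumed name; example, not the PR's diff)
name: Action Lint

on:
  pull_request:
    paths: [".github/workflows/**"]

# Weak default: with no top-level block, every job inherits the repository's
# default GITHUB_TOKEN scope, which may be read/write.
# Hardened: deny everything here and grant per job only what is needed.
permissions: {}

jobs:
  actionlint:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # enough to check out and lint; nothing else
    steps:
      # Weak: checkout's default persist-credentials: true stores GITHUB_TOKEN
      # in .git/config, readable by every later step and tool in the job.
      # Hardened: this job never pushes, so the token need not persist.
      - uses: actions/checkout@<full-commit-sha>   # placeholder; pin a real SHA
        with:
          persist-credentials: false
      - name: Run actionlint
        run: actionlint -color   # assumes actionlint is on PATH on the runner

---
# .github/dependabot.yml  (example, not the PR's diff)
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    # SHA pins go stale without this; the cooldown waits 3 days after a new
    # action release before proposing the bump, so a just-published release
    # that turns out to be compromised is not pulled in immediately.
    cooldown:
      default-days: 3
```

Re-run `zizmor .github/` and `actionlint` after editing, as in the test plan above, to confirm the hardening registers and the workflow still parses.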

…flow

Refs: PSEC-923
Generated-By: claude-guard chain 9facdbc54c749b676c74e197377209d3
Skills-Applied: excessive-permissions
Skills-Sha: d1a637a7f238e262da2698fbdbfd84d56a645e4cf4c63cdfcb3347544f7f2967
Image-Sha: sha256:3b5a6a2d7ac0edcd1da9473f63aef0922371ae7094a2583f4faa5bdef838bc1f
Refs: PSEC-923
Generated-By: claude-guard chain 9facdbc54c749b676c74e197377209d3
Skills-Applied: artipacked
Skills-Sha: d1a637a7f238e262da2698fbdbfd84d56a645e4cf4c63cdfcb3347544f7f2967
Image-Sha: sha256:3b5a6a2d7ac0edcd1da9473f63aef0922371ae7094a2583f4faa5bdef838bc1f
Refs: PSEC-923
Generated-By: claude-guard chain 9facdbc54c749b676c74e197377209d3
Skills-Applied: zizmor-config
Skills-Sha: d1a637a7f238e262da2698fbdbfd84d56a645e4cf4c63cdfcb3347544f7f2967
Image-Sha: sha256:3b5a6a2d7ac0edcd1da9473f63aef0922371ae7094a2583f4faa5bdef838bc1f
The Action Lint workflow pins its actions to commit SHAs but the repo had no
dependabot.yml, so those pins had no automated freshness mechanism. Add weekly
github-actions update coverage with a 3-day cooldown, and declare the matching
dependabot-cooldown threshold in .github/zizmor.yml.

Generated-By: claude-guard
@stevebeattie stevebeattie requested review from egibs and eslerm July 2, 2026 05:12