
fix(ci): GitHub Actions security hardening #358

Open

stevebeattie wants to merge 3 commits into wolfi-dev:main from stevebeattie:security/psec-923-tools

fix(ci): GitHub Actions security hardening#358
stevebeattie wants to merge 3 commits into
wolfi-dev:mainfrom
stevebeattie:security/psec-923-tools

Conversation

@stevebeattie (Member)

This PR applies GitHub Actions hardening fixes across the workflows in
.github/workflows/, surfaced by static analysis (zizmor).

What this changes

  • Template-injection fix. Context expressions interpolated into run:
    blocks in the build workflow are hoisted into env: and referenced as quoted
    shell variables.
  • Least-privilege permissions scoped across the workflows.
  • Repo-level zizmor config + dependabot cooldown: disables cosmetic
    pedantic-only rules and adds a dependabot-cooldown threshold, paired with
    cooldown.default-days: 3 in the repo's existing .github/dependabot.yaml.

Test plan

  • zizmor .github/ — clean after these changes.
  • actionlint — workflows still parse with no errors.

Refs: PSEC-923
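
The template-injection item above is the one that is easy to get wrong by reading it as a quoting problem, so here is an added example (not code from wolfi-dev/tools or from this PR) that reproduces the mechanism in plain sh: the Actions runner substitutes a `${{ ... }}` expression into the `run:` script text before the shell ever parses it, so an attacker-controlled value such as a pull request title becomes shell syntax; hoisting the value into `env:` hands it to the shell as data. The step name, the `PR_TITLE` variable name and the PR title string are constructed for the illustration and are not taken from the PR.

```shell
#!/bin/sh
# Added example, not code from wolfi-dev/tools or this PR. It models the
# template-injection class the PR fixes: the Actions runner replaces
# ${{ ... }} expressions in a run: block textually, before the shell parses
# the script. The step name, PR_TITLE and the title value are constructed.

# Constructed attacker-controlled value (e.g. a pull request title).
# The trailing '#' comments out whatever follows the injected command.
EVIL_TITLE='hello"; echo INJECTED #'

# Before the fix, the workflow step looks like:
#   - name: Announce
#     run: echo "PR title: ${{ github.event.pull_request.title }}"
# run_vulnerable does what the runner does: the expression is substituted
# into the script text, so the attacker's quote and ';' become shell syntax
# and the shell executes 'echo INJECTED' as a second command.
run_vulnerable() {
  script=$(printf 'echo "PR title: %s"' "$1")
  sh -c "$script"
}

# After the fix, the same step becomes:
#   - name: Announce
#     env:
#       PR_TITLE: ${{ github.event.pull_request.title }}
#     run: echo "PR title: $PR_TITLE"
# The value reaches the shell only as an environment variable; the quoted
# "$PR_TITLE" expansion keeps it a single word of data, never syntax.
run_hardened() {
  PR_TITLE="$1" sh -c 'echo "PR title: $PR_TITLE"'
}

echo "--- vulnerable: expression substituted into the script text ---"
run_vulnerable "$EVIL_TITLE"
echo "--- hardened: value passed through env: ---"
run_hardened "$EVIL_TITLE"
```

The vulnerable function prints two lines (`PR title: hello` followed by `INJECTED`), proving a second command ran; the hardened function prints the title verbatim as one line. The same reasoning applies to any other event-controlled field (branch names, commit messages, issue bodies): the fix is the `env:` hoist, not extra quoting inside `run:`, because quoting inside the template is itself part of the text being substituted into.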

@stevebeattie stevebeattie requested review from egibs and eslerm July 2, 2026 05:15
Refs: PSEC-923
Generated-By: claude-guard chain a48e874cad6e33af55ac66904dac8ae8
Skills-Applied: template-injection
Skills-Sha: d1a637a7f238e262da2698fbdbfd84d56a645e4cf4c63cdfcb3347544f7f2967
Image-Sha: sha256:3b5a6a2d7ac0edcd1da9473f63aef0922371ae7094a2583f4faa5bdef838bc1f

Refs: PSEC-923
Generated-By: claude-guard chain a48e874cad6e33af55ac66904dac8ae8
Skills-Applied: excessive-permissions
Skills-Sha: d1a637a7f238e262da2698fbdbfd84d56a645e4cf4c63cdfcb3347544f7f2967
Image-Sha: sha256:3b5a6a2d7ac0edcd1da9473f63aef0922371ae7094a2583f4faa5bdef838bc1f

Refs: PSEC-923
Generated-By: claude-guard chain a48e874cad6e33af55ac66904dac8ae8
Skills-Applied: zizmor-config
Skills-Sha: d1a637a7f238e262da2698fbdbfd84d56a645e4cf4c63cdfcb3347544f7f2967
Image-Sha: sha256:3b5a6a2d7ac0edcd1da9473f63aef0922371ae7094a2583f4faa5bdef838bc1f

@stevebeattie stevebeattie force-pushed the security/psec-923-tools branch from 7484a25 to 81939e3 Compare July 2, 2026 06:46