From b27ff917c97bd9d134dbf9b229073a9df2425154 Mon Sep 17 00:00:00 2001 From: Ryan Eberhardt Date: Tue, 24 Mar 2026 22:30:18 -0700 Subject: [PATCH] fix: harden GitHub Actions workflows (zizmor) - Add restrictive permissions: workflow-level `permissions: {}` with minimal per-job grants (contents:read for CI, checks:read for check-ci, id-token:write+contents:read for release) - Upgrade actions/checkout to v6.0.2 with persist-credentials: false in both CI and release workflows to prevent credential leakage - Remove explicit npm cache from release workflow setup-node step to mitigate cache-poisoning risk on tag-push triggers Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/ci.yml | 10 ++++++++-- .github/workflows/release.yml | 9 +++++++-- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d4abab0..0fce453 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,13 +6,19 @@ on: pull_request: branches: [main] +permissions: {} + jobs: test: runs-on: ubuntu-latest - + permissions: + contents: read + steps: - name: Checkout code - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@89d709d423dc495668cd762a18dd4a070611be3f diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 144a382..cbad55c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,9 +5,13 @@ on: tags: - 'v*.*.*' +permissions: {} + jobs: check-ci: runs-on: ubuntu-latest + permissions: + checks: read steps: - name: Wait for CI to pass id: wait-for-ci @@ -31,13 +35,14 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@89d709d423dc495668cd762a18dd4a070611be3f with: node-version-file: 'package.json' - cache: 'npm' registry-url: 'https://registry.npmjs.org' - name: Update npm to latest