Skip to content

Fix zizmor security issues in GitHub Actions workflows #361

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jezdez wants to merge 10 commits into
base: main
Choose a base branch
from
Open

Fix zizmor security issues in GitHub Actions workflows #361

jezdez wants to merge 10 commits into from

Conversation

@jezdez
Copy link
Member

@jezdez jezdez commented Jan 6, 2026

This PR addresses security issues identified by zizmor in the GitHub Actions workflows.

Changes

  • Added explicit permissions to workflows to follow the principle of least privilege
  • Pinned third-party actions to SHA hashes instead of tags for supply chain security
  • Added persist-credentials: false to checkout actions where appropriate
  • Fixed potential injection vulnerabilities by using environment variables instead of direct interpolation

Security Improvements

These changes help protect against:

  • Privilege escalation via overly permissive workflow tokens
  • Supply chain attacks from compromised action tags
  • Script injection attacks via untrusted input

jezdez added 8 commits January 6, 2026 11:57
@jezdez
Add cooldown configuration to Dependabot updates
c2ec562 
Adds 7-day cooldown period to all Dependabot package ecosystem
entries to prevent excessive update frequency and potential
supply chain attacks through rapid dependency updates.

Detected by: zizmor v1.20.0 (dependabot-cooldown rule)
@jezdez
Add persist-credentials: false to checkout actions
a9eb0d1 
Prevents Git credentials from being persisted in the workflow
environment after checkout, reducing the risk of credential
exposure through artifacts or subsequent steps.

Affected files:
- .github/workflows/labels.yml
- .github/workflows/tests.yml (4 checkouts)
- .github/workflows/update.yml
- check-cla/action.yml

Detected by: zizmor v1.20.0 (artipacked rule)
@jezdez
Add explicit permissions to workflow files
4520650 
Apply least privilege principle by declaring minimal required
permissions for each workflow instead of using default write-all.

Detected by: zizmor v1.20.0 (excessive-permissions rule)
@jezdez
Fix template injection vulnerabilities in shell commands
3f8c449 
Replace direct template expansions with environment variables to
prevent potential code injection attacks. Inputs are now passed
via env vars which are properly escaped by the shell.

Affected files:
- canary-release/action.yml
- combine-durations/action.yml
- create-fork/action.yml
- read-file/action.yml
- template-files/action.yml
- .github/workflows/update.yml

Detected by: zizmor v1.20.0 (template-injection rule)
@jezdez
Fix template injection in github-script and Python steps
8ccee0d 
Use process.env and os.environ to access inputs instead of direct
template expansion in JavaScript and Python code blocks.

Affected files:
- set-commit-status/action.yml
- read-yaml/action.yml
- check-cla/action.yml

Detected by: zizmor v1.20.0 (template-injection rule)
@jezdez
Refactor CLA workflow to use safer workflow_run pattern
241676f 
Split the CLA workflow into two parts for improved security:

1. cla-trigger.yml: Runs on pull_request_target but only saves PR
   metadata (number, author, url, sha) to artifacts. No secrets used.

2. cla.yml: Runs on workflow_run after trigger completes. Downloads
   PR metadata from artifacts and uses secrets safely.

This follows the recommended pattern for secure pull_request_target
usage by separating untrusted PR context from secret access.

Also adds zizmor.yml configuration file with documented suppressions
for intentional dangerous trigger usage in:
- cla-trigger.yml (saves metadata only, no secrets)
- cla.yml (workflow_run with artifact-based PR context)
- project.yml (no code checkout, only adds to project)
@jezdez
Move write permissions to job level in tests.yml
c037ba0 
Permissions for issues:write and pull-requests:write are now
defined at the job level (template-files and analyze jobs) rather
than workflow level, following least privilege principle.
@jezdez
Fix remaining template injection findings
6cd1c66 
Use environment variables instead of direct template expansion:
- stale.yml: Pass stale action outputs via STALE_OUTPUTS env var
- tests.yml: Pass JSON/YAML content via env vars to Python script
@jezdez jezdez requested a review from a team as a code owner January 6, 2026 12:18
@github-project-automation github-project-automation bot moved this to 🆕 New in 🔎 Review Jan 6, 2026
@conda-bot conda-bot added the cla-signed [bot] added once the contributor has signed the CLA label Jan 6, 2026
@conda-bot
Copy link
Contributor

conda-bot commented Jan 6, 2026
edited
Loading

Template Success

Warning

This is what the audit looks like when the templating has no errors.

Templating Audit
  • 🔄 Fetching files from ./templates
    • file1.txt.github_cache/template-files/success/file1.txt
      • ✅ (used) stub1.txt
      • ✅ (used) stub2.txt
      • ❌ (missing) stub3.txt
    • ⚠️ file2.txt.github_cache/template-files/success/file2.txt
      • ✅ (used) stub2.txt
      • ❌ (missing) stub3.txt
      • 📚 (context) variable=value
      • ➕ (optional) optional=
Stub State Count
stub1.txt ✅ (used) 1
stub2.txt ✅ (used) 2
stub3.txt ❌ (missing) 2

Template Error

Warning

This is what the audit looks like when templating results in errors.

Templating Audit
  • 🔄 Fetching files from ./templates
    • file1.txt.github_cache/template-files/error/file1.txt
      • ✅ (used) stub1.txt
      • ✅ (used) stub2.txt
      • ❌ (missing) stub3.txt
    • ❌ Context missing file2.txt.github_cache/template-files/error/file2.txt
      • ✅ (used) stub2.txt
      • ❌ (missing) stub3.txt
      • ❌ (missing) variable=
      • ➕ (optional) optional=
Stub State Count
stub1.txt ✅ (used) 1
stub2.txt ✅ (used) 2
stub3.txt ❌ (missing) 2

Got 1 error(s)

@jezdez
Copy link
Member Author

jezdez commented Jan 6, 2026

The comment above is to be expected because of the change to the template-files action files.

@dbast
Copy link
Member

dbast commented Jan 8, 2026
edited
Loading

@jezdez any reason not to add zizmor as pre-commit hook via?:

  - repo: https://github.com/zizmorcore/zizmor-pre-commit
    rev: v1.20.0
    hooks:
      - id: zizmor

@dbast
Copy link
Member

dbast commented Jan 8, 2026

as this is the central repo maybe adding actionlint is also of additional help to find things before they come to the consumers of the actions:

  - repo: https://github.com/rhysd/actionlint
    rev: v1.7.9
    hooks:
      - id: actionlint

@jezdez
Copy link
Member Author

jezdez commented Jan 9, 2026
edited
Loading

No, these are good ideas, you're right! But adding the actions wouldn't have made these changes

@kenodegard
Copy link
Contributor

kenodegard commented Jan 16, 2026
edited
Loading

Cannot make changes to the following here (as they're synced from conda/infrastructure):

  • cla.yml
  • issues.yml
  • labels.yml
  • project.yml
  • stale.yml
  • update.yml

edit: but I'm starting to wonder if some of the workflows should be synced from here instead, e.g., it makes more sense for the cla workflow to live here alongside the cla action?

@kenodegard
Copy link
Contributor

kenodegard commented Jan 16, 2026

Can we combine cla-trigger with cla? Isn't it possible to define permissions per job instead of on the workflow level?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

cla-signed [bot] added once the contributor has signed the CLA

Projects

🔎 Review
Status: 🆕 New

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@jezdez @conda-bot @dbast @kenodegard