[COPP-8605] Deploy zizmor to open source repos#249
[COPP-8605] Deploy zizmor to open source repos#249Lachlan Kidson (lachlankidson) merged 10 commits intomainfrom
Conversation
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
|
|
||
| on: | ||
| pull_request_target: | ||
| pull_request: |
There was a problem hiding this comment.
| env: | ||
| CACHE_NAME: node-modules-cache | ||
|
|
||
| permissions: {} |
There was a problem hiding this comment.
Omitting permissions from the workflow and job definitions results in the following from zizmor:
warning[excessive-permissions]: overly broad permissions
This permissions block might look odd, but it addresses the warning and should be the minimum required permissions for this job (See the job summaries of #250)
| cooldown: | ||
| default-days: 7 |
There was a problem hiding this comment.
You may want to tweak this value, 7 is the zizmor autofix default, see:
There was a problem hiding this comment.
Pull request overview
This PR adds the zizmor GitHub Actions security scanning tool to the repository and enhances workflow security by pinning action versions to commit SHAs and adding explicit permission controls.
Changes:
- Adds a new zizmor workflow to scan GitHub Actions for security issues
- Updates all workflow files to use commit SHA-pinned action versions instead of tag references
- Adds explicit permission declarations and
persist-credentials: falseto checkout actions across all workflows - Configures Dependabot with a 7-day cooldown period for updates
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/zizmor.yml | New workflow that runs zizmor security scanner on push to main and PRs |
| .github/workflows/release.yml | Pins action versions to SHAs, adds permissions block and persist-credentials: false |
| .github/workflows/pr.yml | Pins action versions to SHAs, adds permissions block and persist-credentials: false |
| .github/workflows/main.yml | Pins action versions to SHAs, adds permissions block and persist-credentials: false |
| .github/workflows/label-check.yml | Changes trigger from pull_request_target to pull_request, pins action version to SHA, adds permissions block |
| .github/workflows/_test.yml | Pins action versions to SHAs, adds persist-credentials: false |
| .github/dependabot.yml | Adds 7-day cooldown period for Dependabot updates |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
COPP-8605
This PR:
@actionsto latest.Warning
New
permissionblocks were derived from the annotations of runs in #250 , however this has not been tested for the release workflow. We suspect the permissions are the same - though you may want to merge that PR and perform a release of a dev version to be sure.Actions changelogs:
Resolves #250