Skip to content

Incorporate zizmor GitHub Actions security auditing (#69)#73

Merged
rajeeja merged 1 commit into
mainfrom
rajeeja/zizmor
Jul 13, 2026
Merged

Incorporate zizmor GitHub Actions security auditing (#69)#73
rajeeja merged 1 commit into
mainfrom
rajeeja/zizmor

Conversation

@rajeeja

@rajeeja rajeeja commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

Summary

Closes #69. Incorporates zizmor — a GitHub Actions
static security auditor — as both a pre-commit hook and a CI workflow,
and fixes the high-signal findings it surfaced across the existing workflows.

Why

As an AI-agent-facing tool, workflow supply-chain hardening matters. xarray and
other projects have adopted zizmor for the same reason
(pydata/xarray#11269).

Findings fixed

zizmor initially reported 93 findings (17 medium, 42 high). This PR takes it
to zero actionable findings:

  • excessive-permissions — added least-privilege permissions: contents: read
    to ci.yml (CI only needs read).
  • artipacked (credential persistence) — set persist-credentials: false on
    checkouts that don't push; documented persist-credentials: true on the
    feedstock checkout that intentionally pushes a branch.
  • template-injection — moved ${{ inputs.* }} and
    ${{ steps.*.outputs.* }} expressions into env: variables referenced as
    $VAR in run: blocks (release.yml, monthly-release.yml). This removes
    the code-injection surface from user-controllable inputs.
  • cache-poisoning — disabled setup-uv caching (enable-cache: false) in
    the publish workflows, where cached artifacts could poison a release build.

What's deferred (documented)

unpinned-uses (pinning every third-party action to a full commit SHA) is
ignored via .github/zizmor.yml for now and tracked as a separate follow-up, so
this initial adoption stays focused and reviewable.

New files

  • .github/zizmor.yml — zizmor configuration.
  • .github/workflows/zizmor.yml — CI job running zizmor on workflow changes
    (itself hardened: least-privilege permissions, persist-credentials: false,
    no cache).
  • .pre-commit-config.yaml — adds the zizmor hook.

Testing

  • uvx zizmor .github/workflows/no actionable findings (35 ignored =
    unpinned-uses per config, 22 auto-suppressed).
  • uv run pre-commit run --all-files — all hooks pass, including the new zizmor
    hook.
  • Existing test suite unaffected (workflow-only change).

Closes #69. Adds zizmor (https://docs.zizmor.sh) as a pre-commit hook and
a CI workflow, and fixes the high-signal findings it surfaced:

- excessive-permissions: add least-privilege 'permissions: contents: read'
  to CI (top level) and explicit job scopes
- artipacked: set persist-credentials: false on checkouts that don't need
  to push; document persist-credentials: true where a token push is intended
- template-injection: move ${{ inputs.* }} / ${{ steps.*.outputs.* }} into
  env: vars referenced as $VAR in run blocks (release + monthly-release)
- cache-poisoning: disable setup-uv caching in the publish workflows

.github/zizmor.yml ignores 'unpinned-uses' for now (pinning every action to
a commit SHA is tracked as a separate follow-up) so this initial adoption
stays focused. Result: zero actionable findings; zizmor passes in pre-commit
and CI.
@rajeeja
rajeeja merged commit e41c88e into main Jul 13, 2026
8 checks passed
@rajeeja
rajeeja deleted the rajeeja/zizmor branch July 13, 2026 22:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

incorporate zizmor

1 participant