Incorporate zizmor GitHub Actions security auditing (#69)#73
Merged
Conversation
Closes #69. Adds zizmor (https://docs.zizmor.sh) as a pre-commit hook and a CI workflow, and fixes the high-signal findings it surfaced: - excessive-permissions: add least-privilege 'permissions: contents: read' to CI (top level) and explicit job scopes - artipacked: set persist-credentials: false on checkouts that don't need to push; document persist-credentials: true where a token push is intended - template-injection: move ${{ inputs.* }} / ${{ steps.*.outputs.* }} into env: vars referenced as $VAR in run blocks (release + monthly-release) - cache-poisoning: disable setup-uv caching in the publish workflows .github/zizmor.yml ignores 'unpinned-uses' for now (pinning every action to a commit SHA is tracked as a separate follow-up) so this initial adoption stays focused. Result: zero actionable findings; zizmor passes in pre-commit and CI.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #69. Incorporates zizmor — a GitHub Actions
static security auditor — as both a pre-commit hook and a CI workflow,
and fixes the high-signal findings it surfaced across the existing workflows.
Why
As an AI-agent-facing tool, workflow supply-chain hardening matters. xarray and
other projects have adopted zizmor for the same reason
(pydata/xarray#11269).
Findings fixed
zizmor initially reported 93 findings (17 medium, 42 high). This PR takes it
to zero actionable findings:
permissions: contents: readto
ci.yml(CI only needs read).persist-credentials: falseoncheckouts that don't push; documented
persist-credentials: trueon thefeedstock checkout that intentionally pushes a branch.
${{ inputs.* }}and${{ steps.*.outputs.* }}expressions intoenv:variables referenced as$VARinrun:blocks (release.yml,monthly-release.yml). This removesthe code-injection surface from user-controllable inputs.
setup-uvcaching (enable-cache: false) inthe publish workflows, where cached artifacts could poison a release build.
What's deferred (documented)
unpinned-uses(pinning every third-party action to a full commit SHA) isignored via
.github/zizmor.ymlfor now and tracked as a separate follow-up, sothis initial adoption stays focused and reviewable.
New files
.github/zizmor.yml— zizmor configuration..github/workflows/zizmor.yml— CI job running zizmor on workflow changes(itself hardened: least-privilege permissions,
persist-credentials: false,no cache).
.pre-commit-config.yaml— adds thezizmorhook.Testing
uvx zizmor .github/workflows/— no actionable findings (35 ignored =unpinned-uses per config, 22 auto-suppressed).
uv run pre-commit run --all-files— all hooks pass, including the new zizmorhook.