
Github action fixes #719

Merged

mandre merged 9 commits into k-orc:main from shiftstack:gha-fixes on Mar 25, 2026

Conversation

mandre (Collaborator) commented Mar 25, 2026

Various fixes for GitHub Actions, spotted by zizmor and Christopher Lusk via his Fluxgate tool (https://github.com/north-echo/fluxgate).
Also add a new zizmor GitHub action to scan for potential security risks on workflow changes.

mandre added 9 commits March 24, 2026 12:53
The if: condition used two separate ${{ }} expansions with == outside
the expression context, causing the condition to always evaluate to
true. Move the comparison inside a single expression so it is properly
evaluated by the GitHub Actions expression engine.

Reported by zizmor (unsound-condition).

Pass github.base_ref through an environment variable instead of
interpolating it directly into the run block. Direct interpolation of
attacker-controllable context values into shell commands allows code
injection.

Reported by zizmor (template-injection).

Prevent the checked-out git repository from retaining the GITHUB_TOKEN
in the git credential store. This reduces the risk of credential
leakage through artifacts or subsequent steps.

Reported by zizmor (artipacked).

Pin all action references to their full commit hashes instead of
mutable tags. This prevents supply-chain attacks where a compromised
tag could point to malicious code. The original tag is preserved in a
trailing comment for maintainability.

Reported by zizmor (unpinned-uses).

Add explicit empty permissions at the workflow level and grant only
the required permissions at the job level. check-pr-labels needs no
permissions beyond metadata. label-pr moves contents:read and
pull-requests:write from workflow level to only the jobs that need them.

Reported by zizmor (excessive-permissions).
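The five zizmor findings fixed by the commits above (unsound-condition, template-injection, artipacked, unpinned-uses and excessive-permissions) shown side by side in one workflow, as an added illustration that is not one of the files changed in this PR. The workflow name, job names and the `git diff` step are constructed for this example; the `<FULL_COMMIT_SHA>` values are placeholders for the 40-hex commit the tag resolves to, which you look up yourself before pinning.

```yaml
# BEFORE: a constructed workflow that exhibits all five findings at once.
# Job and step names are hypothetical; nothing here is taken from the repo.
name: pr-checks
on:
  pull_request:

permissions:                 # excessive-permissions: every job inherits write
  contents: read
  pull-requests: write

jobs:
  analyse:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4        # unpinned-uses: mutable tag
                                         # artipacked: GITHUB_TOKEN persisted in .git/config
      # unsound-condition: '==' sits outside ${{ }}, so the value is the string
      # "<base> == <default>", which is non-empty and therefore always true.
      - if: ${{ github.base_ref }} == ${{ github.event.repository.default_branch }}
        # template-injection: the context value is pasted into the shell script itself
        run: git diff --name-only "origin/${{ github.base_ref }}...HEAD"

  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5         # unpinned-uses
---
# AFTER: the same workflow with each finding fixed.
name: pr-checks
on:
  pull_request:

permissions: {}              # nothing at the workflow level; jobs opt in below

jobs:
  analyse:
    runs-on: ubuntu-latest
    # no permissions block: the job only gets the implicit metadata read
    steps:
      - uses: actions/checkout@<FULL_COMMIT_SHA> # v4  (placeholder: resolve the tag to its 40-hex sha)
        with:
          persist-credentials: false     # token is not written to .git/config
      # one expression; the comparison is evaluated by the expression engine
      - if: ${{ github.base_ref == github.event.repository.default_branch }}
        env:
          BASE_REF: ${{ github.base_ref }}   # reaches the shell as a variable, not as script text
        run: git diff --name-only "origin/${BASE_REF}...HEAD"

  label:
    runs-on: ubuntu-latest
    permissions:                         # only this job can write labels
      contents: read
      pull-requests: write
    steps:
      - uses: actions/labeler@<FULL_COMMIT_SHA> # v5  (placeholder sha)
```

The two documents are separated by `---` only so they sit in one block; each would be its own file. The trailing `# v4` / `# v5` comments are what tools such as Dependabot and Renovate read to keep a sha-pinned reference updated, which is why the commit keeps the tag in a comment rather than dropping it.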

…curity issue

The semver job in label-pr.yaml checked out untrusted PR code and
executed it (make go-version, go-apidiff) with access to a
GITHUB_TOKEN that had pull-requests:write permissions. An attacker
could modify the Makefile to exfiltrate the token.

Split into two workflows following GitHub's recommended pattern:
- semver.yaml: triggered by pull_request (read-only permissions),
  runs the analysis and uploads the result as an artifact.
- label-pr.yaml: the semver-label job is triggered by workflow_run
  (when semver.yaml completes), downloads the artifact, and applies
  labels with write permissions. It never checks out untrusted code.

The edits job stays in label-pr.yaml with pull_request_target as
before (it only runs actions/labeler, no code checkout).

Reported-by: Christopher Lusk <clusk@redhat.com>

This workflow has no permissions, checks out no code, and accesses no
secrets. It only reads the event payload to check for the hold label.
pull_request is sufficient and avoids the security concerns of
pull_request_target.

Suppress remaining zizmor findings that are intentional:
- dangerous-triggers in backport.yaml: only runs on merged PRs, never
  checks out code.
- dangerous-triggers in label-pr.yaml: pull_request_target only runs
  actions/labeler (no code checkout), workflow_run never executes
  untrusted code.
- secrets-outside-env in backport.yaml, container_image.yaml,
  release_image.yaml, website.yaml: requires GitHub Environments
  which is an infrastructure change outside workflow files.
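The two-workflow split described in the semver commit (semver.yaml under pull_request with read-only permissions, label-pr.yaml applying labels from a workflow_run trigger) together with the dangerous-triggers suppressions from the commit above, as an added reconstruction for this page, not the files merged in this PR. Assumptions: `./hack/semver-label.sh` is a hypothetical wrapper around go-apidiff that prints the label name; the `# zizmor: ignore[...]` inline comment syntax is taken from zizmor's documentation as the author recalls it; `<FULL_COMMIT_SHA>` values are placeholders; and the label names other than semver:patch are assumed.

```yaml
# semver.yaml: runs untrusted PR code with a read-only token and no secrets,
# and hands its verdict to the privileged workflow through an artifact.
name: semver
on:
  pull_request:

permissions:
  contents: read

jobs:
  semver:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<FULL_COMMIT_SHA> # v4  (placeholder sha)
        with:
          persist-credentials: false
          fetch-depth: 0                 # go-apidiff needs the base commit too
      # Untrusted code executes here (Makefile, go-apidiff). A hostile PR can
      # forge the verdict, but it cannot label PRs: this token is read-only.
      - env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          make go-version
          ./hack/semver-label.sh > semver-label.txt   # hypothetical wrapper around go-apidiff
          echo "$PR_NUMBER" > pr-number.txt
      - uses: actions/upload-artifact@<FULL_COMMIT_SHA> # v4  (placeholder sha)
        with:
          name: semver
          path: |
            semver-label.txt
            pr-number.txt
---
# label-pr.yaml: privileged, but never checks out or runs PR code.
name: label-pr
on:
  pull_request_target:   # zizmor: ignore[dangerous-triggers]  (assumed syntax; only actions/labeler runs, no checkout)
    types: [opened, synchronize, reopened]
  workflow_run:          # zizmor: ignore[dangerous-triggers]  (consumes an artifact, executes nothing untrusted)
    workflows: [semver]
    types: [completed]

permissions: {}

jobs:
  edits:
    if: github.event_name == 'pull_request_target'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/labeler@<FULL_COMMIT_SHA> # v5  (placeholder sha)

  semver-label:
    if: github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    permissions:
      actions: read                      # needed to download an artifact from another run
      pull-requests: write
    steps:
      - uses: actions/download-artifact@<FULL_COMMIT_SHA> # v4  (placeholder sha)
        with:
          name: semver
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      # The artifact was produced under PR control, so treat it as input, not truth:
      # only a digits-only PR number and an allow-listed label are accepted.
      - env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
        run: |
          set -eu
          pr="$(cat pr-number.txt)"
          case "$pr" in
            ''|*[!0-9]*) echo "bad PR number in artifact" >&2; exit 1 ;;
          esac
          label="$(tr -d '[:space:]' < semver-label.txt)"
          case "$label" in
            semver:patch|semver:minor|semver:major) ;;   # allow-list (names beyond semver:patch assumed)
            *) echo "unexpected label '$label'" >&2; exit 1 ;;
          esac
          gh pr edit "$pr" --add-label "$label"
```

The point the commit message makes is that the write-capable token only ever lives in a job that runs no PR-controlled code; the validation in the last step is the remaining caveat, since the artifact's contents are still chosen by the PR and should be constrained to the narrow set of values the privileged job is willing to act on.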

Run zizmor via the official zizmorcore/zizmor-action on pushes to main
and pull requests that modify workflow files. Results are uploaded as
SARIF to GitHub's Code Scanning / Security tab.
@github-actions github-actions bot added the semver:patch No API change label Mar 25, 2026
github-advanced-security bot commented:

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

eshulman2 (Contributor) commented:

LGTM

@mandre mandre enabled auto-merge March 25, 2026 15:49
@mandre mandre added this pull request to the merge queue Mar 25, 2026
Merged via the queue into k-orc:main with commit 2630c2e Mar 25, 2026
13 checks passed
@mandre mandre deleted the gha-fixes branch March 25, 2026 16:14