Set up Zizmor#70
Conversation
| env: | ||
| GH_TOKEN: ${{ github.token }} | ||
| VERSION: ${{ steps.version.outputs.version }} | ||
| MERGE_COMMIT_SHA: ${{ github.event.pull_request.merge_commit_sha }} | ||
| run: | | ||
| git tag "v${{ steps.version.outputs.version }}" | ||
| git push origin "v${{ steps.version.outputs.version }}" | ||
| gh api --method POST "repos/${GITHUB_REPOSITORY}/git/refs" \ | ||
| -f ref="refs/tags/v${VERSION}" \ | ||
| -f sha="${MERGE_COMMIT_SHA}" |
There was a problem hiding this comment.
Is this a change we need to make to keep zizmor happy?
There was a problem hiding this comment.
This is for Zizmor’s template-injection audit. GitHub expands ${{ ... }} inside run: before the shell sees the script, so attacker-controlled values like PR branch names can break out of quoting and inject shell. Passing them through env and then using quoted shell variables like "${VERSION}" is the mitigation Zizmor expects.
Some of these are lower-risk because they’re validated/derived values, but keeping GitHub expressions out of shell run: blocks is the consistent pattern and avoids the Zizmor findings coming back.
which feels legit conceptually even if low practical risk for the specific setup here
There was a problem hiding this comment.
Ah and the tagging change itself:
Zizmor wants actions/checkout to use
persist-credentials: false; once we do that,git push origin ...no longer has checkout-provided credentials.We could reintroduce credentials for Git manually, but using
gh apikeeps the token scoped to the specific command via GH_TOKEN and avoids writing credentials into the checkout/remote config. Functionally it’s equivalent here: the oldgit tag && git pushcreated a lightweight tag ref, and the API call creates/moves that same Git ref directly.So the gh change isn’t because Zizmor dislikes git tag; it’s the cleaner way to preserve the behavior after disabling persisted checkout credentials.
3 participants
Towards LIN-70000