Skip to content

Set up Zizmor #70

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
mwolting merged 1 commit into from
May 12, 2026
Merged

Set up Zizmor #70

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 13 additions & 5 deletions .github/workflows/auto-tag-release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,16 +17,18 @@ jobs:
contents: write
actions: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
ref: ${{ github.event.pull_request.merge_commit_sha }}
fetch-depth: 0
fetch-tags: true
persist-credentials: false

- name: Extract and validate version
id: version
env:
BRANCH: ${{ github.event.pull_request.head.ref }}
run: |
BRANCH="${{ github.event.pull_request.head.ref }}"
VERSION="${BRANCH#release/}"

if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then
Expand All @@ -48,12 +50,18 @@ jobs:
echo "version=$VERSION" >> "$GITHUB_OUTPUT"

- name: Create and push tag
env:
GH_TOKEN: ${{ github.token }}
VERSION: ${{ steps.version.outputs.version }}
MERGE_COMMIT_SHA: ${{ github.event.pull_request.merge_commit_sha }}
run: |
git tag "v${{ steps.version.outputs.version }}"
git push origin "v${{ steps.version.outputs.version }}"
gh api --method POST "repos/${GITHUB_REPOSITORY}/git/refs" \
-f ref="refs/tags/v${VERSION}" \
-f sha="${MERGE_COMMIT_SHA}"
Comment on lines +53 to +60
Copy link
Copy Markdown
Collaborator

@axelniklasson axelniklasson May 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this a change we need to make to keep zizmor happy?

Copy link
Copy Markdown
Contributor Author

@mwolting mwolting May 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is for Zizmor’s template-injection audit. GitHub expands ${{ ... }} inside run: before the shell sees the script, so attacker-controlled values like PR branch names can break out of quoting and inject shell. Passing them through env and then using quoted shell variables like "${VERSION}" is the mitigation Zizmor expects.

Some of these are lower-risk because they’re validated/derived values, but keeping GitHub expressions out of shell run: blocks is the consistent pattern and avoids the Zizmor findings coming back.

which feels legit conceptually even if low practical risk for the specific setup here

Copy link
Copy Markdown
Contributor Author

@mwolting mwolting May 12, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah and the tagging change itself:

Zizmor wants actions/checkout to use persist-credentials: false; once we do that, git push origin ... no longer has checkout-provided credentials.

We could reintroduce credentials for Git manually, but using gh api keeps the token scoped to the specific command via GH_TOKEN and avoids writing credentials into the checkout/remote config. Functionally it’s equivalent here: the old git tag && git push created a lightweight tag ref, and the API call creates/moves that same Git ref directly.

So the gh change isn’t because Zizmor dislikes git tag; it’s the cleaner way to preserve the behavior after disabling persisted checkout credentials.


- name: Trigger release workflow
env:
GH_TOKEN: ${{ github.token }}
VERSION: ${{ steps.version.outputs.version }}
run: |
gh workflow run release.yml --ref "v${{ steps.version.outputs.version }}"
gh workflow run release.yml --ref "v${VERSION}"
34 changes: 24 additions & 10 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,14 @@ on:
pull_request:
workflow_dispatch:

permissions: {}

jobs:
build:
name: Build executable for ${{ matrix.os }}-${{ matrix.arch }}
runs-on: ${{ matrix.os }}
permissions:
contents: read
strategy:
matrix:
include:
Expand All @@ -33,24 +37,27 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0 # Full history needed for git operations
persist-credentials: false

- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: "22.22"
package-manager-cache: false

- name: Setup pnpm
uses: pnpm/action-setup@v4
uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
with:
version: 10.22.0

- name: Setup Bun
uses: oven-sh/setup-bun@v2
uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
with:
bun-version: latest
no-cache: true

- name: Install dependencies
run: pnpm install
Expand Down Expand Up @@ -99,7 +106,7 @@ jobs:
rm ./bin/linear-release.zip

- name: Upload artifact
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: linear-release-${{ matrix.platform }}
path: bin/linear-release*
Expand All @@ -118,12 +125,13 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
persist-credentials: false

- name: Download all artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
path: ./artifacts

Expand Down Expand Up @@ -157,7 +165,7 @@ jobs:
ls -la ./release-files/

- name: Create Release
uses: softprops/action-gh-release@v2
uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
with:
tag_name: ${{ steps.tag.outputs.tag_name }}
name: Release ${{ steps.tag.outputs.tag_name }}
Expand All @@ -171,19 +179,25 @@ jobs:
label-release:
name: Label release with version
needs: release
permissions:
contents: read
uses: ./.github/workflows/run-linear-release.yml
with:
action: sync
name: Release ${{ needs.release.outputs.version_number }}
version: ${{ needs.release.outputs.tag_name }}
secrets: inherit
secrets:
LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY: ${{ secrets.LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY }}

complete-release:
name: Complete release
needs: [release, label-release]
permissions:
contents: read
uses: ./.github/workflows/run-linear-release.yml
with:
action: complete
name: Release ${{ needs.release.outputs.version_number }}
version: ${{ needs.release.outputs.tag_name }}
secrets: inherit
secrets:
LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY: ${{ secrets.LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY }}
9 changes: 7 additions & 2 deletions .github/workflows/run-linear-release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,9 @@ on:
description: "Release version"
required: false
type: string
secrets:
LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY:
required: true

workflow_dispatch:
inputs:
Expand Down Expand Up @@ -43,9 +46,10 @@ jobs:
if: inputs.action == 'sync'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
persist-credentials: false

- name: Download CLI
env:
Expand Down Expand Up @@ -73,9 +77,10 @@ jobs:
if: inputs.action == 'complete'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
persist-credentials: false

- name: Download CLI
env:
Expand Down
11 changes: 7 additions & 4 deletions .github/workflows/test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,13 +14,15 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false

- uses: actions/setup-node@v4
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: "22"

- uses: pnpm/action-setup@v4
- uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
with:
version: 10.22.0

Expand All @@ -41,4 +43,5 @@ jobs:
uses: ./.github/workflows/run-linear-release.yml
with:
action: sync
secrets: inherit
secrets:
LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY: ${{ secrets.LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY }}
32 changes: 32 additions & 0 deletions .github/workflows/zizmor.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
name: Static Analysis GH Actions (zizmor)

on:
push:
branches: ["main"]
pull_request:
branches: ["**"]
merge_group:

permissions: {}

jobs:
zizmor:
name: Run zizmor
runs-on: ubuntu-latest
permissions:
contents: read
actions: read
steps:
- name: Checkout repository
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
timeout-minutes: 2
with:
persist-credentials: false

- name: Run zizmor
uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
with:
inputs: .github/
min-severity: medium
advanced-security: false
version: v1.24.1
Loading