Commit 1d25252

brunoborges and Copilot authored
chore: Harden workflows: least-privilege permissions + zizmor integration (#1039)
* Harden workflows with least-privilege permissions and zizmor

Apply GitHub Actions security best practices to the action's own workflows and integrate zizmor to catch regressions.

- Add explicit least-privilege `permissions:` to every workflow (contents: read for read-only workflows; default-deny `{}` with job-scoped grants for codeql, publish-immutable-actions and update-config-files).
- Set `persist-credentials: false` on all checkout steps that don't need the GITHUB_TOKEN afterwards.
- Move `${{ ... }}` expansions out of `run:` blocks into `env:` vars to avoid template injection.
- Pin the alpine container image (alpine:latest -> alpine:3.21).
- Add a zizmor CI workflow that uploads SARIF to code scanning, plus a `.github/zizmor.yml` pinning policy (ref-pin for actions/* and github/*, hash-pin for third-party actions).

zizmor now reports no findings (offline and online).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Fix indentation of if: in zizmor SARIF upload step

The `if:` key on the "Upload SARIF results to code scanning" step had no indentation, producing invalid YAML ("Nested mappings are not allowed in compact mappings"). This broke `npm run format-check` (prettier) in Basic validation. Indent `if:` to 8 spaces so it nests under the step alongside uses/with.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
1 parent 668c1ea commit 1d25252

13 files changed

Lines changed: 215 additions & 19 deletions

.github/workflows/basic-validation.yml

Lines changed: 3 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -11,6 +11,9 @@ on:
1111
paths-ignore:
1212
- '**.md'
1313

14+
permissions:
15+
contents: read
16+
1417
jobs:
1518
call-basic-validation:
1619
name: Basic validation
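Review bot: The top-level `contents: read` added here also caps whatever the `call-basic-validation` job invokes; if that job calls a reusable workflow, the called workflow cannot obtain more than this grant, so confirm it only needs to read the repository, otherwise it will now fail at the token-permission check instead of running as before.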

.github/workflows/check-dist.yml

Lines changed: 3 additions & 0 deletions
@@ -11,6 +11,9 @@ on:
1111
- '**.md'
1212
workflow_dispatch:
1313

14+
permissions:
15+
contents: read
16+
1417
jobs:
1518
call-check-dist:
1619
name: Check dist/

.github/workflows/codeql-analysis.yml

Lines changed: 2 additions & 0 deletions
@@ -8,6 +8,8 @@ on:
88
schedule:
99
- cron: '0 3 * * 0'
1010

11+
permissions: {}
12+
1113
jobs:
1214
call-codeQL-analysis:
1315
permissions:
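Review bot: With top-level `permissions: {}` every default grant is dropped, so the job-level `permissions:` block under `call-codeQL-analysis` (cut off at the end of this hunk) must explicitly carry `security-events: write` for the SARIF upload and `contents: read` for checkout (plus `actions: read` on private repositories); please confirm those entries are present, since an empty or partial block would make the upload step fail with a permission error rather than surface as a missing scan.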

.github/workflows/e2e-cache-dependency-path.yml

Lines changed: 9 additions & 0 deletions
@@ -11,6 +11,9 @@ on:
1111
paths-ignore:
1212
- '**.md'
1313

14+
permissions:
15+
contents: read
16+
1417
defaults:
1518
run:
1619
shell: bash
@@ -25,6 +28,8 @@ jobs:
2528
steps:
2629
- name: Checkout
2730
uses: actions/checkout@v7
31+
with:
32+
persist-credentials: false
2833
- name: Run setup-java with the cache for gradle
2934
uses: ./
3035
id: setup-java
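Review bot: `persist-credentials: false` only stops checkout from writing the token into `.git/config` as an `http.extraheader`; `${{ secrets.GITHUB_TOKEN }}` and `github.token` remain available to later steps, so this closes a git-level credential leak but does not shrink what a compromised later step can do with the token itself. The following `uses: ./` step runs the action from the checked-out tree and needs no git credentials, so the change is safe for this job, and the same reasoning covers the other Checkout steps in this file.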
@@ -52,6 +57,8 @@ jobs:
5257
steps:
5358
- name: Checkout
5459
uses: actions/checkout@v7
60+
with:
61+
persist-credentials: false
5562
- name: Run setup-java with the cache for gradle
5663
uses: ./
5764
id: setup-java
@@ -77,6 +84,8 @@ jobs:
7784
steps:
7885
- name: Checkout
7986
uses: actions/checkout@v7
87+
with:
88+
persist-credentials: false
8089
- name: Run setup-java with the cache for gradle
8190
uses: ./
8291
id: setup-java

.github/workflows/e2e-cache.yml

Lines changed: 15 additions & 0 deletions
@@ -11,6 +11,9 @@ on:
1111
paths-ignore:
1212
- '**.md'
1313

14+
permissions:
15+
contents: read
16+
1417
defaults:
1518
run:
1619
shell: bash
@@ -25,6 +28,8 @@ jobs:
2528
steps:
2629
- name: Checkout
2730
uses: actions/checkout@v7
31+
with:
32+
persist-credentials: false
2833
- name: Run setup-java with the cache for gradle
2934
uses: ./
3035
id: setup-java
@@ -51,6 +56,8 @@ jobs:
5156
steps:
5257
- name: Checkout
5358
uses: actions/checkout@v7
59+
with:
60+
persist-credentials: false
5461
- name: Run setup-java with the cache for gradle
5562
uses: ./
5663
id: setup-java
@@ -74,6 +81,8 @@ jobs:
7481
steps:
7582
- name: Checkout
7683
uses: actions/checkout@v7
84+
with:
85+
persist-credentials: false
7786
- name: Run setup-java with the cache for maven
7887
uses: ./
7988
id: setup-java
@@ -98,6 +107,8 @@ jobs:
98107
steps:
99108
- name: Checkout
100109
uses: actions/checkout@v7
110+
with:
111+
persist-credentials: false
101112
- name: Run setup-java with the cache for maven
102113
uses: ./
103114
id: setup-java
@@ -125,6 +136,8 @@ jobs:
125136
steps:
126137
- name: Checkout
127138
uses: actions/checkout@v7
139+
with:
140+
persist-credentials: false
128141
- name: Run setup-java with the cache for sbt
129142
uses: ./
130143
id: setup-java
@@ -175,6 +188,8 @@ jobs:
175188
steps:
176189
- name: Checkout
177190
uses: actions/checkout@v7
191+
with:
192+
persist-credentials: false
178193
- name: Run setup-java with the cache for sbt
179194
uses: ./
180195
id: setup-java

.github/workflows/e2e-local-file.yml

Lines changed: 18 additions & 3 deletions
@@ -11,6 +11,9 @@ on:
1111
paths-ignore:
1212
- '**.md'
1313

14+
permissions:
15+
contents: read
16+
1417
jobs:
1518
setup-java-local-file-adopt:
1619
name: Validate installation from local file Adopt
@@ -22,6 +25,8 @@ jobs:
2225
steps:
2326
- name: Checkout
2427
uses: actions/checkout@v7
28+
with:
29+
persist-credentials: false
2530
- name: Download Adopt OpenJDK file
2631
run: |
2732
if ($IsLinux) {
@@ -46,7 +51,9 @@ jobs:
4651
java-version: '11.0.0-ea'
4752
architecture: x64
4853
- name: Verify Java version
49-
run: bash __tests__/verify-java.sh "11.0.10" "${{ steps.setup-java.outputs.path }}"
54+
env:
55+
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
56+
run: bash __tests__/verify-java.sh "11.0.10" "$JAVA_PATH"
5057
shell: bash
5158

5259
setup-java-local-file-zulu:
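Review bot: Moving `steps.setup-java.outputs.path` into `env.JAVA_PATH` and quoting it as `"$JAVA_PATH"` is the right shape: the value now reaches bash as data instead of being substituted into the script text before parsing, so a path containing quotes or `$(...)` can no longer change the command. Because the output comes from the local action under test (`uses: ./`), the practical exposure here was low, but the pattern keeps zizmor's template-injection check clean; keep the double quotes, as an unquoted `$JAVA_PATH` would reintroduce word splitting.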
@@ -59,6 +66,8 @@ jobs:
5966
steps:
6067
- name: Checkout
6168
uses: actions/checkout@v7
69+
with:
70+
persist-credentials: false
6271
- name: Download Zulu OpenJDK file
6372
run: |
6473
if ($IsLinux) {
@@ -83,7 +92,9 @@ jobs:
8392
java-version: '11.0.0-ea'
8493
architecture: x64
8594
- name: Verify Java version
86-
run: bash __tests__/verify-java.sh "11.0" "${{ steps.setup-java.outputs.path }}"
95+
env:
96+
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
97+
run: bash __tests__/verify-java.sh "11.0" "$JAVA_PATH"
8798
shell: bash
8899

89100
setup-java-local-file-temurin:
@@ -96,6 +107,8 @@ jobs:
96107
steps:
97108
- name: Checkout
98109
uses: actions/checkout@v7
110+
with:
111+
persist-credentials: false
99112
- name: Download Eclipse Temurin file
100113
run: |
101114
if ($IsLinux) {
@@ -120,5 +133,7 @@ jobs:
120133
java-version: '11.0.0-ea'
121134
architecture: x64
122135
- name: Verify Java version
123-
run: bash __tests__/verify-java.sh "11.0.12" "${{ steps.setup-java.outputs.path }}"
136+
env:
137+
JAVA_PATH: ${{ steps.setup-java.outputs.path }}
138+
run: bash __tests__/verify-java.sh "11.0.12" "$JAVA_PATH"
124139
shell: bash
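Review bot: This is the third identical rewrite of the "Verify Java version" step in this file, differing only in the expected version literal ("11.0.10", "11.0", "11.0.12"); a follow-up could fold the three jobs into a matrix with the expected version as a field so the `env:`/`run:` pattern is maintained in one place instead of three.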

.github/workflows/e2e-publishing.yml

Lines changed: 11 additions & 0 deletions
@@ -11,6 +11,9 @@ on:
1111
paths-ignore:
1212
- '**.md'
1313

14+
permissions:
15+
contents: read
16+
1417
defaults:
1518
run:
1619
shell: pwsh
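Review bot: This file sets `defaults.run.shell: pwsh`, so the rule the commit applies to bash `run:` blocks holds here too: any `${{ ... }}` left inside a PowerShell script should be moved into `env:` and read as `$env:NAME`, since pwsh has its own quoting and `$( )` subexpression syntax that an interpolated value could hit. The hunks in this file only add permissions and `persist-credentials: false`, and the visible "Create fake settings.xml" lines use `$HOME` via `Join-Path` rather than a template expansion, so please confirm no other `run:` step in this workflow still expands `${{ }}` inline.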
@@ -26,6 +29,8 @@ jobs:
2629
steps:
2730
- name: Checkout
2831
uses: actions/checkout@v7
32+
with:
33+
persist-credentials: false
2934
- name: setup-java
3035
uses: ./
3136
id: setup-java
@@ -61,6 +66,8 @@ jobs:
6166
steps:
6267
- name: Checkout
6368
uses: actions/checkout@v7
69+
with:
70+
persist-credentials: false
6471
- name: Create fake settings.xml
6572
run: |
6673
$xmlDirectory = Join-Path $HOME ".m2"
@@ -97,6 +104,8 @@ jobs:
97104
steps:
98105
- name: Checkout
99106
uses: actions/checkout@v7
107+
with:
108+
persist-credentials: false
100109
- name: Create fake settings.xml
101110
run: |
102111
$xmlDirectory = Join-Path $HOME ".m2"
@@ -134,6 +143,8 @@ jobs:
134143
steps:
135144
- name: Checkout
136145
uses: actions/checkout@v7
146+
with:
147+
persist-credentials: false
137148
- name: setup-java
138149
uses: ./
139150
id: setup-java
