Harden GitHub Actions workflows #377

ericcornelissen · 2024-11-23T10:53:10Z

Summary

Update all GitHub Actions workflows following an analysis by zizmor. In particular, this avoids persisting git credentials when the job does not need it (which I believe is all jobs).

Zizmor did have one more concern - overly permissive permissions: read-all - but this was not addressed because I think this is okay, the project is entirely open so I don't see a risk of an attacker reading anything.

Interestingly, this was already the case for the website.yml workflow since #173.

Update all GitHub Actions workflows following an analysis by zizmor (https://github.com/woodruffw/zizmor). In particular, this avoids persisting git credentials when the job does not need it (which I believe is all jobs). Zizmor did have one more concern - overly permissive `permissions: read-all` - but this was not addressed because I think this is okay, the project is entirely open so I don't see a risk of an attacker reading anything. Signed-off-by: Eric Cornelissen <ericornelissen@gmail.com>

ericcornelissen added ci/cd Relates to ci/cd security Relates to security labels Nov 23, 2024

ericcornelissen force-pushed the harden-ghaw branch from 754e9fe to 3e36bfe Compare November 24, 2024 21:01

ericcornelissen enabled auto-merge (rebase) November 24, 2024 21:01

ericcornelissen merged commit c4594c3 into main Nov 24, 2024
19 checks passed

ericcornelissen deleted the harden-ghaw branch November 24, 2024 21:04

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Harden GitHub Actions workflows #377

Harden GitHub Actions workflows #377

ericcornelissen commented Nov 23, 2024

Harden GitHub Actions workflows #377

Harden GitHub Actions workflows #377

Conversation

ericcornelissen commented Nov 23, 2024

Summary