Open
Conversation
Run zizmor --fix=all to auto-fix security findings:
- Add persist-credentials: false to all actions/checkout steps (artipacked)
- Replace ${{ }} in run: blocks with shell env vars (template-injection)
- Disable setup-go cache on schedule-triggered workflow (cache-poisoning)
Add zizmor workflow that runs on pushes to main and PRs, uploading SARIF results to GitHub Advanced Security.
Scope permissions to job level instead of workflow level: - Move checks: write from workflow level to linting job in ci.yaml - Add permissions: contents: read to goclean.yml - Add permissions: contents: read to kind-e2e.yaml jobs
tekton-robot
added
the
size/M
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
Member
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jkhelil The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes
Run zizmor v1.23.1, a static analysis tool for GitHub Actions, to identify and fix security issues in this repository's workflows, and add it as a CI check.
Fixes #1599
Commit 1: Auto-fix findings (
zizmor --fix=all)persist-credentials: falseon allactions/checkoutsteps to prevent credential leakage via artifacts(artipacked)
${{ }}expressions out ofrun:blocks intoenv:mappings to prevent template injection(template-injection)
setup-goingoclean.ymlsince it runs on a schedule trigger(cache-poisoning)
Commit 2: Add zizmor CI workflow
.github/workflows/zizmor.yamlruns on pushes to main and PRsCommit 3: Manually fix remaining findings
checks: writefrom workflow-level to thelintingjob inci.yaml— only job that needs it for golangci-lint annotations(excessive-permissions)
permissions: contents: readtogoclean.ymland both jobs inkind-e2e.yaml(excessive-permissions)
Findings summary:
Remaining findings (require follow-up issues):
secrets-inheritchatops_retest.yaml,slash.ymltektoncd/plumbingreusable workflows — needs cross-repo coordinationsecrets-outside-envgo-coverage.yml/kind cleanup
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
Release Notes