
fix: harden GitHub Actions workflows #57

Merged
Bradley Farias (bmeck) merged 2 commits into master from fix/zizmor-workflow-security
Mar 25, 2026

Conversation


@reberhardt7 Ryan Eberhardt (reberhardt7) commented Mar 25, 2026

Summary

  • Fix template injection: Replace direct ${{ github.ref }} interpolation in run: blocks with an environment variable to prevent script injection attacks
  • Pin actions to SHAs: Pin actions/checkout, actions/setup-node, HaaLeo/publish-vscode-extension, and softprops/action-gh-release to full-length commit SHAs instead of mutable tags
  • Add permissions: Add explicit permissions: contents: write to the publish workflow and persist-credentials: false to the checkout step
  • Add zizmor config: Add .github/zizmor.yml configuration file for the zizmor GitHub Actions security linter
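The four hardening changes listed above, shown side by side in one workflow. This is an added illustration, not the repository's actual publish workflow: the job names, the `node-version` value and the `echo` step are assumptions, and the `<sha-of-...>` strings are placeholders for the full 40-character commit SHA that the named tag resolves to (look it up in the action's repository before pinning).

```yaml
# Added example, not this repository's workflow file.
name: publish
on:
  push:
    tags: ['v*']

jobs:
  # BEFORE: kept only for comparison and never scheduled (if: false).
  # The expression is substituted into the script text before the shell
  # parses it, so any shell metacharacters in the ref value become part of
  # the command. The mutable tag also means the action's code can change
  # underneath the workflow without any edit to this file.
  publish-before:
    if: false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - run: echo "Publishing ${{ github.ref }}"

  # AFTER: the hardened form this PR describes.
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write          # explicit least privilege: enough to create a release, nothing else
    steps:
      - uses: actions/checkout@<sha-of-v6.0.2> # v6.0.2  (placeholder: replace with the tag's commit SHA)
        with:
          persist-credentials: false   # don't leave the job token in .git/config for later steps
      - uses: actions/setup-node@<sha-of-v4.4.0> # v4.4.0  (placeholder: replace with the tag's commit SHA)
        with:
          node-version: 20             # assumed value
      - name: Publish
        env:
          REF: ${{ github.ref }}       # the value arrives as an environment variable ...
        run: echo "Publishing $REF"    # ... and the shell treats "$REF" as data, not as code
```

The version comment after each pinned SHA is what tools such as Dependabot and zizmor read to keep the pin human-readable and updatable; the SHA is what the runner actually fetches.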

- Fix template injection vulnerability by using environment variables
  instead of direct interpolation of github.ref
- Pin all third-party actions to full-length commit SHAs
- Add explicit permissions (contents: write) to publish workflow
- Add persist-credentials: false to checkout step
- Add zizmor.yml configuration file

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…zmor finding

Update actions/checkout to v6.0.2 and actions/setup-node to v4.4.0
with pinned SHAs. Suppress false positive cache-poisoning finding for
setup-node in publish.yml (caching is not enabled without explicit
cache: config).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
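The second commit suppresses a cache-poisoning finding that zizmor reports for the `actions/setup-node` step in `publish.yml`. The configuration below is an added example, not the repository's `.github/zizmor.yml`; it uses zizmor's `rules`/`ignore` layout as I know it from the tool's documentation, and `NN` is a placeholder for the line of the `setup-node` step.

```yaml
# .github/zizmor.yml -- added example, not the repository's own file.
# An ignore entry can name a whole file, a file:line, or a file:line:column,
# so the suppression is scoped to the one step the author judged a false
# positive (no cache: input means setup-node does not enable caching) rather
# than silencing the audit for every workflow.
rules:
  cache-poisoning:
    ignore:
      - publish.yml:NN   # placeholder: the line of the actions/setup-node step
```

Running `zizmor .github/workflows/` from the repository root picks the file up automatically; keeping each ignore scoped to a file and line means a later edit that does enable caching on that step will move the finding off the ignored line and surface it again.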
@reberhardt7 Ryan Eberhardt (reberhardt7) changed the title from "fix: harden GitHub Actions workflows (zizmor)" to "fix: harden GitHub Actions workflows" on Mar 25, 2026
@bmeck Bradley Farias (bmeck) merged commit 4410475 into master Mar 25, 2026
10 checks passed
@bmeck Bradley Farias (bmeck) deleted the fix/zizmor-workflow-security branch March 25, 2026 11:29
