fix: resolve zizmor pedantic findings#710
Conversation
CRAP Load AnalysisNo Go code changes detected in this PR. No CRAP impact. |
8f23a51 to
85bc193
Compare
- Harden ci_dependencies.yml against template injection: move PR number and repository to env vars, sanitize dep name/version with tr, validate comment ID as integer, pass jq marker via --arg - Add persist-credentials: false to release.yml preflight checkout with a separate git credential step to keep tokens out of artifacts - Scope pull-requests: write in ci_crapload.yml to the post-comment job only (was workflow-level) - Replace peter-evans/create-or-update-comment with gh CLI in ci_dependencies.yml to drop a third-party action - Document every permissions entry with inline comments across all 13 workflow files (22 previously undocumented) - Add concurrency groups to 10 workflows; disable cancel-in-progress for behavioral_assessment (SARIF uploads), ci_sonarcloud (coverage pipeline), and ci_dependencies (auto-merge protection) - Name 5 anonymous jobs: Buf Lint, Unit Tests, End-to-End Tests, Integration Tests, Behavioral Assessment - Update REQUIRED_CHECKS in release.yml to match new job name: values (Unit Tests, End-to-End Tests, Integration Tests); old job-key strings would have blocked every release - Grant contents: read to ci_sonarcloud generate-coverage job, which inherited contents: none from the workflow level and could not check out code zizmor --pedantic now reports zero findings across all 13 workflows. Fixes: #708 Assisted-by: Claude Sonnet 4.6 Signed-off-by: Trevor Vaughan <tvaughan@redhat.com>
85bc193 to
1dc1148
Compare
marcusburghardt
left a comment
There was a problem hiding this comment.
Scope and Process Concerns
The zizmor hardening techniques in this PR are technically sound, but the PR modifies files that belong to different repositories and different work streams, which creates process issues that need to be resolved before merge.
1. Synchronized consumer workflows must be changed in org-infra first
7 of the 14 changed files are org-infra synchronized consumer workflows (ci_checks, ci_compliance, ci_crapload, ci_dependencies, ci_scheduled, ci_security, ci_sonarcloud). These files are copies of org-infra's canonical versions.
The constitution states:
"Changes to shared infrastructure MUST be proposed in org-infra first."
Modifying them here creates drift with org-infra and all other consuming repositories. The correct flow is: propose changes in org-infra → merge → sync to all repos.
2. release.yml is superseded by #699
org-infra PR #394 (reusable release preflight + GoReleaser workflows) merged on 2026-07-07. Every hardening pattern in this PR's release.yml changes (persist-credentials: false, credential injection, permission docs) already exists in the reusable workflows. Additionally, the reusable workflows solve known bugs (#654, #655) that this PR does not address.
Issue #699 is the tracked work item for adopting those reusable workflows. Changes to the local release.yml should go through that adoption path, not through incremental patching.
3. peter-evans/create-or-update-comment replacement needs its own discussion
Replacing a third-party action with inline shell is an opinionated architectural decision that deserves focused review on its own merits, not bundled into a zizmor remediation PR. See the inline comment for the detailed risk assessment.
4. PR description inaccuracies
- "Name 5 anonymous jobs" — only 2 are newly named (
Buf Lint,Behavioral Assessment). The unit-test, e2e-test, and integration-test jobs intentionally do not receivename:overrides. - "Update REQUIRED_CHECKS in release.yml" — the array is identical in both the PR branch and main.
- "Fixes: #708" — #708 is PR #708 (emoji status indicators), not an issue about zizmor findings.
What can proceed in complyctl
The 5 repo-specific workflow changes (behavioral_assessment, ci_cross_repo_integration, e2e_test, integration_test, unit_test) are legitimate and can be submitted as a focused PR against complyctl.
Suggested split
| Scope | Where |
|---|---|
| Consumer workflow hardening (concurrency, permission docs, scoping) | PR against org-infra, then sync |
| peter-evans replacement discussion | Dedicated PR against org-infra |
| release.yml hardening | Adopt reusable release workflows via #699 |
| Repo-specific workflows (concurrency, permission docs, job naming) | PR against complyctl (5 files only) |
Makefile -mod=vendor |
Separate commit (unrelated to zizmor) |
This review was generated by /review-pr (AI-assisted).
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: true | ||
|
|
||
| permissions: |
There was a problem hiding this comment.
This file is synchronized from org-infra. On main, it is a copy of org-infra/.github/workflows/ci_checks.yml. The same applies to ci_compliance, ci_crapload, ci_dependencies, ci_scheduled, ci_security, and ci_sonarcloud.
These changes (concurrency groups, permission comments) should be proposed in org-infra first, then synced to all consuming repositories. Modifying them here creates drift that the next sync will overwrite or conflict with.
| env: | ||
| GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | ||
| PR_NUMBER: "${{ github.event.pull_request.number }}" | ||
| GH_REPO: "${{ github.repository }}" |
There was a problem hiding this comment.
This replacement was not triggered by a zizmor finding. The action is used in a with: context (not run:), so template-injection does not apply. The action is correctly SHA-pinned, so unpinned-uses does not apply either.
Risk assessment of the existing dependency:
- 926 stars, 158 forks, actively maintained (last push: 2026-07-01)
- 0 known CVEs, 0 security advisories
- 2 runtime dependencies, both GitHub-owned (
@actions/core,@actions/github) - SHA pin
e8674b07...verified to match v5.0.0 tag exactly - Even if compromised, job permissions limit it to
issues: read+pull-requests: write(cannot access secrets, contents, or other scopes)
Cost of replacing it:
- Step grows from 31 to 78 lines (2.5x)
- Introduces new maintenance surface: marker-based comment lookup, comment ID integer validation,
tr -cdinput sanitization, conditional display logic — all now owned by org-infra - The action handled edge cases (body truncation at 65,536 chars, API error messages) that the replacement does not replicate
with:inputs are evaluated by GitHub's expression engine, not a shell, so the sanitization the replacement adds (tr -cd) solves a problem that didn't exist in the original
If there is a policy decision to minimize third-party actions regardless of risk profile, that's valid — but it should be discussed in a dedicated PR where reviewers can focus on the tradeoff rather than having it bundled with 13 other file changes.
|
|
||
| - name: Configure git credentials | ||
| # Explicitly inject the GITHUB_TOKEN into the remote URL so that | ||
| # git push and git ls-remote can authenticate without storing the |
There was a problem hiding this comment.
org-infra's reusable release workflows (reusable_release_preflight.yml line 86, reusable_release_goreleaser.yml line 51) already use persist-credentials: false. The consumer release.yml in org-infra itself also uses it (line 61) with a git config --local url...insteadOf credential pattern.
Issue #699 tracks adopting these reusable workflows, and the blocking dependency (org-infra PR #394) merged on 2026-07-07. These local release.yml changes will be superseded by #699 adoption.
|
Closing this PR in favor of complytime/org-infra#415 and complytime/org-infra#256 |
and repository to env vars, sanitize dep name/version with tr, validate
comment ID as integer, pass jq marker via --arg
a separate git credential step to keep tokens out of artifacts
only (was workflow-level)
ci_dependencies.yml to drop a third-party action
workflow files (22 previously undocumented)
behavioral_assessment (SARIF uploads), ci_sonarcloud (coverage pipeline),
and ci_dependencies (auto-merge protection)
Integration Tests, Behavioral Assessment
(Unit Tests, End-to-End Tests, Integration Tests); old job-key strings
would have blocked every release
inherited contents: none from the workflow level and could not check
out code
zizmor --pedantic now reports zero findings across all 13 workflows.
Fixes: #705
Assisted-by: Claude Sonnet 4.6
Signed-off-by: Trevor Vaughan tvaughan@redhat.com