Skip to content

fix: resolve zizmor pedantic findings#710

Closed
trevor-vaughan wants to merge 1 commit into
mainfrom
fix/708-zizmor
Closed

fix: resolve zizmor pedantic findings#710
trevor-vaughan wants to merge 1 commit into
mainfrom
fix/708-zizmor

Conversation

@trevor-vaughan

@trevor-vaughan trevor-vaughan commented Jul 9, 2026

Copy link
Copy Markdown
Member
  • Harden ci_dependencies.yml against template injection: move PR number
    and repository to env vars, sanitize dep name/version with tr, validate
    comment ID as integer, pass jq marker via --arg
  • Add persist-credentials: false to release.yml preflight checkout with
    a separate git credential step to keep tokens out of artifacts
  • Scope pull-requests: write in ci_crapload.yml to the post-comment job
    only (was workflow-level)
  • Replace peter-evans/create-or-update-comment with gh CLI in
    ci_dependencies.yml to drop a third-party action
  • Document every permissions entry with inline comments across all 13
    workflow files (22 previously undocumented)
  • Add concurrency groups to 10 workflows; disable cancel-in-progress for
    behavioral_assessment (SARIF uploads), ci_sonarcloud (coverage pipeline),
    and ci_dependencies (auto-merge protection)
  • Name 5 anonymous jobs: Buf Lint, Unit Tests, End-to-End Tests,
    Integration Tests, Behavioral Assessment
  • Update REQUIRED_CHECKS in release.yml to match new job name: values
    (Unit Tests, End-to-End Tests, Integration Tests); old job-key strings
    would have blocked every release
  • Grant contents: read to ci_sonarcloud generate-coverage job, which
    inherited contents: none from the workflow level and could not check
    out code

zizmor --pedantic now reports zero findings across all 13 workflows.

Fixes: #705

Assisted-by: Claude Sonnet 4.6
Signed-off-by: Trevor Vaughan tvaughan@redhat.com

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

CRAP Load Analysis

No Go code changes detected in this PR. No CRAP impact.

- Harden ci_dependencies.yml against template injection: move PR number
  and repository to env vars, sanitize dep name/version with tr, validate
  comment ID as integer, pass jq marker via --arg
- Add persist-credentials: false to release.yml preflight checkout with
  a separate git credential step to keep tokens out of artifacts
- Scope pull-requests: write in ci_crapload.yml to the post-comment job
  only (was workflow-level)
- Replace peter-evans/create-or-update-comment with gh CLI in
  ci_dependencies.yml to drop a third-party action
- Document every permissions entry with inline comments across all 13
  workflow files (22 previously undocumented)
- Add concurrency groups to 10 workflows; disable cancel-in-progress for
  behavioral_assessment (SARIF uploads), ci_sonarcloud (coverage pipeline),
  and ci_dependencies (auto-merge protection)
- Name 5 anonymous jobs: Buf Lint, Unit Tests, End-to-End Tests,
  Integration Tests, Behavioral Assessment
- Update REQUIRED_CHECKS in release.yml to match new job name: values
  (Unit Tests, End-to-End Tests, Integration Tests); old job-key strings
  would have blocked every release
- Grant contents: read to ci_sonarcloud generate-coverage job, which
  inherited contents: none from the workflow level and could not check
  out code

zizmor --pedantic now reports zero findings across all 13 workflows.

Fixes: #708

Assisted-by: Claude Sonnet 4.6
Signed-off-by: Trevor Vaughan <tvaughan@redhat.com>
@trevor-vaughan trevor-vaughan marked this pull request as ready for review July 9, 2026 22:07
@trevor-vaughan trevor-vaughan requested a review from a team as a code owner July 9, 2026 22:07

@marcusburghardt marcusburghardt left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Scope and Process Concerns

The zizmor hardening techniques in this PR are technically sound, but the PR modifies files that belong to different repositories and different work streams, which creates process issues that need to be resolved before merge.

1. Synchronized consumer workflows must be changed in org-infra first

7 of the 14 changed files are org-infra synchronized consumer workflows (ci_checks, ci_compliance, ci_crapload, ci_dependencies, ci_scheduled, ci_security, ci_sonarcloud). These files are copies of org-infra's canonical versions.

The constitution states:

"Changes to shared infrastructure MUST be proposed in org-infra first."

Modifying them here creates drift with org-infra and all other consuming repositories. The correct flow is: propose changes in org-infra → merge → sync to all repos.

2. release.yml is superseded by #699

org-infra PR #394 (reusable release preflight + GoReleaser workflows) merged on 2026-07-07. Every hardening pattern in this PR's release.yml changes (persist-credentials: false, credential injection, permission docs) already exists in the reusable workflows. Additionally, the reusable workflows solve known bugs (#654, #655) that this PR does not address.

Issue #699 is the tracked work item for adopting those reusable workflows. Changes to the local release.yml should go through that adoption path, not through incremental patching.

3. peter-evans/create-or-update-comment replacement needs its own discussion

Replacing a third-party action with inline shell is an opinionated architectural decision that deserves focused review on its own merits, not bundled into a zizmor remediation PR. See the inline comment for the detailed risk assessment.

4. PR description inaccuracies

  • "Name 5 anonymous jobs" — only 2 are newly named (Buf Lint, Behavioral Assessment). The unit-test, e2e-test, and integration-test jobs intentionally do not receive name: overrides.
  • "Update REQUIRED_CHECKS in release.yml" — the array is identical in both the PR branch and main.
  • "Fixes: #708" — #708 is PR #708 (emoji status indicators), not an issue about zizmor findings.

What can proceed in complyctl

The 5 repo-specific workflow changes (behavioral_assessment, ci_cross_repo_integration, e2e_test, integration_test, unit_test) are legitimate and can be submitted as a focused PR against complyctl.

Suggested split

Scope Where
Consumer workflow hardening (concurrency, permission docs, scoping) PR against org-infra, then sync
peter-evans replacement discussion Dedicated PR against org-infra
release.yml hardening Adopt reusable release workflows via #699
Repo-specific workflows (concurrency, permission docs, job naming) PR against complyctl (5 files only)
Makefile -mod=vendor Separate commit (unrelated to zizmor)

This review was generated by /review-pr (AI-assisted).

group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file is synchronized from org-infra. On main, it is a copy of org-infra/.github/workflows/ci_checks.yml. The same applies to ci_compliance, ci_crapload, ci_dependencies, ci_scheduled, ci_security, and ci_sonarcloud.

These changes (concurrency groups, permission comments) should be proposed in org-infra first, then synced to all consuming repositories. Modifying them here creates drift that the next sync will overwrite or conflict with.

env:
GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
PR_NUMBER: "${{ github.event.pull_request.number }}"
GH_REPO: "${{ github.repository }}"

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This replacement was not triggered by a zizmor finding. The action is used in a with: context (not run:), so template-injection does not apply. The action is correctly SHA-pinned, so unpinned-uses does not apply either.

Risk assessment of the existing dependency:

  • 926 stars, 158 forks, actively maintained (last push: 2026-07-01)
  • 0 known CVEs, 0 security advisories
  • 2 runtime dependencies, both GitHub-owned (@actions/core, @actions/github)
  • SHA pin e8674b07... verified to match v5.0.0 tag exactly
  • Even if compromised, job permissions limit it to issues: read + pull-requests: write (cannot access secrets, contents, or other scopes)

Cost of replacing it:

  • Step grows from 31 to 78 lines (2.5x)
  • Introduces new maintenance surface: marker-based comment lookup, comment ID integer validation, tr -cd input sanitization, conditional display logic — all now owned by org-infra
  • The action handled edge cases (body truncation at 65,536 chars, API error messages) that the replacement does not replicate
  • with: inputs are evaluated by GitHub's expression engine, not a shell, so the sanitization the replacement adds (tr -cd) solves a problem that didn't exist in the original

If there is a policy decision to minimize third-party actions regardless of risk profile, that's valid — but it should be discussed in a dedicated PR where reviewers can focus on the tradeoff rather than having it bundled with 13 other file changes.


- name: Configure git credentials
# Explicitly inject the GITHUB_TOKEN into the remote URL so that
# git push and git ls-remote can authenticate without storing the

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

org-infra's reusable release workflows (reusable_release_preflight.yml line 86, reusable_release_goreleaser.yml line 51) already use persist-credentials: false. The consumer release.yml in org-infra itself also uses it (line 61) with a git config --local url...insteadOf credential pattern.

Issue #699 tracks adopting these reusable workflows, and the blocking dependency (org-infra PR #394) merged on 2026-07-07. These local release.yml changes will be superseded by #699 adoption.

@trevor-vaughan

Copy link
Copy Markdown
Member Author

Closing this PR in favor of complytime/org-infra#415 and complytime/org-infra#256

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

bug: zizmor GitHub Actions linter reports 35 errors on main

2 participants