
CI: Adopt reusable workflows, fix zizmor findings #169

Merged: tykeal merged 1 commit into lfreleng-actions:main from
modeseven-lfreleng-actions:fix/security-findings-zizmor on Jun 30, 2026

Conversation

@ModeSevenIndustrialSolutions

Collaborator

Summary

Migrates the build/test and release pipelines to the reusable multi-arch
Python workflows from
lfreleng-actions/python-workflows
(pinned to the v0.1.1 release commit 4f48e1c), and clears the
outstanding zizmor security findings reported against the repository.

Workflow migration

  • build-test.yaml → thin caller of
    build-test-multiarch.yaml.
  • build-test-release.yaml → thin caller of
    build-test-release-multiarch.yaml, with the test-pypi / pypi
    publish jobs kept in this repository (publishing credentials are
    repository-scoped). The reusable release job builds, tests, audits,
    scans, attaches artefacts and promotes the draft release; the publish
    jobs upload the run-scoped dist-* artefacts it produces.
  • Native NSS/NSPR prerequisites are supplied through the committed
    .github/scripts/setup-nss.sh, consumed via the reusable workflow's
    setup_script input (plus make / make_args for the source build).
    This matches the canonical wiring used by
    python-workflows/.github/workflows/testing.yaml.
  • Existing token-based publishing (TEST_PYPI_CREDENTIAL /
    PYPI_CREDENTIAL) and the development / production environments
    are preserved — no PyPI trusted-publisher reconfiguration required.

Net change: +102 / −1721 lines.

Security findings (zizmor)

| Severity | Audit | Location | Resolution |
|---|---|---|---|
| High | excessive-permissions | build-test.yaml (actions: write) | Removed with the inline cache-clear logic |
| High | unpinned-images | compatibility.yaml (fedora:44) | Documented inline suppression (see below) |
| Medium | artipacked | inline checkouts across build-test*.yaml | Removed with the inline pipelines |
| Medium | artipacked | advanced-tests.yaml (×6), compatibility.yaml (×2) | Added persist-credentials: false |

The default-persona zizmor scan (the persona the GitHub code-scanning
upload uses) now reports no findings.

On fedora:44: the container is intentionally tracked by tag (not a
frozen digest) so it keeps receiving Fedora's security rebuilds and
stays aligned with the downstream Sigul signing consumer
(FROM fedora:44). Because this is a CI test container — not a release
or runtime artefact — the unpinned-images finding is suppressed inline
with # zizmor: ignore[unpinned-images] and a documented rationale,
rather than pinned to a digest (which would freeze the security
rebuilds out). The previous comment claiming a tag pin satisfies the
audit was incorrect and has been corrected.

CodeQL default-setup conflict (resolved out-of-band)

This repo has a custom (advanced) CodeQL workflow (codeql.yml,
via reuse-python-codeql.yaml) and GitHub's CodeQL default setup
was also configured — the two conflict, which is what caused
the SARIF upload failures in code scanning. The default setup has been
disabled (state: not-configured) so the advanced workflow now owns
code scanning. No file change is involved; this is a repository setting.

Validation

  • zizmor (default + auditor personas) — default persona clean.
  • prek run (yamllint, actionlint, reuse lint, codespell, workflow
    validators) — all pass.
  • Commit is SSH-signed and carries a DCO sign-off.

Note: actionlint emits a known false-positive about the
ubuntu-24.04-arm runner label in compatibility.yaml (a valid
GitHub-hosted arm64 runner); this is pre-existing and untouched here.
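As an added illustration of the wiring the description above lays out (this is not a file from this PR or from lfreleng-actions/python-workflows), the sketch below shows a thin caller pinned to a commit next to a job whose checkout and container carry the hardened settings. The full commit SHAs are placeholders, the workflow name, trigger and the values passed to make / make_args are assumptions, and only setup_script, make and make_args are inputs named on this page.

```yaml
# build-test.yaml (sketch): thin caller of the reusable multi-arch workflow.
# Added illustration, not the PR's file. <FULL_COMMIT_SHA> stands in for the
# 40-character SHA of the v0.1.1 release commit (4f48e1c on this page).
name: Build/Test
on:
  pull_request:
    branches: [main]
permissions: {}   # no workflow-level "actions: write" (zizmor excessive-permissions)
jobs:
  build-test:
    permissions:
      contents: read
    uses: lfreleng-actions/python-workflows/.github/workflows/build-test-multiarch.yaml@<FULL_COMMIT_SHA>  # v0.1.1
    with:
      setup_script: .github/scripts/setup-nss.sh   # native NSS/NSPR prerequisites
      make: true           # assumed value: enable the source build step
      make_args: "build"   # assumed value: arguments handed to make
---
# compatibility.yaml (sketch): the CI container stays tracked by tag on
# purpose; the finding is suppressed inline and the rationale is recorded
# beside it instead of freezing a digest that would miss Fedora rebuilds.
name: Compatibility
on:
  pull_request:
permissions:
  contents: read
jobs:
  fedora:
    runs-on: ubuntu-24.04
    # CI test container only, not a release or runtime artefact. Tracked by
    # tag so it keeps receiving Fedora security rebuilds and matches the
    # downstream Sigul consumer (FROM fedora:44).
    container: fedora:44  # zizmor: ignore[unpinned-images]
    steps:
      - uses: actions/checkout@<FULL_COMMIT_SHA>  # pin actions by SHA too
        with:
          persist-credentials: false   # resolves zizmor artipacked: no token left in .git/config
      - run: ./run-compat-tests.sh     # assumed test entry point
```

Without persist-credentials: false, actions/checkout stores the job's GITHUB_TOKEN in the workspace's git config, where any later step (or an uploaded artefact of the workspace) can read it; that is the artipacked finding the table above resolves.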

Replace the large inline build/test and release pipelines with thin
callers of the reusable multi-arch Python workflows from
lfreleng-actions/python-workflows, pinned to the v0.1.1 release commit.
The reusable workflows reproduce the canonical pipeline (metadata,
build, tests, audit, SBOM and Grype scan, fanned across the x64 + arm64
matrix); native NSS/NSPR prerequisites are supplied through the
committed setup script (.github/scripts/setup-nss.sh) consumed via the
reusable workflow's setup_script input. PyPI publishing stays in this
repository so the existing token credentials remain scoped here.

This collapses hundreds of lines of duplicated pipeline YAML and clears
the zizmor security findings reported against the repository:

  * High excessive-permissions: the workflow-level "actions: write"
    in build-test.yaml is gone with the inline cache-clear logic.
  * Medium artipacked (credential persistence): the inline checkouts
    that carried persisted credentials have been removed.

The remaining workflows are brought into line with the clean template:

  * compatibility.yaml: add "persist-credentials: false" to both
    checkouts. The fedora:44 CI container is intentionally tracked by
    tag (not a frozen digest) so it keeps receiving Fedora security
    rebuilds and stays aligned with the downstream Sigul consumer, so
    the High unpinned-images finding is suppressed inline with a
    documented rationale rather than pinned to a digest.
  * advanced-tests.yaml: add "persist-credentials: false" to all six
    checkout steps.

The default-persona zizmor scan (the persona the GitHub code-scanning
upload uses) now reports no findings.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Matthew Watkins <mwatkins@linuxfoundation.org>

Copilot AI left a comment


Pull request overview

This PR migrates the repository’s build/test and tag-release GitHub Actions pipelines to thin “caller” workflows that delegate the heavy lifting to pinned reusable multi-arch workflows in lfreleng-actions/python-workflows (v0.1.1), while also addressing outstanding zizmor security findings in existing workflows.

Changes:

  • Replaced the in-repo build/test and build/test/release workflow logic with calls to reusable multi-arch workflows (pinned by commit SHA).
  • Added persist-credentials: false to actions/checkout in multiple workflows to address zizmor artipacked findings.
  • Documented and intentionally suppressed zizmor unpinned-images for the fedora:44 CI container with rationale.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| .github/workflows/compatibility.yaml | Documents fedora:44 tag-tracking rationale + suppresses unpinned-images; adds persist-credentials: false to checkouts. |
| .github/workflows/build-test.yaml | Converts to a thin caller of the pinned reusable multi-arch build/test workflow, passing NSS/NSPR setup inputs. |
| .github/workflows/build-test-release.yaml | Converts to a thin caller of the pinned reusable multi-arch release workflow and keeps PyPI publishing jobs locally. |
| .github/workflows/advanced-tests.yaml | Adds persist-credentials: false to checkouts to reduce token persistence risk. |


Comment thread .github/workflows/build-test-release.yaml

Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

@tykeal tykeal merged commit 0dedcdf into lfreleng-actions:main Jun 30, 2026
18 checks passed