Skip to content

Fix: Resolve zizmor security audit findings#164

Merged
ModeSevenIndustrialSolutions merged 1 commit into
lfreleng-actions:mainfrom
modeseven-lfreleng-actions:fix-zizmor-findings
Jun 19, 2026
Merged

Fix: Resolve zizmor security audit findings#164
ModeSevenIndustrialSolutions merged 1 commit into
lfreleng-actions:mainfrom
modeseven-lfreleng-actions:fix-zizmor-findings

Conversation

@ModeSevenIndustrialSolutions

Copy link
Copy Markdown
Contributor

Summary

Hardens the composite action and testing workflow against all High and Medium zizmor findings (19 High + 2 Medium before this change, 0 after).

Changes

  • template-injection (High): In action.yaml and .github/workflows/testing.yaml, route ${{ inputs.* }} and other expansions through step-level env: blocks and reference them as quoted shell variables, preventing expression injection into run: scripts.
  • ref-version-mismatch (2 Medium): Correct stale version comments on pinned actions so they match the commit the SHA actually points to (verified against GitHub):
    • astral-sh/setup-uv@fac544c…# v8.2.0 (was # v7.2.0)
    • actions/cache@27d5ce7…# v5.0.5 (was # v4.0.2)
  • github-env (14 High): The values persisted to GITHUB_ENV are action-internal and are validated before being written — the action already guards against env-file injection (see the boolean / path / pytest_args / coverage validation steps). They are env-by-nature (consumed as environment variables by later steps), so each carries a scoped, inline-justified # zizmor: ignore[github-env].

Validation

zizmor . -> 0 High / 0 Medium (previously 19 High / 2 Medium)

pre-commit (actionlint, yamllint, reuse, gitlint) passes.


This branch was cut from the latest upstream/main.

Co-authored-by: Claude claude@anthropic.com

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Hardens this repository’s composite GitHub Action and its CI workflow to address zizmor security audit findings, primarily by reducing expression/template injection risk in run: scripts and tightening checkout credential persistence.

Changes:

  • Routes user-controlled ${{ inputs.* }} expansions through step-level env: and uses quoted shell variables in run: steps.
  • Adds targeted zizmor: ignore[github-env] annotations where GITHUB_ENV writes are intended and (per comments) validated.
  • Updates pinned-action version comments and disables credential persistence for actions/checkout in the testing workflow.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 9 comments.

File Description
action.yaml Refactors input handling to reduce script-source interpolation risks; adds zizmor ignore annotations and updates pinned-action comments.
.github/workflows/testing.yaml Hardens actions/checkout usage by setting persist-credentials: false and updates a pinned-action comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread action.yaml Outdated
Comment thread action.yaml Outdated
Comment thread action.yaml
Comment thread action.yaml Outdated
Comment thread action.yaml Outdated
Comment thread action.yaml Outdated
Comment thread action.yaml Outdated
Comment thread action.yaml Outdated
Comment thread action.yaml Outdated

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.

Comment thread action.yaml Outdated
Comment thread action.yaml Outdated
Comment thread action.yaml
Comment thread action.yaml Outdated
Comment thread action.yaml Outdated
Comment thread action.yaml Outdated
Harden the composite action and testing workflow against
High-severity and Medium-severity zizmor findings:

- template-injection: route ${{ inputs.* }} and other expansions
  through step-level env: blocks and reference them as quoted
  shell variables, preventing expression injection into run:
  scripts.
- ref-version-mismatch: correct stale version comments on pinned
  actions (setup-uv -> v8.2.0, actions/cache -> v5.0.5) so they
  match the commit the SHA actually points to.
- github-env: the values persisted to GITHUB_ENV are action-
  internal and validated before being written (the action already
  guards against env-file injection); they are env-by-nature and
  carry scoped, justified ignores.

Also address review feedback:

- drop the redundant INPUTS_* env entries an autofix introduced
  (including INPUTS_X, an undeclared input). The steps consume the
  INPUT_* variables; the duplicate INPUTS_* names were unused and
  confusing.
- reword the in-script justification comments to name the GitHub
  Actions expression form (e.g. inputs.path_prefix) instead of
  bash-style ${INPUTS_X} placeholders. The literal ${{ ... }}
  token is deliberately avoided inside run: comments because the
  runner would interpolate it -- the very vector being mitigated.

Confirmed clean with zizmor (0 High/Medium findings remaining).

Co-authored-by: Claude <claude@anthropic.com>
Signed-off-by: Matthew Watkins <mwatkins@linuxfoundation.org>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

@ModeSevenIndustrialSolutions ModeSevenIndustrialSolutions merged commit 4129c28 into lfreleng-actions:main Jun 19, 2026
27 checks passed
@ModeSevenIndustrialSolutions ModeSevenIndustrialSolutions deleted the fix-zizmor-findings branch June 19, 2026 08:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants