Skip to content

ci: configure zizmor GHA security checks, fix findings #2632

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
danielroe merged 12 commits into from
Apr 26, 2026
Merged

ci: configure zizmor GHA security checks, fix findings #2632

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
4d60644
ci: use `persist-credentials: false` for actions/checkout
serhalp Apr 26, 2026
fa8ee0a
ci: fix all mismatched action versions in workflows
serhalp Apr 26, 2026
e69e309
ci: opt in to least privilege needed
serhalp Apr 26, 2026
957aab1
ci: use concurrency controls in all workflows
serhalp Apr 26, 2026
17f44f0
ci: pin playwright image to a specific digest
serhalp Apr 26, 2026
4113a4e
ci: add names to anonymous workflows and jobs
serhalp Apr 26, 2026
ed31fab
ci: apply principle of least privilege to lunaria workflow
serhalp Apr 26, 2026
792ac0b
ci: document why each permission is needed
serhalp Apr 26, 2026
0fb4575
ci: configure zizmor
serhalp Apr 26, 2026
2ce76ab
ci: run zizmor on an image with docker
serhalp Apr 26, 2026
6e1a787
ci: fix a few more missing action version tags
serhalp Apr 26, 2026
a3e463d
Merge branch 'main' into serhalp/zizmor
danielroe Apr 26, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 8 additions & 2 deletions .github/workflows/autofix.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,10 @@ on:
branches:
- main

concurrency:
group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
cancel-in-progress: true

permissions:
contents: read

Expand All @@ -19,8 +23,10 @@ jobs:

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
with:
node-version: lts/*
cache: true
Expand All @@ -37,4 +43,4 @@ jobs:
- name: 🔠 Fix lint errors
run: vp run lint:fix

- uses: autofix-ci/action@635ffb0c9798bd160680f18fd73371e355b85f27 # 635ffb0c9798bd160680f18fd73371e355b85f27
- uses: autofix-ci/action@635ffb0c9798bd160680f18fd73371e355b85f27 # v1.3.2
3 changes: 2 additions & 1 deletion .github/workflows/chromatic.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,8 +25,9 @@ jobs:
fetch-depth: 0
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
ref: ${{ github.event.pull_request.head.sha || github.sha }}
persist-credentials: false

- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
with:
node-version: lts/*
cache: true
Expand Down
34 changes: 25 additions & 9 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,8 +27,10 @@ jobs:

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
with:
node-version: lts/*
run-install: false
Expand All @@ -45,8 +47,10 @@ jobs:

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
with:
node-version: lts/*
cache: true
Expand All @@ -60,8 +64,10 @@ jobs:

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
with:
node-version: lts/*
cache: true
Expand All @@ -81,8 +87,10 @@ jobs:

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
with:
node-version: lts/*
cache: true
Expand All @@ -109,15 +117,17 @@ jobs:
name: 🖥️ Browser tests
runs-on: ubuntu-24.04-arm
container:
image: mcr.microsoft.com/playwright:v1.58.2-noble
image: mcr.microsoft.com/playwright:v1.58.2-noble@sha256:6446946a1d9fd62d9ae501312a2d76a43ee688542b21622056a372959b65d63d

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: 👑 Fix Git ownership
run: git config --global --add safe.directory /__w/npmx.dev/npmx.dev

- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
with:
node-version: lts/*
cache: true
Expand All @@ -139,8 +149,10 @@ jobs:

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
with:
node-version: lts/*
cache: true
Expand All @@ -160,8 +172,10 @@ jobs:

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
with:
node-version: lts/*
cache: true
Expand All @@ -175,8 +189,10 @@ jobs:

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
with:
node-version: lts/*
run-install: false
Expand Down
11 changes: 8 additions & 3 deletions .github/workflows/dependency-diff-comment.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,15 +6,20 @@ on:
types:
- completed

permissions:
pull-requests: write
actions: read
concurrency:
group: ${{ github.workflow }}-${{ github.event.workflow_run.id }}
cancel-in-progress: true

permissions: {}

jobs:
dependency-diff-comment:
name: 💬 Dependency diff comment
runs-on: ubuntu-slim
if: github.event.workflow_run.conclusion == 'success'
permissions:
pull-requests: write # post dependency diff comments on pull requests
actions: read # download artifacts from dependency-diff runs

steps:
- name: 📥 Download artifact
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/dependency-diff.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ jobs:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false

- name: 🔎 Compare dependencies
id: analyze
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/deploy-canary.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,10 @@ jobs:
runs-on: ubuntu-24.04-arm
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
with:
node-version: lts/*
run-install: false
Expand Down
13 changes: 7 additions & 6 deletions .github/workflows/lunaria.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,15 +10,15 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }}
cancel-in-progress: true

# Allow this job to clone the repository and comment on the pull request
permissions:
contents: read
pull-requests: write
permissions: {}

jobs:
lunaria-overview:
name: 🌝 Generate Lunaria Overview
runs-on: ubuntu-24.04-arm
permissions:
contents: read
pull-requests: write # post Lunaria overview comments on pull requests

steps:
- name: Checkout
Expand All @@ -27,11 +27,12 @@ jobs:
# Necessary for Lunaria to work properly
# Makes the action clone the entire git history
fetch-depth: 0
persist-credentials: false

- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
with:
node-version: lts/*
cache: true

- name: Generate Lunaria Overview
uses: lunariajs/action@4911ad0736d1e3b20af4cb70f5079aea2327ed8e # v1-prerelease
uses: lunariajs/action@4911ad0736d1e3b20af4cb70f5079aea2327ed8e # astro-docs
5 changes: 5 additions & 0 deletions .github/workflows/mirror-tangled.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,10 @@ on:
tags:
- '*'

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

Expand All @@ -20,6 +24,7 @@ jobs:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false

- name: 🔑 Configure SSH
env:
Expand Down
14 changes: 10 additions & 4 deletions .github/workflows/release-pr.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,22 +5,28 @@ on:
branches:
- main

permissions:
contents: read
pull-requests: write
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions: {}

jobs:
release-pr:
name: 🚀 Create or update release PR
runs-on: ubuntu-slim
if: github.repository == 'npmx-dev/npmx.dev'
permissions:
contents: read
pull-requests: write # create or update the release pull request

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false

- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
with:
node-version: lts/*
run-install: false
Expand Down
14 changes: 10 additions & 4 deletions .github/workflows/release-tag.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,10 @@ on:
branches:
- release

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

Comment on lines +8 to +11
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Apr 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

cancel-in-progress: true on a release workflow can leave partial state.

This workflow pushes a git tag, creates a GitHub Release, and then publishes npmx-connector to npm in a downstream job. If a second push to release arrives mid-run (or this run is otherwise superseded), GitHub will SIGTERM the in-flight job and you can end up in inconsistent states such as:

  • tag pushed but the GitHub Release never created (the 📝 Generate release notes / 🚀 Create GitHub Release steps get killed), or
  • tag + Release exist but publish-connector is canceled before npm publish --provenance completes — leaving git/GitHub claiming a version that does not exist on the registry.

Releases on push to release are infrequent, so the throughput win from cancellation is negligible while the corruption risk is real. Recommend disabling cancellation on this workflow specifically.

🛡️ Proposed fix 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+  # Releases push tags, create GitHub releases, and publish to npm in sequence.
+  # Cancelling mid-run could leave a tag without a release, or a release without a published package.
+  cancel-in-progress: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
# Releases push tags, create GitHub releases, and publish to npm in sequence.
# Cancelling mid-run could leave a tag without a release, or a release without a published package.
cancel-in-progress: false
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-tag.yml around lines 8 - 11, The concurrency block
currently sets "cancel-in-progress: true", which can leave release workflow
state inconsistent; change the concurrency configuration (the concurrency/group
and cancel-in-progress settings) so that cancel-in-progress is disabled for this
release workflow — e.g., remove or set "cancel-in-progress: false" in the
concurrency block that contains group: ${{ github.workflow }}-${{ github.ref }}
so in-flight release runs are allowed to finish instead of being terminated.

permissions: {}

jobs:
Expand All @@ -13,7 +17,7 @@ jobs:
runs-on: ubuntu-slim
if: github.repository == 'npmx-dev/npmx.dev'
permissions:
contents: write
contents: write # create release tags and GitHub releases
outputs:
version: ${{ steps.version.outputs.next }}
skipped: ${{ steps.check.outputs.skip }}
Expand All @@ -22,8 +26,9 @@ jobs:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: true

- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
with:
node-version: lts/*
run-install: false
Expand Down Expand Up @@ -87,15 +92,16 @@ jobs:
if: needs.tag.outputs.skipped == 'false'
permissions:
contents: read
id-token: write
id-token: write # authenticate npm trusted publishing via OIDC
environment: npm-publish

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: release
persist-credentials: false

- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1
- uses: voidzero-dev/setup-vp@8ecb39174989ce55af90f45cf55b02738599831d # v1.6.0
with:
node-version: lts/*
registry-url: https://registry.npmjs.org
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/semantic-pull-requests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,10 @@ on:
- edited
- synchronize

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true

permissions: {}

jobs:
Expand Down
18 changes: 13 additions & 5 deletions .github/workflows/stale.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,15 +6,20 @@ on:
- cron: '0 2 * * *'
workflow_dispatch: # Allow manual trigger

permissions:
issues: write
pull-requests: write
concurrency:
group: ${{ github.workflow }}
cancel-in-progress: true

permissions: {}

jobs:
stale-bugs:
name: 🧹 Mark stale bug issues
runs-on: ubuntu-latest
permissions:
issues: write # mark and close stale bug issues
steps:
- uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f
- uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
with:
days-before-issue-stale: 30
days-before-issue-close: 7
Expand All @@ -27,9 +32,12 @@ jobs:
operations-per-run: 500

stale-prs:
name: 🧹 Mark stale pull requests
runs-on: ubuntu-latest
permissions:
pull-requests: write # mark and close stale pull requests
steps:
- uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f
- uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
with:
days-before-issue-stale: -1
days-before-issue-close: -1
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/welcome-close.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,10 @@ on:
types:
- closed

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true

permissions: {}

jobs:
Expand Down
Loading
Loading