security: apply zizmor GitHub Actions security improvements#88
Ran zizmor v1.23.1 against all workflow files and resolved all high-priority findings (reduced from 30 high to 0 high):

- Pin all action references to commit SHAs to prevent supply-chain attacks:
  - actions/checkout@de0fac2e (v6.0.2)
  - actions/cache@cdf6c1fa (v5)
  - actions/upload-artifact@bbbca2dd (v7)
  - erlef/setup-beam@ee09b1e5 (v1)
  - philss/rustler-precompiled-action@853ac56 (v1.1.4)
- Add persist-credentials: false to all checkout steps (artipacked)
- Remove overly broad pull-requests: write from workflow-level permissions
- Fix template injection in all-checks-pass job by passing needs results via env vars rather than inline ${{ }} expressions
- Move Turso secrets from job-level env to step-level env to reduce exposure surface (secrets-outside-env)
- Replace dtolnay/rust-toolchain action with direct rustup script calls as recommended (superfluous-actions)
- Replace softprops/action-gh-release action with gh release CLI call

Remaining findings: 4 medium secrets-outside-env warnings for Turso secrets, which require configuring a GitHub Deployment Environment in repo settings.

https://claude.ai/code/session_01EUdjWCLtSWQYY5j4yc8Qb5
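The two hardening patterns the description refers to, shown side by side as an added example that is not code from PR #88 or from the repository: the all-checks-pass job before and after moving the `needs` result out of the inline `${{ }}` expression, and a test job that keeps the Turso secrets at step level under a job `environment:`. Job names, the environment name `turso-tests`, the script path and the `<full-commit-sha>` placeholder are assumptions.

```yaml
# Added example, not the project's workflow. Names and paths are assumed.
name: ci
on:
  pull_request:
permissions:
  contents: read          # no workflow-level pull-requests: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<full-commit-sha>   # pin to a 40-char SHA; v6.0.2 per the PR
        with:
          persist-credentials: false                # addresses zizmor's artipacked finding
      - run: echo build

  # BEFORE: the expression is expanded by the runner straight into the shell
  # script text. A job result is only success/failure/cancelled/skipped here,
  # but the pattern is the same one that becomes an injection when the
  # expanded value is attacker-influenced, so zizmor flags it.
  all-checks-pass-before:
    needs: [build]
    if: always()
    runs-on: ubuntu-latest
    steps:
      - run: |
          if [ "${{ needs.build.result }}" != "success" ]; then exit 1; fi

  # AFTER: the expression is evaluated into an environment variable and the
  # script reads only a shell variable, so nothing is spliced into the script.
  all-checks-pass:
    needs: [build]
    if: always()
    runs-on: ubuntu-latest
    steps:
      - env:
          BUILD_RESULT: ${{ needs.build.result }}
        run: |
          if [ "$BUILD_RESULT" != "success" ]; then
            echo "build finished with: $BUILD_RESULT"
            exit 1
          fi

  # Secrets referenced at step level only, inside a dedicated environment
  # (assumed name) so the secrets-outside-env finding is resolved once the
  # Deployment Environment exists in repository settings.
  remote-tests:
    runs-on: ubuntu-latest
    environment: turso-tests
    steps:
      - uses: actions/checkout@<full-commit-sha>   # v6.0.2 per the PR
        with:
          persist-credentials: false
      - name: Run Turso remote tests
        env:                                         # step-level: other steps never see these
          TURSO_DB_URI: ${{ secrets.TURSO_DB_URI }}
          TURSO_AUTH_TOKEN: ${{ secrets.TURSO_AUTH_TOKEN }}
        run: ./scripts/run-remote-tests.sh         # assumed script path
```

The `env:` indirection works because the runner substitutes `${{ }}` before the script is handed to the shell; once the value lives in a variable, shell quoting governs it and a value containing quotes or semicolons cannot change the script's structure.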
| - name: Check if secrets are available | ||
| id: check-secrets | ||
| env: | ||
| TURSO_DB_URI: ${{ secrets.TURSO_DB_URI }} |
Check warning (Code scanning / zizmor): secrets referenced without a dedicated environment
| id: check-secrets | ||
| env: | ||
| TURSO_DB_URI: ${{ secrets.TURSO_DB_URI }} | ||
| TURSO_AUTH_TOKEN: ${{ secrets.TURSO_AUTH_TOKEN }} |
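Review bot: this step's `env:` block still references `secrets.TURSO_DB_URI` and `secrets.TURSO_AUTH_TOKEN` with no `environment:` on the enclosing job, which is exactly what the secrets-outside-env finding on both lines reports; moving the secrets from job level to step level narrows exposure but does not clear the warning. Once the Deployment Environment mentioned in the description exists, add `environment: <name>` to this job so the two secrets resolve only under that environment's protection rules, and note in a workflow comment that the remaining medium findings are accepted until then.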
Check warning (Code scanning / zizmor): secrets referenced without a dedicated environment
| - name: Run Turso remote tests | ||
| if: steps.check-secrets.outputs.skip != 'true' | ||
| env: | ||
| TURSO_DB_URI: ${{ secrets.TURSO_DB_URI }} |
Check warning (Code scanning / zizmor): secrets referenced without a dedicated environment
| if: steps.check-secrets.outputs.skip != 'true' | ||
| env: | ||
| TURSO_DB_URI: ${{ secrets.TURSO_DB_URI }} | ||
| TURSO_AUTH_TOKEN: ${{ secrets.TURSO_AUTH_TOKEN }} |
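Review bot: the guard `if: steps.check-secrets.outputs.skip != 'true'` fails open: when the `skip` output is unset because check-secrets did not write it, or was itself skipped, the comparison is true and the remote tests run with empty `TURSO_DB_URI` and `TURSO_AUTH_TOKEN`. Consider inverting it to a positive check such as `steps.check-secrets.outputs.run == 'true'` so a missing output skips the step, and since this step carries the same two-secret `env:` block as check-secrets, it contributes the other two of the four remaining secrets-outside-env findings.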
Check warning (Code scanning / zizmor): secrets referenced without a dedicated environment