Skip to content

Harden GHA + Zizmor CI#3

Merged
rastut merged 4 commits into
mainfrom
zizmor-plus-fixes
Jun 1, 2026
Merged

Harden GHA + Zizmor CI#3
rastut merged 4 commits into
mainfrom
zizmor-plus-fixes

Conversation

@rastut

@rastut rastut commented Jun 1, 2026

Copy link
Copy Markdown
Collaborator

This pull request introduces several improvements to GitHub workflow files, focusing on enhanced security, better credential management, and improved maintainability. The most significant changes include adding a new security analysis workflow with zizmor, switching to local action references for tooling, enforcing token and credential usage best practices, and updating third-party action versions for reproducibility.

Security and Analysis Enhancements:

  • Added a new .github/workflows/zizmor.yaml workflow to run security analysis on workflow and action files using zizmor, with appropriate permissions and credential handling.
  • Added explicit permissions blocks to .github/workflows/bd_sca_scanner.yaml and .github/workflows/trufflehog.yaml to restrict access to only what's needed for actions/checkout. [1] [2]

Credential and Token Management Improvements:

  • Set persist-credentials: false for all actions/checkout steps in hyperforge_agent_package_workflow.yaml and hyperforge_workflow.yaml to prevent leaking repository tokens to subsequent steps. [1] [2] [3] [4] [5]
  • Switched from workflow expression interpolation to environment variables for passing inputs.package in hyperforge_agent_package_workflow.yaml, improving security and reliability.

Tooling and Action Reference Updates:

  • Changed references to custom actions (parameter-generator, build-img-regcache, build-helm-chart) from remote to local paths in hyperforge_workflow.yaml, improving maintainability and reducing external dependencies. [1] [2] [3]
  • Added steps to generate and use a GitHub App token for checking out the tooling repository, further restricting credentials and following best practices.

Dependency Version Pinning:

  • Updated the orgoro/coverage action to a specific commit hash for reproducible builds in hyperforge_workflow.yaml.

Other Minor Improvements:

  • Added comments and documentation regarding the use of PyPI tokens and the future migration to OIDC Trusted Publishing in hyperforge_agent_package_workflow.yaml.
  • Improved environment variable usage for Slack notifications in hyperforge_workflow.yaml.

@rastut rastut merged commit 46fe43f into main Jun 1, 2026
25 of 43 checks passed
@bloodbare bloodbare deleted the zizmor-plus-fixes branch June 4, 2026 13:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant