fix: improve security posture of GitHub Actions with zizmor (#91)

ashishb · Jan 3, 2025 · 9a41ee9 · 9a41ee9
1 parent b81f5b2
commit 9a41ee9
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 4 deletions.
diff --git a/.github/workflows/build-go.yaml b/.github/workflows/build-go.yaml
@@ -34,6 +34,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Go ${{ matrix.go-version }}
         uses: actions/setup-go@v5

diff --git a/.github/workflows/format-go.yaml b/.github/workflows/format-go.yaml
@@ -32,6 +32,8 @@ jobs:
     steps:
       - name: checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Go ${{ matrix.go-version }}
         uses: actions/setup-go@v5

diff --git a/.github/workflows/lint-go.yaml b/.github/workflows/lint-go.yaml
@@ -34,6 +34,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Go ${{ matrix.go-version }}
         uses: actions/setup-go@v5

diff --git a/.github/workflows/lint-markdown.yaml b/.github/workflows/lint-markdown.yaml
@@ -28,6 +28,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Ruby
         # See https://github.com/ruby/setup-ruby#versioning

diff --git a/.github/workflows/release-binary.yaml b/.github/workflows/release-binary.yaml
@@ -9,23 +9,23 @@ on:
       - "version.txt"
   workflow_dispatch:
 
-permissions:
-  contents: write
-
 jobs:
 
   generateTag:
 
     name: "Auto-generate Git tag whenever version.txt changes"
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: write
 
     steps:
 
       - name: Checkout code
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: true
 
       - name: Fetch git tags
         run: git fetch --force --tags
@@ -55,21 +55,26 @@ jobs:
     runs-on: ubuntu-latest
     needs: generateTag
     timeout-minutes: 15
+    permissions:
+      contents: write
 
     steps:
 
       - name: Checkout code
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: true
 
       - name: Fetch git tags
         run: git fetch --force --tags
 
       - uses: actions/setup-go@v5
         with:
           go-version: stable
-          cache-dependency-path: src/wp2hugo/go.sum
+          # To prevent cache poisoning
+          # Ref: https://woodruffw.github.io/zizmor/audits/#cache-poisoning
+          cache: false
 
       # More assembly might be required: Docker logins, GPG, etc. It all depends
       # on your needs.