
ci: harden GitHub Actions workflows (zizmor)#116

Merged
ewels merged 4 commits into
mainfrom
fix/zizmor-workflow-hardening
Jun 16, 2026

Conversation

@ewels ewels commented Jun 16, 2026

  1. Update github actions
  2. Bump docs npm packages
  3. ci: harden GitHub Actions workflows — resolve all zizmor findings (was 4 high, 13 medium, 1 low, 9 info)
  4. fix(ci): restore toolchain channel for dtolnay/rust-toolchain

🤖 Generated with Claude Code

ewels and others added 4 commits June 16, 2026 22:24
Resolve all zizmor findings across the three workflows:

- excessive-permissions: drop workflow-level write scopes to
  contents: read and grant packages:/contents: write only on the
  jobs that need them (docker push, tag/release creation).
- template-injection: move all ${{ ... }} expansions out of run
  blocks into env vars referenced as shell variables.
- artipacked: set persist-credentials: false on read-only checkouts;
  keep credentials only on create-tag-and-release (git push) with a
  documented zizmor ignore.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pinning dtolnay/rust-toolchain to a SHA dropped the @stable channel
from the action ref, so jobs without an explicit toolchain input
failed with "'toolchain' is a required input". Add an explicit
toolchain: stable input to the test, fmt, clippy and build-binaries
jobs, which is robust against SHA pinning.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
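As an added illustration that is not part of this PR's diff, the fragment below shows the weak form and the hardened form of the three zizmor findings the commit message names (excessive-permissions, template-injection, artipacked). The job and step names, the use of actions/checkout, and the constructed tag name are assumptions; the inline ignore comment uses zizmor's `# zizmor: ignore[rule]` form.

```yaml
# Added example, not from this PR's diff: one job pair showing the three
# zizmor findings named in the commit message and the hardened form of each.
name: release
on:
  push:
    branches: [main]

# BEFORE (weak): workflow-wide write scopes (excessive-permissions), a checkout
# that leaves GITHUB_TOKEN in .git/config (artipacked), and a ${{ }} expression
# expanded directly inside a run: block (template-injection).
#
# permissions:
#   contents: write
#   packages: write
# jobs:
#   build:
#     steps:
#       - uses: actions/checkout@v4
#       - run: echo "Building ${{ github.event.head_commit.message }}"

# AFTER (hardened): read-only default, scopes raised per job, no persisted
# token on read-only checkouts, expressions routed through env vars.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # pin to a full commit SHA in a real workflow
        with:
          persist-credentials: false
      - name: Log the commit message without template expansion in the shell
        env:
          COMMIT_MSG: ${{ github.event.head_commit.message }}
        run: |
          # The runner sets COMMIT_MSG; the shell only ever sees a variable,
          # so quotes or backticks in the message cannot alter the command.
          printf 'Building: %s\n' "$COMMIT_MSG"

  create-tag-and-release:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write               # only this job pushes tags / creates releases
    steps:
      - uses: actions/checkout@v4   # zizmor: ignore[artipacked] -- git push below needs the token
      - run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git tag "v-example-${GITHUB_RUN_NUMBER}"     # constructed tag name
          git push origin "v-example-${GITHUB_RUN_NUMBER}"
```

Running `zizmor` against the hardened file should report none of the three findings; the ignore comment is the only place a persisted token remains, and it is tied to the job that actually needs it.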
@ewels ewels merged commit 2556c9d into main Jun 16, 2026
7 checks passed
@ewels ewels deleted the fix/zizmor-workflow-hardening branch June 16, 2026 21:04
ewels added a commit that referenced this pull request Jun 17, 2026
* Update github actions

* Bump docs npm packages

* ci: harden GitHub Actions workflows (zizmor)