ci: harden GitHub Actions workflows (zizmor) #116
Merged
Resolve all zizmor findings across the three workflows:
- excessive-permissions: drop workflow-level write scopes to
contents: read and grant packages:/contents: write only on the
jobs that need them (docker push, tag/release creation).
- template-injection: move all ${{ ... }} expansions out of run
blocks into env vars referenced as shell variables.
- artipacked: set persist-credentials: false on read-only checkouts;
keep credentials only on create-tag-and-release (git push) with a
documented zizmor ignore.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pinning dtolnay/rust-toolchain to a SHA dropped the @stable channel from the action ref, so jobs without an explicit toolchain input failed with "'toolchain' is a required input". Add an explicit toolchain: stable input to the test, fmt, clippy and build-binaries jobs, which is robust against SHA pinning.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
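The three zizmor fixes described in the PR description above, shown together in one added example workflow (not the project's own workflow; job names, the triggers and the `<commit-sha>` placeholders for pinned action refs are assumptions, and the inline ignore uses zizmor's `# zizmor: ignore[rule]` comment form):

```yaml
name: ci
on:
  pull_request:
  workflow_dispatch:
    inputs:
      version: { required: true, type: string }

# excessive-permissions: the workflow-level token is read-only; before the fix
# this block granted contents: write and packages: write to every job.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # artipacked: a read-only job must not leave GITHUB_TOKEN in
      # .git/config, where a later step or an uploaded artifact could read it.
      - uses: actions/checkout@<commit-sha>   # placeholder: pin a real SHA
        with:
          persist-credentials: false
      # template-injection: before the fix this step was
      #   run: echo "Testing ${{ github.event.pull_request.title }}"
      # The title is attacker-controlled and was pasted into the shell script
      # verbatim. Passing it through env makes it quoted data, not shell code.
      - name: Show PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Testing $PR_TITLE"

  create-tag-and-release:
    if: github.event_name == 'workflow_dispatch'
    needs: test
    runs-on: ubuntu-latest
    # Write scope is granted only to the job that actually pushes the tag.
    permissions:
      contents: write
    steps:
      # This job runs git push, so it needs the persisted token; the finding
      # is acknowledged on this step rather than silenced for the whole repo.
      - uses: actions/checkout@<commit-sha> # zizmor: ignore[artipacked]
      - name: Tag and push
        env:
          VERSION: ${{ inputs.version }}
        run: |
          git tag "v$VERSION"
          git push origin "v$VERSION"
```

Running `zizmor` against this file should report no findings; dropping `persist-credentials: false` from the test job or moving a `${{ }}` expansion back into a `run:` line reintroduces the corresponding finding.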
ewels added a commit that referenced this pull request on Jun 17, 2026:
* Update github actions
* Bump docs npm packages
* ci: harden GitHub Actions workflows (zizmor)
Resolve all zizmor findings across the three workflows:
- excessive-permissions: drop workflow-level write scopes to
contents: read and grant packages:/contents: write only on the
jobs that need them (docker push, tag/release creation).
- template-injection: move all ${{ ... }} expansions out of run
blocks into env vars referenced as shell variables.
- artipacked: set persist-credentials: false on read-only checkouts;
keep credentials only on create-tag-and-release (git push) with a
documented zizmor ignore.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* fix(ci): restore toolchain channel for dtolnay/rust-toolchain
Pinning dtolnay/rust-toolchain to a SHA dropped the @stable channel
from the action ref, so jobs without an explicit toolchain input
failed with "'toolchain' is a required input". Add an explicit
toolchain: stable input to the test, fmt, clippy and build-binaries
jobs, which is robust against SHA pinning.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
🤖 Generated with Claude Code