Skip to content

Add workflow-security CI gate (zizmor + pinact) and Dependabot cooldown#61

Merged
djacu merged 2 commits into
mainfrom
ci/workflow-security-check
Jul 6, 2026
Merged

Add workflow-security CI gate (zizmor + pinact) and Dependabot cooldown#61
djacu merged 2 commits into
mainfrom
ci/workflow-security-check

Conversation

@djacu

@djacu djacu commented Jul 6, 2026

Copy link
Copy Markdown
Member

What

Adds a CI gate that runs zizmor + pinact over .github/ on every PR and push, plus a Dependabot cooldown. This is the guardrail for the workflow-hardening series (#55, #58, #59, #60) — it keeps those fixes from silently regressing.

  • check.yml — new workflow-security job:
    • nix run .#zizmor -- .github/ — audits all workflows, the composite action, and dependabot.yml.
    • nix run .#pinact -- run --check — verifies every action is SHA-pinned and its # vX.Y.Z comment matches the SHA.
  • dependabot.ymlcooldown: { default-days: 7 }: delays adopting a freshly published release for 7 days so a compromised release can be caught/yanked first.

Why

The hardening PRs fixed these by hand; without a gate a future PR could reintroduce an unpinned action, a ${{ }} shell injection, an over-broad permission, or drifted pins. zizmor + pinact catch all of those in CI.

Notes

  • zizmor runs online (keeps the known-vulnerable-actions CVE check). CI uses only the pinned version with a fresh HTTP cache, so it's reliable; the sole dependency is GitHub API reachability at run time.
  • The flake-pinned zizmor (1.18.0) predates the dependabot-cooldown audit, so the gate doesn't yet enforce the cooldown — the fix is proactive and will be enforced once flake.lock's nixpkgs is next bumped.

Verification

  • actionlint: clean
  • nix run .#zizmor -- .github/ (pinned 1.18.0, online): exit 0, no findings
  • nix run .#pinact -- run --check (pinned 3.4.5): exit 0
  • dependabot.yml: valid YAML

djacu added 2 commits July 6, 2026 08:43
Delay update PRs for freshly published releases by 7 days, so a compromised
release has time to be caught and yanked before Dependabot auto-adopts it
(zizmor dependabot-cooldown).
Add a workflow-security job to check.yml that runs on every PR and push:
- nix run .#zizmor -- .github/ audits all workflows, the composite action,
  and dependabot.yml.
- nix run .#pinact -- run --check verifies every action is SHA-pinned and
  its version comment matches the SHA.
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Artifact comparison

0 modified · 0 added · 0 deleted · 96 unchanged

Download report — HTML file; open in a browser.

Compared
  • Base: 2380abddcbace93875b2f222ae77461c50492960 (current main tip when this ran)
  • After: 611ad1c8a34a4e3a806976bdba7992b27d351de4 (merge commit; falls back to PR head if unmergeable)

@djacu djacu merged commit 0227c7a into main Jul 6, 2026
6 checks passed
@djacu djacu deleted the ci/workflow-security-check branch July 6, 2026 15:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant