ci: zizmor-driven GHA workflow security cleanup#728
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (5)
🚧 Files skipped from review as they are similar to previous changes (5)
WalkthroughGitHub Actions workflows now declare workflow-level ChangesGitHub Actions Security Hardening
🎯 2 (Simple) | ⏱️ ~12 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Coverage Report
File CoverageNo changed files found. |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/docs.yml:
- Around line 24-26: The workflow uses actions/setup-node@... without an
explicit cache setting, so update the setup-node step (the block starting with
"uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e" and its
"with" section) to add package-manager-cache: false to explicitly disable
package manager caching; apply the same change (add package-manager-cache: false
under the "with:" for the setup-node step) in the corresponding setup-node
blocks in .github/workflows/release.yml and .github/workflows/publish.cdn.yml to
keep behavior consistent.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 01fe1136-82cc-41c9-b52b-dcc0c80eb3b0
📒 Files selected for processing (5)
.github/workflows/deps-updated-correctly.yml.github/workflows/dev.yml.github/workflows/docs.yml.github/workflows/publish.cdn.yml.github/workflows/release.yml
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # zizmor: ignore[cache-poisoning] no cache input is set, so npm cache is not enabled | ||
| with: | ||
| node-version: 20.x |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== packageManager field discovery =="
fd -H '^package\.json$' | while read -r f; do
python - "$f" <<'PY'
import json, sys
p = sys.argv[1]
with open(p, "r", encoding="utf-8") as fh:
data = json.load(fh)
print(f"{p}: packageManager={data.get('packageManager')!r}")
PY
done
echo
echo "== setup-node steps in workflows =="
rg -n -C3 'uses:\s*actions/setup-node@' .github/workflows/*.yml
echo
echo "== explicit package-manager-cache settings =="
rg -n -C2 'package-manager-cache:' .github/workflows/*.yml || trueRepository: ably/ably-chat-js
Length of output: 6252
Make setup-node cache disabling explicit (package-manager-cache: false)
.github/workflows/docs.yml uses actions/setup-node@... # v6.4.0 but doesn’t set either cache or package-manager-cache; since both package.json and demo/package.json lack a packageManager field, caching behavior depends on setup-node defaults/lockfile detection. Add package-manager-cache: false (and mirror the same change in .github/workflows/release.yml and .github/workflows/publish.cdn.yml) to align with the hardening intent and avoid relying on the current zizmor ignore rationale.
Suggested patch
- name: Use Node.js 20.x
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # zizmor: ignore[cache-poisoning] no cache input is set, so npm cache is not enabled
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 20.x
+ package-manager-cache: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # zizmor: ignore[cache-poisoning] no cache input is set, so npm cache is not enabled | |
| with: | |
| node-version: 20.x | |
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| with: | |
| node-version: 20.x | |
| package-manager-cache: false |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/docs.yml around lines 24 - 26, The workflow uses
actions/setup-node@... without an explicit cache setting, so update the
setup-node step (the block starting with "uses:
actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e" and its "with"
section) to add package-manager-cache: false to explicitly disable package
manager caching; apply the same change (add package-manager-cache: false under
the "with:" for the setup-node step) in the corresponding setup-node blocks in
.github/workflows/release.yml and .github/workflows/publish.cdn.yml to keep
behavior consistent.
Adds top-level minimal permissions blocks to workflows that previously relied on default GITHUB_TOKEN scopes, per least-privilege guidance. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Prevents the GitHub token from being persisted to the runner git config after checkout, which reduces the credential footprint available to subsequent steps. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Expanding the ref_name template inside a shell run block lets the value influence shell parsing. Routing it through an env var and quoting the variable keeps the value strictly as data. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The cdn publish, docs, and release workflows trigger on release/tag events. They do not pass a `cache:` input to setup-node, so the npm cache is not enabled. Adds inline zizmor ignore comments documenting this so future audits stay clean without masking real findings. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replaces mutable tag references (e.g. @v2, @V3) with commit SHAs plus a version comment. A compromised tag in an upstream action can otherwise re-point at malicious code on the next workflow run. Actions bumped to their latest releases as part of the pin: actions/checkout v6.0.2 actions/setup-node v6.4.0 aws-actions/configure-aws-credentials v6.1.1 ably/sdk-upload-action v2.2.0 davelosert/vitest-coverage-report v2.12.0
77c8815 to
7ac6f4c
Compare
Routine hygiene pass over the five GitHub Actions workflows in this repo, driven by zizmor static analysis. The changes are split into five commits, one per finding type.
Summary by CodeRabbit