Skip to content

ci: zizmor-driven GHA workflow security cleanup#728

Merged
emptyhammond merged 5 commits into
mainfrom
worktree-fixup-workflow
Jun 3, 2026
Merged

ci: zizmor-driven GHA workflow security cleanup#728
emptyhammond merged 5 commits into
mainfrom
worktree-fixup-workflow

Conversation

@emptyhammond

@emptyhammond emptyhammond commented May 26, 2026

Copy link
Copy Markdown
Contributor

Routine hygiene pass over the five GitHub Actions workflows in this repo, driven by zizmor static analysis. The changes are split into five commits, one per finding type.

Summary by CodeRabbit

  • Chores
    • Enhanced CI/CD security by pinning GitHub Action versions and adding workflow-level permission restrictions (read-only content token).
    • Improved workflow reliability by disabling credential persistence in checkout steps.
    • Minor deployment workflow tweak to pass release tag as an explicit parameter during CDN publish.

@coderabbitai

coderabbitai Bot commented May 26, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 816d2461-29e4-45a9-b458-3a2c48a5beac

📥 Commits

Reviewing files that changed from the base of the PR and between 77c8815 and 7ac6f4c.

📒 Files selected for processing (5)
  • .github/workflows/deps-updated-correctly.yml
  • .github/workflows/dev.yml
  • .github/workflows/docs.yml
  • .github/workflows/publish.cdn.yml
  • .github/workflows/release.yml
🚧 Files skipped from review as they are similar to previous changes (5)
  • .github/workflows/release.yml
  • .github/workflows/deps-updated-correctly.yml
  • .github/workflows/publish.cdn.yml
  • .github/workflows/docs.yml
  • .github/workflows/dev.yml

Walkthrough

GitHub Actions workflows now declare workflow-level permissions: contents: read, pin action references to specific commit SHAs, and set checkout persist-credentials: false; the publish CDN workflow also passes the release tag via a RELEASE_TAG environment variable.

Changes

GitHub Actions Security Hardening

Layer / File(s) Summary
Permissions and action pinning across core workflows
.github/workflows/deps-updated-correctly.yml, .github/workflows/dev.yml, .github/workflows/docs.yml, .github/workflows/release.yml
Each workflow adds a permissions: contents: read block and replaces unpinned actions/checkout and actions/setup-node references with pinned commit SHAs. Checkout steps now set persist-credentials: false. docs.yml also pins aws-actions/configure-aws-credentials and ably/sdk-upload-action. dev.yml pins davelosert/vitest-coverage-report-action and applies these changes across multiple jobs.
CDN deployment workflow security and credential handling
.github/workflows/publish.cdn.yml
Pins actions/checkout, aws-actions/configure-aws-credentials, and actions/setup-node to specific commit SHAs, adds persist-credentials: false to checkout, and changes the deploy step to pass RELEASE_TAG (from github.ref_name) into scripts/cdn_deploy.js using --tag="$RELEASE_TAG".

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly and accurately reflects the main objective of the PR: security-focused improvements to GitHub Actions workflows driven by zizmor analysis.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch worktree-fixup-workflow

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions github-actions Bot temporarily deployed to staging/pull/728/typedoc May 26, 2026 10:26 Inactive
@github-actions

github-actions Bot commented May 26, 2026

Copy link
Copy Markdown

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 95.57% (🎯 95%) 4018 / 4204
🔵 Statements 95.57% (🎯 95%) 4018 / 4204
🔵 Functions 98.99% (🎯 98%) 296 / 299
🔵 Branches 97.12% (🎯 97%) 978 / 1007
File CoverageNo changed files found.
Generated in workflow #3204 for commit 7ac6f4c by the Vitest Coverage Report Action

@emptyhammond emptyhammond requested a review from AndyTWF May 26, 2026 10:30
@emptyhammond emptyhammond marked this pull request as ready for review May 26, 2026 10:30

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/docs.yml:
- Around line 24-26: The workflow uses actions/setup-node@... without an
explicit cache setting, so update the setup-node step (the block starting with
"uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e" and its
"with" section) to add package-manager-cache: false to explicitly disable
package manager caching; apply the same change (add package-manager-cache: false
under the "with:" for the setup-node step) in the corresponding setup-node
blocks in .github/workflows/release.yml and .github/workflows/publish.cdn.yml to
keep behavior consistent.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 01fe1136-82cc-41c9-b52b-dcc0c80eb3b0

📥 Commits

Reviewing files that changed from the base of the PR and between 7526b4a and 77c8815.

📒 Files selected for processing (5)
  • .github/workflows/deps-updated-correctly.yml
  • .github/workflows/dev.yml
  • .github/workflows/docs.yml
  • .github/workflows/publish.cdn.yml
  • .github/workflows/release.yml

Comment on lines +24 to 26
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # zizmor: ignore[cache-poisoning] no cache input is set, so npm cache is not enabled
with:
node-version: 20.x

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== packageManager field discovery =="
fd -H '^package\.json$' | while read -r f; do
  python - "$f" <<'PY'
import json, sys
p = sys.argv[1]
with open(p, "r", encoding="utf-8") as fh:
    data = json.load(fh)
print(f"{p}: packageManager={data.get('packageManager')!r}")
PY
done

echo
echo "== setup-node steps in workflows =="
rg -n -C3 'uses:\s*actions/setup-node@' .github/workflows/*.yml

echo
echo "== explicit package-manager-cache settings =="
rg -n -C2 'package-manager-cache:' .github/workflows/*.yml || true

Repository: ably/ably-chat-js

Length of output: 6252


Make setup-node cache disabling explicit (package-manager-cache: false)

.github/workflows/docs.yml uses actions/setup-node@... # v6.4.0 but doesn’t set either cache or package-manager-cache; since both package.json and demo/package.json lack a packageManager field, caching behavior depends on setup-node defaults/lockfile detection. Add package-manager-cache: false (and mirror the same change in .github/workflows/release.yml and .github/workflows/publish.cdn.yml) to align with the hardening intent and avoid relying on the current zizmor ignore rationale.

Suggested patch
       - name: Use Node.js 20.x
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # zizmor: ignore[cache-poisoning] no cache input is set, so npm cache is not enabled
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 20.x
+          package-manager-cache: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # zizmor: ignore[cache-poisoning] no cache input is set, so npm cache is not enabled
with:
node-version: 20.x
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 20.x
package-manager-cache: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docs.yml around lines 24 - 26, The workflow uses
actions/setup-node@... without an explicit cache setting, so update the
setup-node step (the block starting with "uses:
actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e" and its "with"
section) to add package-manager-cache: false to explicitly disable package
manager caching; apply the same change (add package-manager-cache: false under
the "with:" for the setup-node step) in the corresponding setup-node blocks in
.github/workflows/release.yml and .github/workflows/publish.cdn.yml to keep
behavior consistent.

@emptyhammond emptyhammond enabled auto-merge June 3, 2026 08:35
emptyhammond and others added 5 commits June 3, 2026 09:36
Adds top-level minimal permissions blocks to workflows that previously
relied on default GITHUB_TOKEN scopes, per least-privilege guidance.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Prevents the GitHub token from being persisted to the runner git
config after checkout, which reduces the credential footprint
available to subsequent steps.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Expanding the ref_name template inside a shell run block lets the
value influence shell parsing. Routing it through an env var and
quoting the variable keeps the value strictly as data.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The cdn publish, docs, and release workflows trigger on release/tag
events. They do not pass a `cache:` input to setup-node, so the npm
cache is not enabled. Adds inline zizmor ignore comments documenting
this so future audits stay clean without masking real findings.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replaces mutable tag references (e.g. @v2, @V3) with commit SHAs
plus a version comment. A compromised tag in an upstream action can
otherwise re-point at malicious code on the next workflow run.

Actions bumped to their latest releases as part of the pin:
  actions/checkout                       v6.0.2
  actions/setup-node                     v6.4.0
  aws-actions/configure-aws-credentials  v6.1.1
  ably/sdk-upload-action                 v2.2.0
  davelosert/vitest-coverage-report      v2.12.0
@emptyhammond emptyhammond force-pushed the worktree-fixup-workflow branch from 77c8815 to 7ac6f4c Compare June 3, 2026 08:36
@emptyhammond emptyhammond merged commit 177371d into main Jun 3, 2026
12 checks passed
@emptyhammond emptyhammond deleted the worktree-fixup-workflow branch June 3, 2026 08:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants