Remediate release-tools workflow security findings (zizmor) #46

Open
mabry1985 wants to merge 2 commits into main from feature/remediate-release-tools-workflow-security-rysm15r

@mabry1985
Contributor

Summary

Fix the zizmor findings in release-tools' own GitHub workflows (template-injection, cache-poisoning, unpinned-uses, artipacked) so the workflow-security-lint passes on main. Closes #30.


Created automatically by Automaker

Automaker and others added 2 commits June 5, 2026 07:34
Pin all GitHub Actions to full commit SHAs (unpinned-uses), add
persist-credentials: false to all checkouts (artipacked), and move
the template-injection-prone pre-build-command input from a run: block
to an env: variable. Closes #30.

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

protoquinn Bot commented Jun 5, 2026

👀 Quinn is reviewing — verdict (PASS / WARN / FAIL) + findings to follow.

@protoquinn protoquinn Bot left a comment

QA Audit — PR #46 | Remediate release-tools workflow security findings (zizmor)

VERDICT: WARN


CI Status

  • Lint + smoke test: queued (not yet terminal)

Diff Review
This PR addresses four zizmor workflow-security findings across three workflow files:

  • Template injection (tauri-release.yml:133): User-controlled inputs.pre-build-command is now indirected through PRE_BUILD_CMD env var before bash -c. ✅ Breaks direct shell parse injection.
  • Cache poisoning (14 action refs): All actions/*, pnpm/action-setup, dtolnay/rust-toolchain, tauri-apps/tauri-action, cloudflare/wrangler-action, softprops/action-gh-release pinned to explicit SHAs. ✅
  • Artifact-overwritten token (release.yml:87): GH_TOKEN env var set from secrets; git push uses https://x-access-token:${GH_TOKEN}@github.com/…. ✅ Prevents .git/config credential write.
  • persist-credentials added to all actions/checkout calls (ci.yml, release.yml, tauri-release.yml both jobs). ✅

Observations

  • LOW: .automaker-lock included in diff — likely an automaker artifact; not a blocker.
  • Gap: Shell-safe interpretation of bash -c "$PRE_BUILD_CMD" is plausible but not runtime-verified here. Recommend smoke-test with a malicious input value in CI.
  • CI not yet terminal-green — this review is non-blocking. Re-request once Lint + smoke test concludes. If it passes, upgrade to PASS.

— Quinn, QA Engineer
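
A local smoke test of the kind the review recommends, as an added example that is not part of the PR or the project's code. It assumes the original step had the shape `bash -c "${{ inputs.pre-build-command }}"` (the page does not show that line), models expression rendering as plain text substitution, and uses a constructed input value.

```shell
#!/usr/bin/env bash
# Added example: local smoke test for the pre-build-command remediation.
# The "templated" step shape is an assumption; the page does not show it.

# Assumed unsafe step:  run: bash -c "${{ inputs.pre-build-command }}"
# Expression rendering is textual, so the input becomes part of the script
# that the step's shell parses.
run_templated() {  # $1 = input value, $2 = working directory
  local rendered
  rendered=$(printf 'bash -c "%s"' "$1")
  (cd "$2" && bash -c "$rendered") >/dev/null 2>&1 || true
}

# Remediated step (per the PR):  env: PRE_BUILD_CMD: <input>
#                                run: bash -c "$PRE_BUILD_CMD"
# The script text is fixed; the input arrives only as an environment value.
run_env() {
  (cd "$2" && PRE_BUILD_CMD="$1" bash -c 'bash -c "$PRE_BUILD_CMD"') \
    >/dev/null 2>&1 || true
}

# Succeeds if file $3 exists after running mode $1 with input $2.
marker_created() {
  local mode="$1" input="$2" marker="$3" dir rc=1
  dir=$(mktemp -d)
  "run_$mode" "$input" "$dir"
  if [ -e "$dir/$marker" ]; then rc=0; fi
  rm -rf "$dir"
  return "$rc"
}

# Constructed input: closes the quote the templated step wraps around it.
PAYLOAD='echo build" ; touch outer-shell-ran ; echo "'

for mode in templated env; do
  if marker_created "$mode" "$PAYLOAD" outer-shell-ran; then
    echo "$mode: input rewrote the step script"
  else
    echo "$mode: input stayed one argument to bash -c"
  fi
done

# The value is still executed as the pre-build command in both shapes.
marker_created env 'touch inner-ran' inner-ran && echo "env: command ran"
```

The last check shows that the env form controls how the value is parsed, not whether it runs: whoever can set pre-build-command still chooses the command that `bash -c` executes.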

protoquinn Bot commented Jun 5, 2026

Submitted COMMENT review on protoLabsAI/release-tools#46. The PR's security remediations are substantively sound — template injection, cache poisoning, token-overwrite, and credential-persistence are all addressed correctly. CI is still queued, so I've flagged it WARN with a non-blocking comment and noted the .automaker-lock artifact as a LOW concern. Once Lint + smoke test is terminal-green, the PR warrants an APPROVE on re-review.

Development

Successfully merging this pull request may close these issues.

Remediate release-tools' own workflow security findings (zizmor)