Add zizmor GitHub Actions security workflow#5

Open
bchassoul wants to merge 1 commit into
mainfrom
gl/zizmor

Conversation

@bchassoul bchassoul commented Mar 16, 2026


zizmor found a few existing workflow security issues:

```yaml
  - ruleId: zizmor/artipacked
    kind: fail
    level: warning
    message: credential persistence through GitHub Actions artifacts
    locations:
      .github/workflows/main.yml
  - ruleId: zizmor/excessive-permissions
    kind: fail
    level: warning
    message: overly broad permissions
    locations:
      .github/workflows/main.yml
  - ruleId: zizmor/unpinned-uses
    kind: fail
    level: error
    message: unpinned action reference
    locations:
      .github/workflows/main.yml
      .github/workflows/publish.yml
      .github/workflows/shelltests.yml
  - ruleId: zizmor/archived-uses
    kind: fail
    level: warning
    message: action or reusable workflow from archived repository
    locations:
      .github/workflows/publish.yml
```

Not sure why the test passes, see log here
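To make the four findings above concrete, here is an added example, not code from this PR or from the repository's own workflows: a minimal workflow that triggers each of the four zizmor rules, followed by the same workflow after remediation. The action names and versions, the `example-org/...` actions and the `<commit-sha>` placeholders are assumptions for illustration; the real contents of `main.yml` and `publish.yml` are not shown on this page.

```yaml
# Added example, not the repository's own workflow.
# --- Before: a workflow that trips all four zizmor rules listed above ---
name: ci-weak
on: [push, pull_request]
# No top-level `permissions:` block -> zizmor/excessive-permissions.
# The job inherits the repository default token scopes, which may
# include write access the workflow never needs.
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Floating tag instead of a commit SHA -> zizmor/unpinned-uses.
      # persist-credentials defaults to true, so the job token is written
      # into .git/config in the checked-out workspace.
      - uses: actions/checkout@v4
      # Uploading the whole workspace ships .git/config, token included,
      # in a downloadable artifact -> zizmor/artipacked.
      - uses: actions/upload-artifact@v4
        with:
          path: .
      # Hypothetical action whose repository is archived; stands in for
      # the archived action reported in publish.yml -> zizmor/archived-uses.
      - uses: example-org/archived-action@v1
---
# --- After: each finding addressed ---
name: ci-hardened
on: [push, pull_request]
# Least privilege at the workflow level; a job that genuinely needs more
# (e.g. a release job) raises it in its own `permissions:` block.
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Pin to a full commit SHA and keep the tag as a comment for
      # readability. <commit-sha> is a placeholder: take the value from
      # the action's repository, do not copy it from here.
      - uses: actions/checkout@<commit-sha> # v4
        with:
          persist-credentials: false   # no token left behind in .git/config
      - uses: actions/upload-artifact@<commit-sha> # v4
        with:
          path: dist/                  # upload build output, not the repo
      # Replace the archived action with a maintained equivalent (a
      # hypothetical name here) or inline the step's logic with `run:`.
      - uses: example-org/maintained-action@<commit-sha> # v2
```

Running `zizmor .github/workflows/` locally against the "before" file reproduces the four rule IDs from the list above, and against the "after" file reports none of them, which is a quick way to confirm a fix before pushing.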

@GwendalLaurent


> Not sure why the test passes
According to ChatGPT, that's because the vulnerabilities were already present in the code before the PR.

In my opinion, even if the CI is green, it's probably a good idea to fix the vulnerabilities in this PR.

@maehjam maehjam left a comment


PR should be to kickstarter/base not main.
