
Run zizmor on github actions, pinning all actions #23067

Open: oliverguenther wants to merge 8 commits into dev from fix/github-actions-zizmor

Conversation

@oliverguenther (Member) commented May 5, 2026

  • Pin all github actions to shas, not tags
  • Use persist-credentials: false where applicable
  • Avoid more template interpolation

https://community.openproject.org/work_packages/74698
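The three hardening steps the description lists, shown on one job before and after the change. This is an added illustration, not a workflow from the OpenProject repository or this PR; the action names are real, but the 40-hex commit SHAs are placeholders, not real commits.

```yaml
# Added example, not from the PR. Same job twice: as zizmor would flag it, and
# after pinning, persist-credentials: false and removing template interpolation.
# The SHAs below are placeholders, not real commits.
name: ci-example

on:
  pull_request:

jobs:
  before:
    runs-on: ubuntu-latest
    steps:
      # Mutable tag: whoever can move the tag controls the code that runs.
      - uses: actions/checkout@v4
      # Default persist-credentials: true keeps the GITHUB_TOKEN in .git/config,
      # readable by every later step and by any action that touches the checkout.
      - uses: actions/setup-node@v4
      # The expression is expanded into the script before the shell sees it, so
      # attacker-chosen text (the PR title) becomes part of the command line.
      - run: echo "PR title: ${{ github.event.pull_request.title }}"

  after:
    runs-on: ubuntu-latest
    steps:
      # Pinned to a full commit SHA (placeholder here); the trailing comment
      # records the tag so Dependabot/Renovate can still offer updates.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
        with:
          persist-credentials: false
      - uses: actions/setup-node@1111111111111111111111111111111111111111 # v4
      # Untrusted input is passed through an environment variable; the shell
      # only ever sees "$PR_TITLE", so its contents are data, not code.
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $PR_TITLE"
```

Running `zizmor .github/workflows/` over the `before` job reports the unpinned references, the persisted credentials and the expression inside `run:`; the `after` job passes those audits. The version comment after the SHA is a convention, not something GitHub interprets, which is why the SHA itself has to be the pinned value.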

@github-advanced-security (Contributor) commented
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Review threads marked Fixed:

  • .github/workflows/openapi.yaml
  • .github/workflows/test-frontend-unit.yml
  • .github/workflows/test-frontend-unit.yml
@machisuji (Member) left a comment

:+1: LGTM! Although could you please elaborate a bit on the reason behind disabling package manager caching? Yes, it's probably a security issue. But it would just be interesting to see why this was disabled in the commit message, not just that it has been disabled.

@oliverguenther (Member, Author) commented

@machisuji from https://docs.zizmor.sh/audits/#cache-poisoning

This vulnerability happens when release workflows leverage build state cached from previous workflow executions, in general on top of the aforementioned actions or similar ones. The publication of artifacts usually happens driven by trigger events like release or events with path filters like push (e.g. for tags).

We could probably disable this only for dockerization/release processes, and leave the CI runs unchanged, and set it to ignore the respective actions.
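The split suggested above, keeping package-manager caching for pull-request CI but leaving it off for the tag-triggered release job, as an added example that is not part of this PR or the OpenProject workflows. Both jobs are placed in one file here only to show the contrast; the SHAs are placeholders, and the inline ignore comment uses the `# zizmor: ignore[...]` form from the zizmor documentation.

```yaml
# Added example, not from the PR: cache kept in CI, disabled for the release job.
# Placeholder SHAs, not real commits.
name: release-example

on:
  pull_request:
  push:
    tags: ['v*']

jobs:
  test:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
        with:
          persist-credentials: false
      # CI only: a poisoned cache here can break a test run, not what ships.
      # The ignore comment tells zizmor this use of caching is accepted.
      # actions/setup-node v4 (placeholder SHA)
      - uses: actions/setup-node@1111111111111111111111111111111111111111 # zizmor: ignore[cache-poisoning]
        with:
          cache: npm
      - run: npm ci && npm test

  publish:
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
        with:
          persist-credentials: false
      # Release: no `cache:` input and no actions/cache step, so nothing
      # restored from an earlier (for example pull-request) run can feed
      # the artifact that gets published.
      - uses: actions/setup-node@1111111111111111111111111111111111111111 # v4
      - run: npm ci && npm run build
```

The reason the cache matters only in `publish` is the one quoted from the zizmor docs: a cache entry written by an earlier, less trusted run (a pull request from a fork, say) is restored by key, not by provenance, so a release job that reads it builds on state it did not produce. The CI job restores the same kind of entry, but its output is a test result rather than a shipped artifact, which is why the audit can be ignored there.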

@oliverguenther force-pushed the fix/github-actions-zizmor branch from 4e52d32 to 3299590 on May 6, 2026 08:45
@oliverguenther force-pushed the fix/github-actions-zizmor branch from 3299590 to c8f6c18 on May 6, 2026 09:07
3 participants