Merged
3 changes: 2 additions & 1 deletion .github/workflows/claude.yml
@@ -30,12 +30,13 @@
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1
persist-credentials: false

- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@2f8ba26a219c06cfb0f468eef8d97055fa814f97 # v1.0.53
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} # zizmor: ignore[secrets-outside-env]

Check warning on line 39 in .github/workflows/claude.yml

Claude / Claude Code Review

Inline zizmor ignore[secrets-outside-env] in claude.yml is a no-op under the regular persona

The inline `# zizmor: ignore[secrets-outside-env]` is a no-op for the CI job this PR adds: `secrets-outside-env` only fires under zizmor's `auditor` persona, but `zizmor.yml` doesn't set a `persona:` input so `zizmor-action` runs the default `regular` persona where this audit never triggers. This means the PR description's claim that the suppression silences "the one remaining warning" is incorrect, and the discussed follow-up (creating a GitHub environment for `ANTHROPIC_API_KEY`) is not actual
Member Author

I guess the point is to create an environment and add the ANTHROPIC_API_KEY in there?

Member Author

Yes - that's the proper fix, but it needs a repo-settings change (create a GitHub environment with ANTHROPIC_API_KEY) which is out of scope for this code-only PR. Suppressed inline for now; happy to follow up once the environment exists.

Contributor

🟡 The inline # zizmor: ignore[secrets-outside-env] is a no-op for the CI job this PR adds: secrets-outside-env only fires under zizmor's auditor persona, but zizmor.yml doesn't set a persona: input so zizmor-action runs the default regular persona where this audit never triggers. This means the PR description's claim that the suppression silences "the one remaining warning" is incorrect, and the discussed follow-up (creating a GitHub environment for ANTHROPIC_API_KEY) is not actually required for a clean run with the configured persona — consider either dropping the suppression or explicitly setting persona: auditor if you want that audit enforced.

Extended reasoning...

What's happening

The PR adds # zizmor: ignore[secrets-outside-env] to .github/workflows/claude.yml:39 and the PR description says this is needed to silence "the one remaining warning" so the new zizmor job is green from the start. The in-thread discussion likewise treats creating a GitHub environment for ANTHROPIC_API_KEY as a tracked follow-up that would let this suppression be removed.

But the secrets-outside-env audit is gated behind zizmor's auditor persona. The new zizmor.yml workflow uses zizmorcore/zizmor-action@v0.5.6 with no persona: input, which means the action runs with its default — the regular persona, the same as a bare uvx zizmor invocation. Under regular (and even under the stricter pedantic), secrets-outside-env simply never fires.

Step-by-step proof (zizmor 1.25.2, the version pinned by zizmor-action v0.5.6)

  1. Check out this branch.
  2. uvx zizmor .github/workflows/ (regular persona, with the inline ignore) → No findings to report. Good job! (29 suppressed)
  3. Remove the # zizmor: ignore[secrets-outside-env] comment from claude.yml:39 and re-run uvx zizmor .github/workflows/ → identical: No findings to report. Good job! (29 suppressed). The suppression had no effect.
  4. uvx zizmor --persona pedantic .github/workflows/claude.yml (no ignore) → still no secrets-outside-env finding.
  5. Only uvx zizmor --persona auditor .github/workflows/claude.yml surfaces warning[secrets-outside-env] at line 39.

Why this matters

The suppression is dead annotation under the workflow's actual configuration. There's no functional impact on CI — the job stays green either way — but it does carry a misleading premise into the codebase and the PR record:

  • The PR description says the suppression is what makes the run clean. It isn't; the run is already clean under regular.
  • The in-thread agreement ("Suppressed inline for now; happy to follow up once the environment exists") tracks a follow-up — creating a GitHub environment so the suppression can be removed — that won't actually change zizmor's output. Whoever picks that up will do the repo-settings work, delete the comment, and observe nothing.

On the counter-argument that this is harmless future-proofing

It's true the comment becomes load-bearing if the team later switches to persona: auditor. But that's not what this PR sets up, and the PR text explicitly frames the suppression as required for the current configuration. A comment that documents an audit zizmor isn't running, framed as if it were, is exactly the kind of thing that costs the next reader time. If the team wants the auditor audit suite, set persona: auditor in zizmor.yml (in which case the suppression is correct and load-bearing). If not, drop the suppression to keep the annotations honest.

Suggested fix

Either:

# .github/workflows/claude.yml — remove the no-op annotation
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

or, if you actually want secrets-outside-env (and the rest of the auditor suite) enforced:

# .github/workflows/zizmor.yml
- name: Run zizmor 🌈
  uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
  with:
    persona: auditor

(Note: enabling auditor will surface several other findings beyond this one, so it's not a drop-in change.)

use_commit_signing: true
additional_permissions: |
actions: read
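Review bot: the `# zizmor: ignore[secrets-outside-env]` annotation on the `anthropic_api_key:` line suppresses an audit that, per the thread above, only runs under zizmor's `auditor` persona, which the `zizmor.yml` added in this PR does not select; either drop the annotation or set `persona: auditor` in `zizmor.yml` so the suppression is load-bearing, and in either case put a short comment or issue link beside it explaining why `ANTHROPIC_API_KEY` is not scoped to a GitHub environment, since the `with:` block gives the next reader no rationale.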
22 changes: 16 additions & 6 deletions .github/workflows/comment-on-release.yml
@@ -16,13 +16,16 @@ jobs:
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
persist-credentials: false

- name: Get previous release
id: previous_release
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
CURRENT_TAG: ${{ github.event.release.tag_name }}
with:
script: |
const currentTag = '${{ github.event.release.tag_name }}';
const currentTag = process.env.CURRENT_TAG;

// Get all releases
const { data: releases } = await github.rest.repos.listReleases({
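Review bot: moving `github.event.release.tag_name` out of the inline `${{ }}` expression and into `env.CURRENT_TAG` is the right fix for the script-injection class zizmor flags (the tag value can no longer terminate the JS string literal), but the same `CURRENT_TAG: ${{ github.event.release.tag_name }}` mapping is repeated on each `github-script` step in this workflow; declare it once under a job-level `env:` so all three steps read the same variable and the mapping cannot drift between steps.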
@@ -54,10 +57,13 @@ jobs:
- name: Get merged PRs between releases
id: get_prs
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
CURRENT_TAG: ${{ github.event.release.tag_name }}
PREVIOUS_TAG_JSON: ${{ steps.previous_release.outputs.result }}
with:
script: |
const currentTag = '${{ github.event.release.tag_name }}';
const previousTag = ${{ steps.previous_release.outputs.result }};
const currentTag = process.env.CURRENT_TAG;
const previousTag = JSON.parse(process.env.PREVIOUS_TAG_JSON);

if (!previousTag) {
console.log('No previous release found, skipping');
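Review bot: `JSON.parse(process.env.PREVIOUS_TAG_JSON)` throws a `SyntaxError` on an empty string before the `if (!previousTag)` guard is reached, so if the `previous_release` step ever returns `undefined` (no explicit `return`) instead of `null`, `steps.previous_release.outputs.result` is empty and this step fails instead of skipping; guard the parse, e.g. `const previousTag = process.env.PREVIOUS_TAG_JSON ? JSON.parse(process.env.PREVIOUS_TAG_JSON) : null;`.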
@@ -104,11 +110,15 @@ jobs:

- name: Comment on PRs
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
PR_NUMBERS_JSON: ${{ steps.get_prs.outputs.result }}
RELEASE_TAG: ${{ github.event.release.tag_name }}
RELEASE_URL: ${{ github.event.release.html_url }}
with:
script: |
const prNumbers = ${{ steps.get_prs.outputs.result }};
const releaseTag = '${{ github.event.release.tag_name }}';
const releaseUrl = '${{ github.event.release.html_url }}';
const prNumbers = JSON.parse(process.env.PR_NUMBERS_JSON);
const releaseTag = process.env.RELEASE_TAG;
const releaseUrl = process.env.RELEASE_URL;

const comment = `This pull request is included in [${releaseTag}](${releaseUrl})`;

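Review bot: the same unguarded `JSON.parse(process.env.PR_NUMBERS_JSON)` pattern applies here: if `get_prs` takes its early "skipping" exit without returning an array, `steps.get_prs.outputs.result` is empty and the parse throws; default to an empty list (`JSON.parse(process.env.PR_NUMBERS_JSON || '[]')`) so this step is a no-op rather than a failure. Moving `releaseTag` and `releaseUrl` into `env` is correct and removes the last inline `${{ }}` interpolations from the script body.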
4 changes: 4 additions & 0 deletions .github/workflows/conformance.yml
@@ -19,6 +19,8 @@ jobs:
continue-on-error: true
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
- uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
with:
enable-cache: true
@@ -34,6 +36,8 @@ jobs:
continue-on-error: true
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
- uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
with:
enable-cache: true
2 changes: 2 additions & 0 deletions .github/workflows/deploy-docs.yml
@@ -34,6 +34,8 @@ jobs:

steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false

- name: Install uv
uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
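Review bot: `persist-credentials: false` on the checkout needs a check against the rest of this job: if a later step publishes the built docs with `git push` (for example to a pages branch) using the token actions/checkout would otherwise have left in `.git/config`, it will now fail with an auth error; if the deploy goes through a dedicated action or a step that receives its own token input, no further change is needed.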
7 changes: 6 additions & 1 deletion .github/workflows/publish-pypi.yml
@@ -4,18 +4,23 @@ on:
release:
types: [published]

permissions:
contents: read

jobs:
release-build:
name: Build distribution
runs-on: ubuntu-latest
needs: [checks]
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false

- name: Install uv
uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
with:
enable-cache: true
enable-cache: false
version: 0.9.5

- name: Set up Python 3.12
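Review bot: two points in this hunk. The new top-level `permissions: contents: read` becomes the default for every job in the file, so the job that actually publishes (not shown here) must declare its own job-level permissions (`id-token: write` for trusted publishing, or whatever its upload step needs) or it will fail at publish time; please confirm that job has them. Second, `enable-cache: true` → `enable-cache: false` on `setup-uv` is a behaviour change unrelated to the credential hardening and is not explained in the diff; add a `#` comment on that line stating why the cache is disabled for the release build so it is not reverted as an accident.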
6 changes: 6 additions & 0 deletions .github/workflows/shared.yml
@@ -14,6 +14,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false

- uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
with:
@@ -57,6 +59,8 @@ jobs:

steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false

- name: Install uv
uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
@@ -83,6 +87,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false

- uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
with:
2 changes: 2 additions & 0 deletions .github/workflows/weekly-lockfile-update.yml
@@ -15,6 +15,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
with:
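Review bot: `persist-credentials: false` in this workflow in particular deserves a functional check: a weekly lockfile update normally commits and pushes, or opens a PR, and any step that relied on the token actions/checkout stored in `.git/config` will now hit an auth failure; if such a step exists, pass it an explicit token through its own input or an env variable rather than re-enabling persisted credentials.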
25 changes: 25 additions & 0 deletions .github/workflows/zizmor.yml
@@ -0,0 +1,25 @@
name: GitHub Actions Security Analysis

on:
push:
branches: ["main"]
pull_request:
branches: ["**"]

permissions: {}

jobs:
zizmor:
runs-on: ubuntu-latest

permissions:
security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.

steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Run zizmor 🌈
uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
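Review bot: the `with:` block of the `Run zizmor` step is cut off in this view, so it cannot be seen here whether `persona:` is set; given the disagreement above about whether `secrets-outside-env` is actually enforced, set `persona:` explicitly with a comment so the intended audit level is documented in the file rather than inherited from the action's default. Also, `permissions: {}` at the top removes every scope and the job re-adds only `security-events: write`; zizmor-action's SARIF upload additionally needs `contents: read` and `actions: read` on private repositories, so add those at job level if this repository is not public.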