From 33987e9dd43acaef53f6e5354572cceb7edfa728 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 2 Mar 2026 17:45:00 -0800
Subject: [PATCH 1/6] Add zizmor and frizbee CI checks Add caller workflows for zizmor (security scanning) and frizbee (action pinning verification). Fix zizmor findings where applicable and add suppression config for intentional patterns. Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/frizbee.yml | 16 +++++++++++ .github/workflows/release.yml | 4 ++- .github/workflows/zizmor.yml | 16 +++++++++++ .github/zizmor.yml | 52 +++++++++++++++++++++++++++++++++++ 4 files changed, 87 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/frizbee.yml create mode 100644 .github/workflows/zizmor.yml create mode 100644 .github/zizmor.yml
diff --git a/.github/workflows/frizbee.yml b/.github/workflows/frizbee.yml
new file mode 100644
index 0000000..642f692
--- /dev/null
+++ b/.github/workflows/frizbee.yml
@@ -0,0 +1,16 @@
+name: Frizbee pinning check
+on:
+ push:
+ workflow_call:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ frizbee:
+ uses: smallstep/workflows/.github/workflows/frizbee.yml@main
+ secrets: inherit
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b3cafa1..5449bbf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -31,9 +31,11 @@ jobs:
 steps:
 - name: Is Pre-release
 id: is_prerelease
+ env:
+ REF: ${{ github.ref }}
 run: |
 set +e
- echo ${{ github.ref }} | grep "\-rc.*"
+ echo "${REF}" | grep "\-rc.*"
 OUT=$?
 if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
 echo "IS_PRERELEASE=${IS_PRERELEASE}" >> "${GITHUB_OUTPUT}"
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..3270953
--- /dev/null
+++ b/.github/workflows/zizmor.yml
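Review bot: The `concurrency.group` in the new frizbee.yml references `github.event.pull_request.number`, but the workflow only fires on `push` and `workflow_call`, so that context is always empty and the group silently collapses to `github.ref`; either add a `pull_request:` trigger so the pinning check also runs before merge, or drop the dead branch and write `group: ${{ github.workflow }}-${{ github.ref }}`. The same pattern is in the zizmor.yml workflow added by this commit. Separately, `secrets: inherit` together with the mutable `@main` reference means whatever smallstep/workflows contains at run time receives every repository secret; the zizmor suppressions in this commit record that this is intentional, but the trust boundary deserves a comment in the caller itself, e.g. `# Deliberately unpinned: smallstep/workflows@main is the org CI source of truth and receives all inherited secrets`.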
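Review bot: The pre-release detection still depends on `set +e` plus a captured `$?` and the pattern `"\-rc.*"`, where the leading `\` is doing the job of keeping grep from reading `-rc` as an option and the `.*` adds nothing; a single conditional is clearer and needs neither, `if printf '%s\n' "${REF}" | grep -q -- '-rc'; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi`. Passing `github.ref` through the `REF` environment variable instead of interpolating it into the script is the right shape and is unaffected by this suggestion. The enclosing job and the remainder of the `run:` script lie outside the hunk.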
@@ -0,0 +1,16 @@
+name: Zizmor security scan
+on:
+ push:
+ workflow_call:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ zizmor:
+ uses: smallstep/workflows/.github/workflows/zizmor.yml@main
+ secrets: inherit
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..f0da2f6
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,52 @@
+rules:
+ # Internal reusable workflows (smallstep/*@main) intentionally track
+ # the main branch for centralized CI management. Pinning to a SHA
+ # would defeat the purpose of the shared workflows repo.
+ unpinned-uses:
+ ignore:
+ - actionlint.yml:16
+ - ci.yml:25
+ - code-scan-cron.yml:7
+ - dependabot-auto-merge.yml:10
+ - frizbee.yml:15
+ - release.yml:11
+ - release.yml:80
+ - release.yml:89
+ - release.yml:103
+ - release.yml:117
+ - release.yml:131
+ - triage.yml:19
+ - zizmor.yml:15
+ # Reusable workflow callers require `secrets: inherit` to pass
+ # credentials needed by the shared workflows (e.g. SSH keys, PATs).
+ secrets-inherit:
+ ignore:
+ - actionlint.yml:16
+ - ci.yml:25
+ - dependabot-auto-merge.yml:10
+ - frizbee.yml:15
+ - release.yml:11
+ - release.yml:80
+ - release.yml:89
+ - release.yml:103
+ - release.yml:117
+ - release.yml:131
+ - triage.yml:19
+ - zizmor.yml:15
+ # These workflows either lack a top-level `permissions:` block
+ # (using GitHub defaults) or delegate to reusable workflows that
+ # declare their own minimal permissions internally.
+ excessive-permissions:
+ ignore:
+ - code-scan-cron.yml:6
+ - release.yml:1
+ - release.yml:10
+ - release.yml:14
+ # The triage workflow uses `pull_request_target` to label PRs
+ # from forks. This is safe because the called reusable workflow
+ # does not checkout or execute code from the PR.
+ dangerous-triggers:
+ ignore:
+ - triage.yml:3
+
+
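Review bot: The `dangerous-triggers` suppression for `triage.yml:3` rests on the claim that the called reusable workflow never checks out or runs PR code, but every caller listed in this config references `smallstep/workflows@main`, so that invariant is held by a mutable branch in another repository rather than by anything reviewable here. The comment should say what has to stay true and who owns it, e.g. `# Re-verify whenever the triage workflow in smallstep/workflows changes: under pull_request_target it must never checkout, build or execute PR-head code, since the event runs with repository secrets available.` The triage workflow itself is not part of this diff, so the claim cannot be checked from here. The `secrets-inherit` comment mentions SSH keys and PATs as examples; naming the actual secrets the shared workflows consume would make later audits of `secrets: inherit` concrete instead of open-ended.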
From 26f4c62bc2324352739d50ba696a1da7bac7558b Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 2 Mar 2026 17:54:48 -0800
Subject: [PATCH 2/6] Add explicit permissions blocks, remove excessive-permissions ignores Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/code-scan-cron.yml | 5 +++++ .github/workflows/release.yml | 5 +++++ .github/zizmor.yml | 9 --------- 3 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/code-scan-cron.yml b/.github/workflows/code-scan-cron.yml
index e235db3..3905f02 100644
--- a/.github/workflows/code-scan-cron.yml
+++ b/.github/workflows/code-scan-cron.yml
@@ -2,6 +2,11 @@ on:
 schedule:
 - cron: '0 0 * * SUN'
 
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
 jobs:
 code-scan:
 uses: smallstep/workflows/.github/workflows/code-scan.yml@main
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5449bbf..71beb9c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,9 @@ on:
 tags:
 - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
 
+permissions:
+ contents: read
+
 jobs:
 ci:
 uses: smallstep/autocert/.github/workflows/ci.yml@master
@@ -14,6 +17,8 @@ jobs:
 create_release:
 name: Create Release
 needs: ci
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 env:
 INIT_DOCKER_IMAGE: smallstep/autocert-init
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index f0da2f6..10c5202 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
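Review bot: The job-level `permissions: contents: write` on `create_release` is the right place for the elevated scope, but the job's steps are outside the hunk, and once any scope is set at job level every unlisted scope becomes `none` rather than the read-only default; any later step that pushes packages, comments on issues or reads workflow artifacts will now fail with a 403 until its scope is added to this block. The `INIT_DOCKER_IMAGE` env on the next line hints that this job also deals with container images, so that is worth confirming on an `-rc` tag before the next real release. A comment above the block would keep the intent clear, e.g. `# Creating the GitHub release needs contents: write; every other scope for this job is none, add here if a step needs more`. The same consideration applies to the top-level `contents: read` added in the first release.yml hunk, which is now the ceiling for the reusable `ci` workflow.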
@@ -33,15 +33,6 @@ rules:
 - release.yml:131
 - triage.yml:19
 - zizmor.yml:15
- # These workflows either lack a top-level `permissions:` block
- # (using GitHub defaults) or delegate to reusable workflows that
- # declare their own minimal permissions internally.
- excessive-permissions:
- ignore:
- - code-scan-cron.yml:6
- - release.yml:1
- - release.yml:10
- - release.yml:14
 # The triage workflow uses `pull_request_target` to label PRs
 # from forks. This is safe because the called reusable workflow
 # does not checkout or execute code from the PR.
From 882df071da8824dfdc96b5243b646db3ef15d532 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 2 Mar 2026 18:02:27 -0800
Subject: [PATCH 3/6] Replace zizmor line-number ignores with policies Use unpinned-uses config.policies with org-level wildcard and secrets-inherit disable instead of brittle per-line ignores that break whenever workflow files change. Co-Authored-By: Claude Opus 4.6
---
 .github/zizmor.yml | 43 +++++-------------------------------------- 1 file changed, 5 insertions(+), 38 deletions(-)
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 10c5202..b8ff071 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -1,43 +1,10 @@
 rules:
- # Internal reusable workflows (smallstep/*@main) intentionally track
- # the main branch for centralized CI management. Pinning to a SHA
- # would defeat the purpose of the shared workflows repo.
 unpinned-uses:
- ignore:
- - actionlint.yml:16
- - ci.yml:25
- - code-scan-cron.yml:7
- - dependabot-auto-merge.yml:10
- - frizbee.yml:15
- - release.yml:11
- - release.yml:80
- - release.yml:89
- - release.yml:103
- - release.yml:117
- - release.yml:131
- - triage.yml:19
- - zizmor.yml:15
- # Reusable workflow callers require `secrets: inherit` to pass
- # credentials needed by the shared workflows (e.g. SSH keys, PATs).
+ config:
+ policies:
+ "smallstep/*": ref-pin
 secrets-inherit:
- ignore:
- - actionlint.yml:16
- - ci.yml:25
- - dependabot-auto-merge.yml:10
- - frizbee.yml:15
- - release.yml:11
- - release.yml:80
- - release.yml:89
- - release.yml:103
- - release.yml:117
- - release.yml:131
- - triage.yml:19
- - zizmor.yml:15
- # The triage workflow uses `pull_request_target` to label PRs
- # from forks. This is safe because the called reusable workflow
- # does not checkout or execute code from the PR.
+ disable: true
 dangerous-triggers:
 ignore:
- - triage.yml:3
-
-
+ - triage.yml
From 6bd507a1fcc68e908348c565b5fbf349194672aa Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 2 Mar 2026 18:28:45 -0800
Subject: [PATCH 4/6] Disable ref-confusion audit The ref-confusion audit crashes when workflows reference private repos (e.g. internal-workflows, robot) because the GITHUB_TOKEN lacks cross-repo access. Disable until zizmor supports scoping this audit or we provide a broader token. Co-Authored-By: Claude Opus 4.6
---
 .github/zizmor.yml | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index b8ff071..92a6146 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
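Review bot: `secrets-inherit: disable: true` switches the audit off for every workflow in the repository, whereas the per-line ignores it replaces only covered the known reusable-workflow callers, so a future `secrets: inherit` on a newly added or third-party workflow would now pass without a finding. The same hunk already uses a file-level ignore for `dangerous-triggers` (`- triage.yml`), and listing the caller files that way under `secrets-inherit: ignore:` would keep the audit live for anything new while avoiding the line-number brittleness the commit message describes. All three rationale comments are dropped along with the ignores; at minimum the `pull_request_target` justification should be restored above `dangerous-triggers:`, because a whole-file ignore is harder to defend from the config alone than the old single-line one was. Note also that `ref-pin` accepts any branch or tag for every `smallstep/*` repository, which matches the stated intent but is broader than the previous explicit list of callers.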
@@ -5,6 +5,8 @@ rules:
 "smallstep/*": ref-pin
 secrets-inherit:
 disable: true
+ ref-confusion:
+ disable: true
 dangerous-triggers:
 ignore:
 - triage.yml
From b980063ec99483372d453c859f28a44462dd82b3 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 2 Mar 2026 18:42:56 -0800
Subject: [PATCH 5/6] Add security-events: write to zizmor caller workflow The caller workflow's permissions are the ceiling for reusable workflows. The zizmor-action needs security-events: write to upload SARIF results to GitHub Advanced Security. Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/zizmor.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 3270953..0057146 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -9,6 +9,7 @@ concurrency:
 
 permissions:
 contents: read
+ security-events: write
 
 jobs:
 zizmor:
From 4a69690bbba6178c60b2ff9cd06a511996975d9d Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 2 Mar 2026 19:52:21 -0800
Subject: [PATCH 6/6] ci: Replace separate actionlint/zizmor/frizbee with actionci.yml Consolidate the three separate workflow files into a single actionci.yml that calls the shared workflow from smallstep/workflows. Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/actionci.yml | 22 ++++++++++++++++++++++ .github/workflows/actionlint.yml | 17 ----------------- .github/workflows/frizbee.yml | 16 ---------------- .github/workflows/zizmor.yml | 17 ----------------- 4 files changed, 22 insertions(+), 50 deletions(-) create mode 100644 .github/workflows/actionci.yml delete mode 100644 .github/workflows/actionlint.yml delete mode 100644 .github/workflows/frizbee.yml delete mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/workflows/actionci.yml b/.github/workflows/actionci.yml
new file mode 100644
index 0000000..81a6873
--- /dev/null
+++ b/.github/workflows/actionci.yml
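Review bot: The new `ref-confusion: disable: true` entry carries no explanation in the file itself, and the reason given in the commit message (the audit aborts when `GITHUB_TOKEN` cannot read the private repositories some workflows reference) is exactly what the next maintainer needs in order to judge when it is safe to turn back on. Put it above the key, e.g. `# Disabled: the audit needs read access to every referenced repo and aborts on the private ones; re-enable once zizmor can scope it or a broader read-only token is available`. As far as this config shows, the org-wide `ref-pin` policy above only requires that a ref be present, so while this audit is off nothing reports a `smallstep/*` reference whose name could resolve to both a branch and a tag.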
@@ -0,0 +1,22 @@
+name: Action CI
+
+on:
+ push:
+ tags-ignore:
+ - 'v*'
+ branches:
+ - "master"
+ pull_request:
+ workflow_call:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ actionci:
+ permissions:
+ contents: read
+ security-events: write
+ uses: smallstep/workflows/.github/workflows/actionci.yml@main
+ secrets: inherit
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
deleted file mode 100644
index 8e9248e..0000000
--- a/.github/workflows/actionlint.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-name: Lint GitHub Actions workflows
-on:
- push:
- workflow_call:
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
- cancel-in-progress: true
-
-permissions:
- contents: write
- pull-requests: write
-
-jobs:
- actionlint:
- uses: smallstep/workflows/.github/workflows/actionlint.yml@main
- secrets: inherit
diff --git a/.github/workflows/frizbee.yml b/.github/workflows/frizbee.yml
deleted file mode 100644
index 642f692..0000000
--- a/.github/workflows/frizbee.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-name: Frizbee pinning check
-on:
- push:
- workflow_call:
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
- cancel-in-progress: true
-
-permissions:
- contents: read
-
-jobs:
- frizbee:
- uses: smallstep/workflows/.github/workflows/frizbee.yml@main
- secrets: inherit
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
deleted file mode 100644
index 0057146..0000000
--- a/.github/workflows/zizmor.yml
+++ /dev/null
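Review bot: `pull_request` runs of actionci.yml triggered from forks get a read-only `GITHUB_TOKEN` and no inherited secrets, so the `security-events: write` scope declared on the `actionci` job is not actually granted in that case; if the shared workflow uploads SARIF (the earlier commit in this series says the zizmor action does), those runs will fail at the upload step rather than at the scan. The shared `actionci.yml` is outside this diff, so either confirm it tolerates a read-only token or gate the upload on `push`/`workflow_call` events. Separately, the deleted actionlint.yml granted `pull-requests: write`, which the consolidated caller no longer does; confirm the shared workflow no longer posts PR annotations, otherwise that step will start failing too. The `on:` block quotes `'v*'` and `"master"` differently; pick one quoting style for the file.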
@@ -1,17 +0,0 @@
-name: Zizmor security scan
-on:
- push:
- workflow_call:
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
- cancel-in-progress: true
-
-permissions:
- contents: read
- security-events: write
-
-jobs:
- zizmor:
- uses: smallstep/workflows/.github/workflows/zizmor.yml@main
- secrets: inherit