From 150a23c7c4a424200812ca9dacf51af0e4d7ac05 Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Tue, 3 Mar 2026 16:14:29 -0800 Subject: [PATCH 1/4] Add actionci.yml Add caller workflow for actionci (actionlint + zizmor + frizbee). Add permissions blocks and zizmor suppression config. Additional fixes: - Fix template injection in release.yml Co-Authored-By: Claude Opus 4.6 --- .github/workflows/actionci.yml | 22 ++++++++++++++++++++++ .github/workflows/ci.yml | 7 +++++++ .github/workflows/code-scan-cron.yml | 5 +++++ .github/workflows/release.yml | 9 ++++++++- .github/zizmor.yml | 9 +++++++++ 5 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/actionci.yml create mode 100644 .github/zizmor.yml diff --git a/.github/workflows/actionci.yml b/.github/workflows/actionci.yml new file mode 100644 index 0000000..6086cd4 --- /dev/null +++ b/.github/workflows/actionci.yml @@ -0,0 +1,22 @@ +name: Action CI + +on: + push: + tags-ignore: + - 'v*' + branches: + - "main" + pull_request: + workflow_call: + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +jobs: + actionci: + permissions: + contents: read + security-events: write + uses: smallstep/workflows/.github/workflows/actionci.yml@main + secrets: inherit diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9df2103..39dfad7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,8 +13,15 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: ci: + permissions: + actions: read + contents: read + security-events: write uses: smallstep/workflows/.github/workflows/goCI.yml@main with: only-latest-golang: true diff --git a/.github/workflows/code-scan-cron.yml b/.github/workflows/code-scan-cron.yml index d42e504..d4791d7 100644 --- a/.github/workflows/code-scan-cron.yml +++ b/.github/workflows/code-scan-cron.yml @@ -2,6 +2,11 @@ on: schedule: - cron: '0 0 * * SUN' +permissions: + actions: read + contents: read + security-events: write + jobs: code-scan: uses: smallstep/workflows/.github/workflows/code-scan.yml@main diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f7d7780..c650c07 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,6 +6,9 @@ on: tags: - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10 +permissions: + contents: read + jobs: ci: uses: smallstep/sequel/.github/workflows/ci.yml@main @@ -14,13 +17,17 @@ jobs: create_release: name: Create Release needs: ci + permissions: + contents: write runs-on: ubuntu-latest steps: - name: Is Pre-release id: is_prerelease + env: + REF: ${{ github.ref }} run: | set +e - echo ${{ github.ref }} | grep "\-rc.*" + echo "${REF}" | grep "\-rc.*" OUT=$? if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi echo "IS_PRERELEASE=${IS_PRERELEASE}" >> "${GITHUB_OUTPUT}" diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..e4f4fe8 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,9 @@ +rules: + unpinned-uses: + config: + policies: + "smallstep/*": ref-pin + secrets-inherit: + disable: true + ref-confusion: + disable: true From aac928eb6bbc17ed826ad8bec01204b2592e0460 Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Thu, 5 Mar 2026 11:00:44 -0800 Subject: [PATCH 2/4] Suppress dependabot-cooldown in zizmor config Co-Authored-By: Claude Opus 4.6 --- .github/zizmor.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/zizmor.yml b/.github/zizmor.yml index e4f4fe8..55abe1f 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -7,3 +7,5 @@ rules: disable: true ref-confusion: disable: true + dependabot-cooldown: + disable: true From bb74a4baa5a3b249b96806323ea9b5bef1b53dac Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Thu, 5 Mar 2026 11:27:55 -0800 Subject: [PATCH 3/4] Fix zizmor errors: pin actions, fix bot-conditions, deduplicate permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Pin unpinned actions to SHA digests via frizbee - Fix spoofable bot actor checks (github.actor → github.event.pull_request.user.login) - Remove duplicate permissions blocks - Suppress low-confidence cache-poisoning findings - Pin postgres container image Co-Authored-By: Claude Opus 4.6 --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c650c07..d051d5a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -33,7 +33,7 @@ jobs: echo "IS_PRERELEASE=${IS_PRERELEASE}" >> "${GITHUB_OUTPUT}" - name: Create Release id: create_release - uses: actions/create-release@v1 + uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: From 6f915983f202e2d26507500fb46bc2aa931ed9eb Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Thu, 5 Mar 2026 14:05:52 -0800 Subject: [PATCH 4/4] Fix zizmor warnings: suppress archived-uses, add permissions blocks Co-Authored-By: Claude Opus 4.6 --- .github/zizmor.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/zizmor.yml b/.github/zizmor.yml index 55abe1f..3a14046 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -7,5 +7,8 @@ rules: disable: true ref-confusion: disable: true + archived-uses: + ignore: + - release.yml dependabot-cooldown: disable: true