From 0da8e1f4a9ded922c149c81e4119b4ad4163e1ab Mon Sep 17 00:00:00 2001 From: Johannes Emerich Date: Wed, 20 May 2026 22:00:39 +0200 Subject: [PATCH 1/5] Remove magic-nix-cache from release workflow Particularly for building release binaries, it may be worth skipping caches and build everything from scratch. --- .github/workflows/release.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ea8ee58..6be9ab2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,7 +23,6 @@ jobs: - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31 with: github_access_token: ${{ secrets.GITHUB_TOKEN }} - - uses: DeterminateSystems/magic-nix-cache-action@def9f5a5c6a6b8751c0534e8813a5d0ad2635660 # v11 - run: nix develop --command make crossbuild_mac - run: nix develop --command make crossbuild_mac_bundles - name: 'Upload Artifacts' @@ -45,7 +44,6 @@ jobs: - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31 with: github_access_token: ${{ secrets.GITHUB_TOKEN }} - - uses: DeterminateSystems/magic-nix-cache-action@def9f5a5c6a6b8751c0534e8813a5d0ad2635660 # v11 - run: nix develop --command make crossbuild - name: 'Upload Artifacts' id: upload From db4275801bffce28e2b6301c8b04ae7e5a1da4f5 Mon Sep 17 00:00:00 2001 From: Johannes Emerich Date: Wed, 20 May 2026 22:24:25 +0200 Subject: [PATCH 2/5] Default permissions to read and only heighten where needed In the release workflow, only the step creating the release needs content write permissions. The lowest level at which permissions can be set is per job, not per step. --- .github/workflows/release.yml | 5 +++-- .github/workflows/test.yml | 3 +++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6be9ab2..cfed0fb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -7,8 +7,7 @@ on: - "[0-9]+.[0-9]+.[0-9]+*" permissions: - contents: write - + contents: read jobs: build-macos: @@ -55,6 +54,8 @@ jobs: release: needs: [build-macos, build-others] runs-on: ubuntu-latest + permissions: + contents: write steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 78ccaef..4ef6e22 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,5 +1,8 @@ name: Build and test +permissions: + contents: read + on: pull_request: push: From 36449b107eef396998e14d1ef3ea3cf2ae34c7db Mon Sep 17 00:00:00 2001 From: Johannes Emerich Date: Wed, 20 May 2026 22:26:38 +0200 Subject: [PATCH 3/5] Use env variables instead of string interpolation Flagged by zizmor, vulnerable to including maliciously crafted branch names in commands otherwise. --- .github/workflows/release.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cfed0fb..6ae48fd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,8 +16,8 @@ jobs: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - run: git fetch --tags --force origin ${{ github.ref }} - - run: git checkout ${{ github.ref }} + - run: git fetch --tags --force origin ${GITHUB_REF} + - run: git checkout ${GITHUB_REF} - run: git describe --always HEAD - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31 with: 
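Review bot: The workflow-level block in this hunk still hands `contents: read` to every job by default, whereas the `zizmor.yml` added at the end of this series uses the stricter shape `permissions: {}` at workflow level with permissions declared per job. The same pattern fits here and in the `test.yml` hunk: `permissions: {}` at the top and `permissions:` / `contents: read` on `build-macos` and `build-others`, so a job added later starts with no token permissions unless it asks for them. Job-level `permissions` replaces the workflow-level set rather than merging with it, so the `release` job in the second hunk ends up with exactly `contents: write`, which is what the description intends.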
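Review bot: The two new `run:` lines leave `${GITHUB_REF}` unquoted, so the value is still subject to word splitting and glob expansion by the runner's shell; the same pair appears again in the `@@ -37,8 +37,8` hunk of this patch. Moving the ref out of `${{ }}` interpolation is the part that matters, since the shell now only ever sees it as data, but the idiomatic completion is `- run: git fetch --tags --force origin "${GITHUB_REF}"` and `- run: git checkout "${GITHUB_REF}"`. Quoting is cheap hygiene here and is what the template-injection guidance zizmor points to recommends.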
@@ -37,8 +37,8 @@ jobs: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - run: git fetch --tags --force origin ${{ github.ref }} - - run: git checkout ${{ github.ref }} + - run: git fetch --tags --force origin ${GITHUB_REF} + - run: git checkout ${GITHUB_REF} - run: git describe --always HEAD - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31 with: From 603dbf764e4895d06b50be411acc58b016ad1cd9 Mon Sep 17 00:00:00 2001 From: Johannes Emerich Date: Wed, 20 May 2026 22:28:34 +0200 Subject: [PATCH 4/5] Override default to not persist creds in actions/checkout Flagged by zizmor. --- .github/workflows/release.yml | 3 +++ .github/workflows/test.yml | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6ae48fd..40186e0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,6 +16,7 @@ jobs: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 + persist-credentials: false - run: git fetch --tags --force origin ${GITHUB_REF} - run: git checkout ${GITHUB_REF} - run: git describe --always HEAD @@ -37,6 +38,7 @@ jobs: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 + persist-credentials: false - run: git fetch --tags --force origin ${GITHUB_REF} - run: git checkout ${GITHUB_REF} - run: git describe --always HEAD @@ -61,6 +63,7 @@ jobs: uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 + persist-credentials: false - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4ef6e22..70e86d4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
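Review bot: With `persist-credentials: false` the `git fetch --tags --force origin ${GITHUB_REF}` step that follows in this hunk (and in `@@ -37,6 +38,7`) now runs without the job token, which works for a public repository but would fail on authentication for a private one. If the repository could become private, either that fetch needs its own credentials or it can probably be dropped, since `fetch-depth: 0` on the checkout already fetches all history and tags and `git describe --always HEAD` should not depend on it; worth confirming before removing. A short comment such as `persist-credentials: false  # later git steps run unauthenticated` would make that dependency visible to the next editor. The `release` job hunk at `@@ -61,6 +63,7` shows no later git network step, though the rest of that job is outside the hunk.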
@@ -12,6 +12,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31 with: github_access_token: ${{ secrets.GITHUB_TOKEN }} @@ -24,6 +26,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31 with: github_access_token: ${{ secrets.GITHUB_TOKEN }} @@ -34,6 +38,8 @@ jobs: runs-on: macos-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31 with: github_access_token: ${{ secrets.GITHUB_TOKEN }} From 750ff431bb4427e9b2cb22efcd216784800bdf4f Mon Sep 17 00:00:00 2001 From: Johannes Emerich Date: Wed, 20 May 2026 22:35:22 +0200 Subject: [PATCH 5/5] Add zizmor GH Actions analysis workflow --- .github/workflows/zizmor.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..2a9919a --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,21 @@ +name: GitHub Actions Security Analysis with zizmor + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + zizmor: + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + + - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
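Review bot: The `zizmor` job grants only `security-events: write`; the upstream zizmor-action template also lists `contents: read` and `actions: read`, which it marks as needed for private repositories, so with `permissions: {}` at workflow level the checkout would fail if this repository were ever private. Adding `contents: read  # needed for checkout on private repos` and `actions: read` under the job's `permissions:` costs nothing on a public repository and keeps the workflow portable. Separately, `pull_request: branches: ["**"]` is equivalent to no branch filter, so a bare `pull_request:` reads cleaner. The full-SHA pin with the `# v0.5.6` comment is consistent with the rest of the series.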