[ci] harden GitHub Actions; add cargo-deny, CodeQL & workflow linting#197
Conversation
…#192) Addresses part of #192 (SOTA DevX audit). Config/CI-only and additive; no engine source is touched. Hardening of existing workflows: - Least-privilege `permissions: contents: read` on ci + nightly (they previously inherited the repo default). - `concurrency: cancel-in-progress` on ci, semgrep, and claude-code-review so superseded pushes stop burning runners. - SHA-pin every third-party action (with `# vX` comments; Dependabot keeps them fresh) — closes the moved-tag supply-chain risk on the secret-holding Claude workflows. - `persist-credentials: false` on read-only checkouts. New static-analysis / supply-chain jobs: - cargo-deny: deny.toml (advisories/bans/licenses/sources) + a job that also runs weekly to catch newly disclosed RUSTSEC advisories. - CodeQL (Rust) dataflow analysis on push/PR + weekly. - actionlint + zizmor workflow-lint job; .github/zizmor.yml documents the two deliberately accepted findings. Validated locally: actionlint clean, zizmor clean (online + offline), cargo-deny advisories/bans/licenses/sources all ok. Remaining audit items tracked as follow-ups: cargo-fuzz (needs a lib target + differential harness), Miri over the unsafe-adjacent modules, cargo-nextest, the clippy PostToolUse hook, and migrating semgrep off its archived action.
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
Prefer readable version tags (@v7, @stable, ...) over opaque commit SHAs; Dependabot's github-actions updater keeps them current on major bumps. zizmor's unpinned-uses audit requires a hash pin under its default blanket policy, so relax it to `ref-pin` in .github/zizmor.yml — tag pins now pass while a mutable-branch or unpinned ref still fails.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: aedaebe5eb
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| unpinned-uses: | ||
| config: | ||
| policies: | ||
| "*": ref-pin |
There was a problem hiding this comment.
Keep branch-pinned actions from passing the audit
With this catch-all policy, zizmor's unpinned-uses audit no longer enforces SHA pins for any action; the audit docs define ref-pin as allowing a symbolic or SHA reference, so branch refs pass too. In the workflows I checked, dtolnay/rust-toolchain@stable and taiki-e/install-action@cargo-llvm-cov are non-version symbolic refs, so the new workflow-lint job will green-light mutable action code even though the comment says mutable branches still fail. Keep the default hash-pin policy for non-version refs or add specific hash-pin rules/ignores.
Useful? React with 👍 / 👎.
Summary
Addresses the GitHub Actions hardening + static-analysis portion of the SOTA DevX audit in #192. Config/CI-only and additive — no engine source is touched.
Hardening of existing workflows
permissions: contents: readonci.yml+nightly-test262-coverage.yml(they previously inherited the repo default).concurrency: cancel-in-progressonci,semgrep, andclaude-code-reviewso superseded pushes stop burning runners.@v7,@stable, …); Dependabot's existinggithub-actionsupdater keeps them current on major bumps. zizmor'sunpinned-usesaudit is set toref-pinin.github/zizmor.yml, so tag pins pass while a mutable-branch or unpinned ref still fails.persist-credentials: falseon read-only checkouts.New static-analysis / supply-chain jobs
deny.toml(advisories / bans / licenses / sources) + a job that also runs weekly to catch newly disclosed RUSTSEC advisories. The license allow-list is exactly the permissive set currently in the crate graph; anything new fails by design for a manual decision..github/zizmor.ymldocuments the accepted findings and the tag-pin policy.Validated locally
actionlint— clean.zizmor(online and offline) — no findings.cargo deny check advisories bans licenses sources— allok..rschanged, so fmt/clippy/build/tests are unaffected.Deferred to follow-ups
These were intentionally kept out — they need a structural change or alter an existing green step and shouldn't be shipped without validation:
[lib]target + differential-vs-node harness + fuzzing skill)Part of #192 (kept open until the follow-ups land).
Test plan
workflow-lintjob green (actionlint + zizmor)cargo-denyjob greenCodeQLjob green (autobuild + analyze)CI+Semgrepjobs still green