Skip to content

[ci] harden GitHub Actions; add cargo-deny, CodeQL & workflow linting#197

Merged
pmatos merged 2 commits into
mainfrom
jsse/issue192
Jul 3, 2026
Merged

[ci] harden GitHub Actions; add cargo-deny, CodeQL & workflow linting#197
pmatos merged 2 commits into
mainfrom
jsse/issue192

Conversation

@pmatos

@pmatos pmatos commented Jul 2, 2026

Copy link
Copy Markdown
Owner

Summary

Addresses the GitHub Actions hardening + static-analysis portion of the SOTA DevX audit in #192. Config/CI-only and additive — no engine source is touched.

Hardening of existing workflows

  • Least-privilege permissions: contents: read on ci.yml + nightly-test262-coverage.yml (they previously inherited the repo default).
  • concurrency: cancel-in-progress on ci, semgrep, and claude-code-review so superseded pushes stop burning runners.
  • Pin every third-party action to a version tag (@v7, @stable, …); Dependabot's existing github-actions updater keeps them current on major bumps. zizmor's unpinned-uses audit is set to ref-pin in .github/zizmor.yml, so tag pins pass while a mutable-branch or unpinned ref still fails.
  • persist-credentials: false on read-only checkouts.

New static-analysis / supply-chain jobs

  • cargo-denydeny.toml (advisories / bans / licenses / sources) + a job that also runs weekly to catch newly disclosed RUSTSEC advisories. The license allow-list is exactly the permissive set currently in the crate graph; anything new fails by design for a manual decision.
  • CodeQL (Rust) — interprocedural dataflow/taint on push/PR + weekly.
  • actionlint + zizmor workflow-lint job; .github/zizmor.yml documents the accepted findings and the tag-pin policy.

Validated locally

  • actionlint — clean.
  • zizmor (online and offline) — no findings.
  • cargo deny check advisories bans licenses sources — all ok.
  • No .rs changed, so fmt/clippy/build/tests are unaffected.

Deferred to follow-ups

These were intentionally kept out — they need a structural change or alter an existing green step and shouldn't be shipped without validation:

Part of #192 (kept open until the follow-ups land).

Test plan

  • workflow-lint job green (actionlint + zizmor)
  • cargo-deny job green
  • CodeQL job green (autobuild + analyze)
  • existing CI + Semgrep jobs still green

…#192)

Addresses part of #192 (SOTA DevX audit). Config/CI-only and additive; no
engine source is touched.

Hardening of existing workflows:
- Least-privilege `permissions: contents: read` on ci + nightly (they
  previously inherited the repo default).
- `concurrency: cancel-in-progress` on ci, semgrep, and claude-code-review so
  superseded pushes stop burning runners.
- SHA-pin every third-party action (with `# vX` comments; Dependabot keeps them
  fresh) — closes the moved-tag supply-chain risk on the secret-holding Claude
  workflows.
- `persist-credentials: false` on read-only checkouts.

New static-analysis / supply-chain jobs:
- cargo-deny: deny.toml (advisories/bans/licenses/sources) + a job that also
  runs weekly to catch newly disclosed RUSTSEC advisories.
- CodeQL (Rust) dataflow analysis on push/PR + weekly.
- actionlint + zizmor workflow-lint job; .github/zizmor.yml documents the two
  deliberately accepted findings.

Validated locally: actionlint clean, zizmor clean (online + offline),
cargo-deny advisories/bans/licenses/sources all ok.

Remaining audit items tracked as follow-ups: cargo-fuzz (needs a lib target +
differential harness), Miri over the unsafe-adjacent modules, cargo-nextest,
the clippy PostToolUse hook, and migrating semgrep off its archived action.
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Prefer readable version tags (@v7, @stable, ...) over opaque commit SHAs;
Dependabot's github-actions updater keeps them current on major bumps.

zizmor's unpinned-uses audit requires a hash pin under its default blanket
policy, so relax it to `ref-pin` in .github/zizmor.yml — tag pins now pass
while a mutable-branch or unpinned ref still fails.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: aedaebe5eb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/zizmor.yml
unpinned-uses:
config:
policies:
"*": ref-pin

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Keep branch-pinned actions from passing the audit

With this catch-all policy, zizmor's unpinned-uses audit no longer enforces SHA pins for any action; the audit docs define ref-pin as allowing a symbolic or SHA reference, so branch refs pass too. In the workflows I checked, dtolnay/rust-toolchain@stable and taiki-e/install-action@cargo-llvm-cov are non-version symbolic refs, so the new workflow-lint job will green-light mutable action code even though the comment says mutable branches still fail. Keep the default hash-pin policy for non-version refs or add specific hash-pin rules/ignores.

Useful? React with 👍 / 👎.

@pmatos pmatos merged commit 7a4c5e2 into main Jul 3, 2026
10 checks passed
@pmatos pmatos deleted the jsse/issue192 branch July 3, 2026 07:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants