Skip to content

Remediate release-tools' own workflow security findings (zizmor) #30

Description

@mabry1985

The fleet workflow-security-lint (#29) surfaced pre-existing findings in release-tools' own workflows when first run. These need fixing with the release pipeline testable (tauri-release.yml is release-critical), so they're split out of the tooling PR. Once cleared, wire a self-lint caller so release-tools self-complies.

Findings (zizmor v1.25.2, --min-severity=medium)

error[template-injection] — the CWE-94 class (#3815), fix first:

  • tauri-release.yml:134run: ${{ inputs.pre-build-command }} (by-design "run input command"; move to env: + run: $VAR)
  • tauri-release.yml:251--base-url "${{ inputs.r2-public-base-url }}/..." → env indirection
  • tauri-release.yml:252--notes "${{ inputs.release-notes-text }}" → env indirection (release notes can contain shell metacharacters)

error[cache-poisoning] ×1, error[unpinned-uses] ×18 (SHA-pin actions; zizmor --fix auto-pins), warning[artipacked] ×2 (persist-credentials: false on checkout).

Approach

  • Fix the 3 template-injections with env-var indirection (same pattern as protoMaker#3812).
  • SHA-pin actions (run zizmor --fix); verify release.yml / tauri-release.yml still build+publish.
  • Add persist-credentials: false to checkouts.
  • Add a self-lint caller workflow (uses: ./.github/workflows/workflow-security-lint.yml) so release-tools self-complies.

Until then the canonical reusable workflow is workflow_call-only (ships for other repos; doesn't self-trigger).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions