The fleet workflow-security-lint (#29) surfaced pre-existing findings in release-tools' own workflows when first run. These need fixing with the release pipeline testable (tauri-release.yml is release-critical), so they're split out of the tooling PR. Once cleared, wire a self-lint caller so release-tools self-complies.
Findings (zizmor v1.25.2, --min-severity=medium)
error[template-injection] — the CWE-94 class (#3815), fix first:
tauri-release.yml:134 — run: ${{ inputs.pre-build-command }} (by-design "run input command"; move to env: + run: $VAR)
tauri-release.yml:251 — --base-url "${{ inputs.r2-public-base-url }}/..." → env indirection
tauri-release.yml:252 — --notes "${{ inputs.release-notes-text }}" → env indirection (release notes can contain shell metacharacters)
error[cache-poisoning] ×1, error[unpinned-uses] ×18 (SHA-pin actions; zizmor --fix auto-pins), warning[artipacked] ×2 (persist-credentials: false on checkout).
Approach
- Fix the 3 template-injections with env-var indirection (same pattern as protoMaker#3812).
- SHA-pin actions (run
zizmor --fix); verify release.yml / tauri-release.yml still build+publish.
- Add
persist-credentials: false to checkouts.
- Add a self-lint caller workflow (
uses: ./.github/workflows/workflow-security-lint.yml) so release-tools self-complies.
Until then the canonical reusable workflow is workflow_call-only (ships for other repos; doesn't self-trigger).
The fleet workflow-security-lint (#29) surfaced pre-existing findings in release-tools' own workflows when first run. These need fixing with the release pipeline testable (tauri-release.yml is release-critical), so they're split out of the tooling PR. Once cleared, wire a self-lint caller so release-tools self-complies.
Findings (zizmor v1.25.2,
--min-severity=medium)error[template-injection] — the CWE-94 class (#3815), fix first:
tauri-release.yml:134—run: ${{ inputs.pre-build-command }}(by-design "run input command"; move toenv:+run: $VAR)tauri-release.yml:251—--base-url "${{ inputs.r2-public-base-url }}/..."→ env indirectiontauri-release.yml:252—--notes "${{ inputs.release-notes-text }}"→ env indirection (release notes can contain shell metacharacters)error[cache-poisoning] ×1, error[unpinned-uses] ×18 (SHA-pin actions;
zizmor --fixauto-pins), warning[artipacked] ×2 (persist-credentials: falseon checkout).Approach
zizmor --fix); verify release.yml / tauri-release.yml still build+publish.persist-credentials: falseto checkouts.uses: ./.github/workflows/workflow-security-lint.yml) so release-tools self-complies.Until then the canonical reusable workflow is
workflow_call-only (ships for other repos; doesn't self-trigger).