Skip to content

Various CI improvements suggested by zizmor#2139

Open
bjorn3 wants to merge 12 commits intopendulum-project:mainfrom
bjorn3:safer_ci
Open

Various CI improvements suggested by zizmor#2139
bjorn3 wants to merge 12 commits intopendulum-project:mainfrom
bjorn3:safer_ci

Conversation

@bjorn3
Copy link

@bjorn3 bjorn3 commented Mar 3, 2026

https://zizmor.sh/ is a static analysis tool for github actions. @hashcatHitman suggested using this.

bjorn3 added 12 commits March 3, 2026 14:18
@bjorn3
Use the least amount of privileges possible for each CI workflow
3003896 
* A bunch of explicit read permissions are removed as they are implicit
  for public repos.
* add-prs-to-project no longer has write permissions
* docs no longer has write permissions during the build step, only
  during the deploy step.
@bjorn3
Remove unnecessary docker workflow trigger
fdc299e
@bjorn3
Explain why add-prs-to-project is safe
b32d9f9
@bjorn3
Remove cache from the packaging workflow
0c92f6d 
This prevents any potential cache poisoning. The actual build already
wasn't cached and likely takes much longer than downloading packages.
@bjorn3
Use gh cli for commit verified check
210c9b9 
This avoids what I believe to be a false positive from zizmor about
github.api_url being potentially attacker controlled.
@bjorn3
Use gh cli for creating draft release
1450cf7 
This avoids depending on an external action.
@bjorn3
Add zizmor config
df59948
@bjorn3
Ignore template-injection that only a maintainer can do
3fa4c15
@bjorn3
Use persist-credentials: false
c89daf4
@bjorn3
Use shell expansion for RELEASE_VERSION
01a85d6 
This fixes a zizmor complaint about template-injection.
@bjorn3
Add dependency update cooldown
11f0d80
@bjorn3
Run zizmor on CI
98365b3
davidv1992
davidv1992 requested changes Mar 4, 2026
View reviewed changes
.github/workflows/docker.yaml
packages: write

on:
workflow_call: {}
Copy link
Member

@davidv1992 davidv1992 Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rnijveld I think we dont use this, but am not a 100% sure.

.github/workflows/packaging.yaml
- i686-unknown-linux-gnu
steps:
- name: Setup packaging tools for cross compiled artifacts
uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # v1.6.0
Copy link
Member

@davidv1992 davidv1992 Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rnijveld was there a specific reason we used caching here?

.github/workflows/packaging.yaml
test "$release_notes_version" == "${release_version}"
echo "$release_notes_body" > release_notes.md

- name: Create release
Copy link
Member

@davidv1992 davidv1992 Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should keep the original title.

Suggested change
- name: Create release
- name: Create a draft release

@github-advanced-security
Copy link

github-advanced-security bot commented Mar 5, 2026

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@codecov
Copy link

codecov bot commented Mar 5, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.54%. Comparing base (1df0cc9) to head (98365b3).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2139      +/-   ##
==========================================
- Coverage   83.57%   83.54%   -0.04%     
==========================================
  Files          71       71              
  Lines       20007    20007              
==========================================
- Hits        16721    16714       -7     
- Misses       3286     3293       +7
Flag Coverage Δ
fuzz-cookie_parsing_sound 0.40% <ø> (ø)
fuzz-duration_from_float 0.27% <ø> (ø)
fuzz-encrypted_client_parsing 6.50% <ø> (-0.99%) ⬇️
fuzz-encrypted_server_parsing 10.30% <ø> (+0.06%) ⬆️
fuzz-handle 11.91% <ø> (-2.16%) ⬇️
fuzz-ipfilter 2.54% <ø> (ø)
fuzz-key_exchange_request_parsing 3.88% <ø> (-1.26%) ⬇️
fuzz-key_exchange_response_parsing 3.74% <ø> (-0.04%) ⬇️
fuzz-packet_keyset 5.69% <ø> (-0.13%) ⬇️
fuzz-packet_parsing_sound 8.06% <ø> (-0.12%) ⬇️
fuzz-record_encode_decode 4.51% <ø> (ø)
test-aarch64-apple-darwin 83.31% <ø> (ø)
test-x86_64-unknown-linux-gnu 83.22% <ø> (ø)
test-x86_64-unknown-linux-musl 83.22% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@davidv1992 davidv1992 davidv1992 requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bjorn3 @davidv1992