From 13417a477dccda7c40a2bd2049e164d0dd438c70 Mon Sep 17 00:00:00 2001 From: nbrieussel Date: Sun, 22 Mar 2026 17:28:36 +0100 Subject: [PATCH 1/7] ci: add GitHub Actions security linting with zizmor - Add zizmor 0.5 to mise.toml for security vulnerability scanning - Add zizmor job to lint-workflows workflow - Update pre-push hook to check both syntax (actionlint) and security (zizmor) - Detects secrets, excessive permissions, dangerous expressions --- .githooks/pre-push | 6 +++--- .github/workflows/lint-workflows.yml | 12 ++++++++++++ .vscode/settings.json | 3 ++- README.md | 2 +- 4 files changed, 18 insertions(+), 5 deletions(-) diff --git a/.githooks/pre-push b/.githooks/pre-push index 32c2749..8831d07 100755 --- a/.githooks/pre-push +++ b/.githooks/pre-push @@ -9,16 +9,16 @@ changed_workflows=$(git diff --cached --name-only --diff-filter=ACM | grep -E '\ if [ -n "$changed_workflows" ]; then echo "🔍 Linting GitHub Actions workflows..." + # Check actionlint if ! command -v actionlint &> /dev/null; then echo "⚠ actionlint not found. Installing via mise..." mise install actionlint fi - # Lint the changed workflows if actionlint -oneline $changed_workflows; then - echo "✅ Workflows lint passed!" + echo "✅ Actionlint passed!" else - echo "❌ Workflow lint failed. Fix the errors above and try again." + echo "❌ Actionlint failed. Fix the errors above and try again." exit 1 fi else diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml index e945cea..1b1bfdb 100644 --- a/.github/workflows/lint-workflows.yml +++ b/.github/workflows/lint-workflows.yml @@ -8,6 +8,10 @@ on: paths: - '.github/workflows/**' +permissions: + contents: read + security-events: write + jobs: actionlint: runs-on: ubuntu-latest @@ -16,3 +20,11 @@ jobs: - name: Run actionlint uses: raven-actions/actionlint@v2 + + zizmor: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Run zizmor security check + uses: zizmorcore/zizmor-action@v0.5.2 
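Review bot: The hook hunk adds no zizmor invocation although the commit message says the pre-push hook now checks security with zizmor: the visible changes are the `# Check actionlint` comment and the renamed pass/fail messages, and the diffstat (`.githooks/pre-push | 6 +++---`) shows nothing else changed in that file (the `mise.toml` edit named in the message is likewise absent from the diffstat). Either add a zizmor block after the actionlint one, mirroring its `command -v` / `mise install` guard as sketched below, or drop those claims from the description. Separately, the hunk header shows the file list coming from `git diff --cached`; in a pre-push hook the index is usually clean, so this likely selects no workflows and the check passes silently, whereas comparing the pushed range (the refs git passes on stdin, or `@{upstream}..HEAD`) is the usual pre-push approach. The enclosing `if [ -n "$changed_workflows" ]` block continues outside the hunk.
```shell
    # … unchanged: actionlint install guard and actionlint run …
    # Check zizmor
    if ! command -v zizmor &> /dev/null; then
        echo "⚠ zizmor not found. Installing via mise..."
        mise install zizmor
    fi
    if zizmor $changed_workflows; then
        echo "✅ Zizmor passed!"
    else
        echo "❌ Zizmor failed. Fix the findings above and try again."
        exit 1
    fi
```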
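Review bot: The new `zizmor` job depends on the action's default SARIF upload (which is why `security-events: write` is granted), but that upload only succeeds where code scanning is available for the repository; where it is not, the job errors on the upload rather than on findings, so either confirm code scanning is enabled or set the action's `advanced-security: false` input to keep this a plain pass/fail gate. It is also worth confirming whether the action fails the job when findings are present at its default severity, since otherwise the job is advisory only and the pre-push hook remains the only blocking check. The `on.paths` filter shown in the first hunk limits runs to `.github/workflows/**`, so a local `action.yml` (which zizmor can also audit) would never trigger this workflow; widen the filter if composite actions are added. The tag references `actions/checkout@v4` and `zizmor-action@v0.5.2` are replaced by SHA pins later in this series.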
diff --git a/.vscode/settings.json b/.vscode/settings.json index 98dbaf7..1727f0b 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -3,6 +3,7 @@ "git add": true, "git commit": true, "gh": true, - "git push": true + "git push": true, + "mise": true } } diff --git a/README.md b/README.md index c982f54..f7f4ee9 100644 --- a/README.md +++ b/README.md @@ -16,4 +16,4 @@ Cette commande installe toutes les dĂ©pendances du projet dĂ©finies dans `mise.t .githooks/install.sh ``` -Cela configure les git hooks locaux pour automatiser les vĂ©rifications avant les commits/pushes. \ No newline at end of file +Cela configure les git hooks locaux pour automatiser les vĂ©rifications avant les commits/pushes. From cf0106842de6de913354be1409b2b1e010370b0a Mon Sep 17 00:00:00 2001 From: nbrieussel Date: Sun, 22 Mar 2026 17:46:16 +0100 Subject: [PATCH 2/7] fix: pin actionlint action to specific commit SHA for security compliance --- .github/workflows/lint-workflows.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml index 1b1bfdb..58c4f78 100644 --- a/.github/workflows/lint-workflows.yml +++ b/.github/workflows/lint-workflows.yml @@ -19,7 +19,7 @@ jobs: - uses: actions/checkout@v4 - name: Run actionlint - uses: raven-actions/actionlint@v2 + uses: raven-actions/actionlint@205b530c5d9fa8f44ae9ed59f341a0db994aa6f8 zizmor: runs-on: ubuntu-latest From dcd8f35acb020db426cffc2c67637b4a588a8c62 Mon Sep 17 00:00:00 2001 From: nbrieussel Date: Sun, 22 Mar 2026 17:49:33 +0100 Subject: [PATCH 3/7] fix: pin zizmor-action to specific commit SHA for security compliance --- .github/workflows/lint-workflows.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml index 58c4f78..658aa94 100644 --- a/.github/workflows/lint-workflows.yml +++ b/.github/workflows/lint-workflows.yml 
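Review bot: Adding `"mise": true` beside `gh` and `git push` in what looks like a terminal command auto-approval map (the parent key is outside the hunk, so this is inferred from the sibling entries) would let any `mise` subcommand run without a confirmation prompt; `mise run`/`mise exec` execute whatever tasks and tool installers `mise.toml` declares, which is a wider grant than the `git` entries it sits next to. If the intent is only to let the pre-push hook's `mise install actionlint` run unattended, approve that specific invocation rather than the bare `mise` prefix, or leave it prompting. A short comment explaining the grant would help, e.g. `// mise: lets the pre-push hook install linters non-interactively` (VS Code settings files accept comments).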
@@ -27,4 +27,4 @@ jobs: - uses: actions/checkout@v4 - name: Run zizmor security check - uses: zizmorcore/zizmor-action@v0.5.2 + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 From 64db39fa5720ff31d0b6e74de110107c229b7c6c Mon Sep 17 00:00:00 2001 From: nbrieussel Date: Sun, 22 Mar 2026 17:51:00 +0100 Subject: [PATCH 4/7] fix: pin actions/checkout to specific commit SHA for security compliance --- .github/workflows/lint-workflows.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml index 658aa94..16fe7de 100644 --- a/.github/workflows/lint-workflows.yml +++ b/.github/workflows/lint-workflows.yml @@ -16,7 +16,7 @@ jobs: actionlint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 - name: Run actionlint uses: raven-actions/actionlint@205b530c5d9fa8f44ae9ed59f341a0db994aa6f8 @@ -24,7 +24,7 @@ jobs: zizmor: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 - name: Run zizmor security check uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 From 8402e03ff6d060873bb835acf259e2b9e7e59672 Mon Sep 17 00:00:00 2001 From: nbrieussel Date: Sun, 22 Mar 2026 17:51:18 +0100 Subject: [PATCH 5/7] fix: disable credential persistence in checkout to prevent artifact leaks --- .github/workflows/lint-workflows.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml index 16fe7de..5cb20b4 100644 --- a/.github/workflows/lint-workflows.yml +++ b/.github/workflows/lint-workflows.yml 
@@ -17,6 +17,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 + with: + persist-credentials: false - name: Run actionlint uses: raven-actions/actionlint@205b530c5d9fa8f44ae9ed59f341a0db994aa6f8 @@ -25,6 +27,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 + with: + persist-credentials: false - name: Run zizmor security check uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 From d549411420418be30ba46c7fac681b5d56b80177 Mon Sep 17 00:00:00 2001 From: nbrieussel Date: Sun, 22 Mar 2026 17:51:53 +0100 Subject: [PATCH 6/7] fix: apply principle of least privilege with job-level permissions --- .github/workflows/lint-workflows.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml index 5cb20b4..ce0cc50 100644 --- a/.github/workflows/lint-workflows.yml +++ b/.github/workflows/lint-workflows.yml @@ -8,12 +8,10 @@ on: paths: - '.github/workflows/**' -permissions: - contents: read - security-events: write - jobs: actionlint: + permissions: + contents: read runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 @@ -24,6 +22,9 @@ jobs: uses: raven-actions/actionlint@205b530c5d9fa8f44ae9ed59f341a0db994aa6f8 zizmor: + permissions: + contents: read + security-events: write runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 From af4399ad7127d9502d1e2fcd9a455f4f6e265141 Mon Sep 17 00:00:00 2001 From: nbrieussel Date: Sun, 22 Mar 2026 18:53:38 +0100 Subject: [PATCH 7/7] fix: update actions to latest versions and pin SHAs --- .github/workflows/lint-workflows.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml index ce0cc50..a26567b 100644 
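Review bot: Removing the workflow-level `permissions` block in the first hunk of the least-privilege patch means any job later added to this file without its own `permissions` falls back to the repository's default `GITHUB_TOKEN` permissions, which can be read/write; the two existing jobs are covered by the new job-level blocks, but the file loses its floor. Keep a deny-all default alongside the job-level grants, e.g. `permissions: {}` where the removed block was, so that job-level blocks only widen an empty baseline. The `on:` trigger block is outside the hunk, so I cannot tell whether this workflow runs on `pull_request_target`, where a least-privilege token matters most.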
--- a/.github/workflows/lint-workflows.yml +++ b/.github/workflows/lint-workflows.yml @@ -14,12 +14,12 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Run actionlint - uses: raven-actions/actionlint@205b530c5d9fa8f44ae9ed59f341a0db994aa6f8 + uses: raven-actions/actionlint@205b530c5d9fa8f44ae9ed59f341a0db994aa6f8 # v2.1.2 zizmor: permissions: @@ -27,9 +27,9 @@ jobs: security-events: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Run zizmor security check - uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
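Review bot: The `# v6.0.2`, `# v2.1.2` and `# v0.5.2` comments are not checked by the runner, and `actionlint` and `zizmor-action` keep the same SHAs as before while only gaining a comment, so the title's "update to latest versions" applies to `actions/checkout` alone; confirm each SHA actually resolves to the tag named beside it (for example via `git ls-remote` against the action repository), since Dependabot and Renovate read that comment to decide what to bump. The checkout pin moves from an unlabelled SHA (presumably the `v4` tag pinned earlier in this series) to a `v6.0.2` label, a major-version jump that deserves a one-line reason in the commit description. The `persist-credentials: false` inputs are retained across the bump, which is right for these read-only lint jobs.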