Skip to content

CI security gates: zizmor plus review-component checks #99

Description

@taras

Problem

Several security properties are currently conventions with no mechanical
enforcement: actions pinned to commit SHAs, no pull_request_target, no
secrets assigned to eval bindings in review components, downloaded binaries
checksum-verified (EnsureOxlint style).

Proposal

Add CI gates plus the matching agent rules:

  • Run zizmor over .github/workflows/ (unpinned actions,
    pull_request_target, injection patterns, missing permissions).
  • Custom checks zizmor does not cover: fail when an eval block under
    .reviews/ or core/components/ assigns process.env.<SECRET> to a
    binding, and when a component downloads a binary without an adjacent sha256
    verification.
  • Add the corresponding security rules to AGENTS.md so agents follow the
    conventions the gates enforce.

Metadata

Metadata

Assignees

No one assigned

    Labels

    securitySecurity hardening

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions