Skip to content

[Maintenance] CI/CD: GitHub Actions workflow security audit (zizmor / actionlint) #185

Description

@Chris-Wolfgang

Scope

CodeQL (S1) and SAST tools scan source code. They don't inspect the GitHub Actions YAML itself for workflow-level vulnerabilities: untrusted-input injection into run: blocks, missing or overly-permissive permissions: blocks, secrets leaking via expression-context expansion, third-party actions not pinned by SHA.

The deferred work is to run zizmor or actionlint (ideally both — they cover different rule sets) on every PR.

Acceptance criteria

  • pr.yaml (or a dedicated workflow-security.yaml) runs zizmor and actionlint on every PR.
  • Findings are reported as PR annotations.
  • A documented baseline of accepted suppressions (with reason per suppression) lives in .zizmor.yml / actionlint.yaml.
  • The check fails the PR if a new high-severity finding is introduced.

Notes

Metadata

Metadata

Assignees

No one assigned

    Labels

    maintenance - CI/CDMaintenance: Docker, CI workflow, build/publish pipelinemaintenance-taskA Maintenance sub-issue — actionable improvement workthorough-reviewDeferred deep-review tier — work on canonical Tier-1 issues first

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions