80 lines
3.9 KiB
YAML
80 lines
3.9 KiB
YAML
# zizmor configuration — static analysis for GitHub Actions workflows.
|
|
#
|
|
# Docs: https://docs.zizmor.sh/configuration/
|
|
#
|
|
# This file lives at `.github/zizmor.yml` because zizmor auto-discovers
|
|
# it there. The companion workflow at `.github/workflows/security_zizmor.yml`
|
|
# runs zizmor in CI and fails the build on findings at the configured level.
|
|
#
|
|
# When a finding genuinely cannot be remediated (e.g. the action behavior
|
|
# is correct but tripped a check), add it under `rules:` with a clear
|
|
# justification comment — never blanket-suppress.
|
|
|
|
rules:
|
|
# `template-injection` flags ${{ }} expansions that put untrusted input
|
|
# (issue titles, PR titles, branch names, comment bodies) directly into
|
|
# `run:` scripts. The fix is always to route through `env:` and reference
|
|
# the env var inside the shell. We treat any new occurrence as a blocker.
|
|
template-injection:
|
|
ignore: []
|
|
|
|
# `dangerous-triggers` flags `pull_request_target` and similar triggers
|
|
# that run with secrets against fork-controlled refs. Anything new must
|
|
# be reviewed by a maintainer.
|
|
#
|
|
# Suppressions below were each reviewed by a maintainer; new additions
|
|
# must come with a comment explaining why the workflow is safe.
|
|
dangerous-triggers:
|
|
ignore:
|
|
# update-branch.yml: pull_request_target gated on `types: [labeled]`
|
|
# with a maintainer-applied "update-branch" label. The workflow uses
|
|
# the base-repo checkout (not the PR head), so no fork-controlled
|
|
# code runs with the elevated token. This is the documented safe
|
|
# pattern for label-gated automation.
|
|
- update-branch.yml
|
|
# showcase_deploy.yml / showcase_capture-previews.yml: workflow_run
|
|
# triggered by the in-repo "Showcase: Build & Push" workflow. Only
|
|
# main-branch builds fire workflow_run, and the downstream workflows
|
|
# never check out PR-head code — they checkout the same trusted
|
|
# main-branch ref or use the head_branch of the triggering run
|
|
# (which is also main per the upstream filter).
|
|
- showcase_deploy.yml
|
|
- showcase_capture-previews.yml
|
|
# test_smoke-starter.yml: workflow_run triggered by the in-repo
|
|
# "publish / release" workflow. Listens to release completions; no
|
|
# fork-controlled refs reach this workflow.
|
|
- test_smoke-starter.yml
|
|
|
|
# `unpinned-uses` is satisfied because every `uses:` is SHA-pinned and
|
|
# Renovate keeps them current (see renovate.json → local>CopilotKit/renovate).
|
|
|
|
# `excessive-permissions` flags jobs that grant token scopes they don't
|
|
# need. We surface but don't auto-suppress — fixing requires per-job
|
|
# `permissions:` blocks that match the actual API calls in the job.
|
|
excessive-permissions:
|
|
ignore: []
|
|
|
|
# `artipacked` flags `actions/checkout` calls that leave the default
|
|
# GITHUB_TOKEN persisted in the local git config. Every other checkout
|
|
# in the repo sets `persist-credentials: false`. The suppressions below
|
|
# are the workflows that legitimately need the persisted token to push
|
|
# back to the repo (release tagging, docs sync, PR comment from
|
|
# pkg-pr-new). Each call site carries a `persist-credentials required:`
|
|
# comment immediately above it.
|
|
#
|
|
# static_quality.yml was removed: its format job now uses
|
|
# persist-credentials: false and injects credentials via insteadOf
|
|
# only before the push step.
|
|
artipacked:
|
|
ignore:
|
|
# Release workflows that push tags / branches via GITHUB_TOKEN.
|
|
# publish-release.yml is intentionally NOT suppressed: its build job
|
|
# now uses persist-credentials: false (the artifact it uploads would
|
|
# otherwise leak a workflow-scoped token through .git/config) and the
|
|
# publish job downloads the artifact and sets up its own git auth via
|
|
# `git config insteadOf`.
|
|
- prerelease.yml
|
|
# pkg-pr-new posts snapshot comments on the PR using the repo token
|
|
# — credentials must remain persisted for the action to authenticate.
|
|
- publish-commit.yml
|