chore: Harden workflows: least-privilege permissions + zizmor integration#1039
Merged
Apply GitHub Actions security best practices to the action's own
workflows and integrate zizmor to catch regressions.
- Add explicit least-privilege `permissions:` to every workflow
(contents: read for read-only workflows; default-deny `{}` with
job-scoped grants for codeql, publish-immutable-actions and
update-config-files).
- Set `persist-credentials: false` on all checkout steps that don't
need the GITHUB_TOKEN afterwards.
- Move `${{ ... }}` expansions out of `run:` blocks into `env:` vars
to avoid template injection.
- Pin the alpine container image (alpine:latest -> alpine:3.21).
- Add a zizmor CI workflow that uploads SARIF to code scanning, plus a
`.github/zizmor.yml` pinning policy (ref-pin for actions/* and
github/*, hash-pin for third-party actions).
zizmor now reports no findings (offline and online).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR hardens this repository’s GitHub Actions workflows by enforcing least-privilege permissions, reducing token persistence, mitigating expression interpolation risks in run: blocks, pinning a previously-mutable container tag, and adding a zizmor workflow to continuously scan for workflow security regressions.
Changes:
- Add explicit least-privilege `permissions:` across workflows (including top-level `{}` + job-level overrides where needed).
- Set `persist-credentials: false` on `actions/checkout` where the token isn't needed, and move `${{ }}` expansions out of inline shell scripts into `env:` variables.
- Introduce zizmor configuration + a new workflow that runs zizmor and uploads SARIF to Code Scanning; pin `alpine` from `latest` to `3.21` for the alpine e2e job.
Summary per file:
| File | Description |
|---|---|
| .github/zizmor.yml | Defines zizmor pinning policy (ref-pin for first-party, hash-pin for third-party). |
| .github/workflows/zizmor.yml | Adds zizmor CI job to scan workflows and upload SARIF to code scanning. |
| .github/workflows/update-config-files.yml | Applies top-level {} permissions and grants minimal write permissions to the reusable workflow job. |
| .github/workflows/publish-immutable-actions.yml | Applies top-level {} permissions and disables checkout credential persistence. |
| .github/workflows/licensed.yml | Explicitly scopes workflow token to contents: read. |
| .github/workflows/e2e-versions.yml | Adds contents: read, disables credential persistence, pins alpine image, and avoids inline expression interpolation in run:. |
| .github/workflows/e2e-publishing.yml | Adds contents: read and disables checkout credential persistence across jobs. |
| .github/workflows/e2e-local-file.yml | Adds contents: read, disables checkout credential persistence, and avoids inline expression interpolation in run:. |
| .github/workflows/e2e-cache.yml | Adds contents: read and disables checkout credential persistence across jobs. |
| .github/workflows/e2e-cache-dependency-path.yml | Adds contents: read and disables checkout credential persistence across jobs. |
| .github/workflows/codeql-analysis.yml | Applies top-level {} permissions (job-level permissions already scoped). |
| .github/workflows/check-dist.yml | Explicitly scopes workflow token to contents: read. |
| .github/workflows/basic-validation.yml | Explicitly scopes workflow token to contents: read. |
Copilot's findings
- Files reviewed: 13/13 changed files
- Comments generated: 1
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
The `if:` key on the "Upload SARIF results to code scanning" step had no
indentation, producing invalid YAML ("Nested mappings are not allowed in
compact mappings"). This broke `npm run format-check` (prettier) in Basic
validation.
Indent `if:` to 8 spaces so it nests under the step alongside uses/with.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
gdams previously approved these changes (Jun 23, 2026)
gdams approved these changes (Jun 23, 2026)
mergify Bot added a commit to ArcadeData/arcadedb that referenced this pull request (Jun 29, 2026):
Bumps the github-actions group with 4 updates: [actions/setup-python](https://github.com/actions/setup-python), [actions/setup-java](https://github.com/actions/setup-java), [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) and [actions/setup-dotnet](https://github.com/actions/setup-dotnet). Updates `actions/setup-java` from 5.3.0 to 5.4.0.
Summary
Hardens the action's own CI/CD workflows by applying GitHub Actions security best practices and integrates zizmor so regressions are caught automatically going forward.
Motivation: after the recent supply-chain compromises in the Actions ecosystem, consumers increasingly expect the actions they depend on to follow least-privilege and hardening practices. These changes are config-only — no action source (`src/` / `dist/`) is touched, so runtime behavior of `setup-java` is unchanged.

What changed
1. Least-privilege `permissions:` on every workflow
Previously most workflows had no `permissions:` block and therefore inherited the repository/organization default token scopes. Now each workflow declares exactly what it needs:

| Workflow | Permissions |
|---|---|
| `basic-validation`, `check-dist`, `licensed`, all `e2e-*` | `contents: read` |
| `codeql-analysis` | `{}`, job keeps `actions: read` / `contents: read` / `security-events: write` |
| `publish-immutable-actions` | `{}`, job keeps `contents: read` / `id-token: write` / `packages: write` |
| `update-config-files` | `{}`, job gets `contents: write` + `pull-requests: write` (needed to push the branch and open the PR) |
| `release-new-action-version` | `contents: write` (unchanged) |

2. Drop credential persistence
Added `persist-credentials: false` to all `actions/checkout` steps that don't subsequently use the `GITHUB_TOKEN` (every e2e/validation checkout plus the immutable-publish checkout). This prevents the token from lingering in the local git config.

3. Avoid template injection in `run:` blocks
Moved `${{ matrix.version }}` and `${{ steps.setup-java.outputs.path }}` expansions out of inline `run:` scripts into `env:` variables referenced as `"$VAR"`, the pattern recommended to avoid shell injection via expression interpolation.

4. Pin the container image
`alpine:latest` → `alpine:3.21` in `e2e-versions.yml` (mutable `latest` tag → fixed version).

5. Integrate zizmor
- `.github/workflows/zizmor.yml` — runs on push/PR, fails the build on any finding (regression gate), and uploads SARIF to the Code scanning tab.
- `.github/zizmor.yml` — pinning policy aligned with this repo's conventions: first-party `actions/*` and `github/*` may use version tags (ref-pin), while any third-party action must be pinned to a full commit SHA (hash-pin).

Validation
zizmor goes from 39 high + 39 medium + 31 low/info findings to 0, both offline and online:
All workflow YAML was validated for syntax.

Related
Addresses the hardening/security-posture aspect mentioned alongside #1023 (immutable releases). The `publish-immutable-actions.yml` workflow that satisfies #1023 is also hardened here (`persist-credentials: false`, explicit top-level `{}`).
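As an added illustration (not a file from the setup-java repository or from this PR), one e2e-style workflow carrying the four in-workflow hardenings the description lists, with the prior form left in `before:` comments; the job name, the matrix values and `uses: ./` are assumptions.

```yaml
# Added example, not a workflow from actions/setup-java. Job name, matrix
# values and `uses: ./` are assumed; each hardening is numbered as in the PR.
name: e2e-versions (hardened illustration)

on:
  push:
    branches: [main]
  pull_request:

# 1. Least privilege. Without this block the job token inherits the
#    repository/organization default scopes. A read-only workflow needs only
#    `contents: read`. The PR's codeql/publish/update-config workflows instead
#    use a top-level `permissions: {}` (deny everything) and grant the few
#    scopes they need on the individual job.
permissions:
  contents: read

jobs:
  setup-java-alpine:
    runs-on: ubuntu-latest
    # 4. Pin the container image. `alpine:latest` is a mutable tag, so the
    #    same workflow file could run on a different base image tomorrow.
    # before: image: alpine:latest
    container:
      image: alpine:3.21
    strategy:
      matrix:
        version: ['17', '21']   # assumed matrix values

    steps:
      - uses: actions/checkout@v4
        with:
          # 2. No later step uses GITHUB_TOKEN, so do not leave it in
          #    .git/config where any later step, or a dumped workspace,
          #    could read it back.
          persist-credentials: false

      - id: setup-java
        uses: ./          # the action under test, assumed checked out at root
        with:
          distribution: temurin
          java-version: ${{ matrix.version }}

      # 3. Template injection. `${{ }}` is expanded by the runner *before* the
      #    shell sees the script, so the value is spliced into the command
      #    line as source text. Passing it through `env:` turns it into an
      #    ordinary environment variable that the shell quotes like any other
      #    value, which is what zizmor's template-injection rule asks for.
      # before:
      #   run: |
      #     java -version 2>&1 | grep "${{ matrix.version }}"
      #     ls "${{ steps.setup-java.outputs.path }}"
      - name: Verify installed version and path
        env:
          EXPECTED_VERSION: ${{ matrix.version }}
          JAVA_PATH: ${{ steps.setup-java.outputs.path }}
        run: |
          java -version 2>&1 | grep "$EXPECTED_VERSION"
          ls "$JAVA_PATH"
```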