chore(ci): harden GitHub Actions workflows #532

Open
geoquant wants to merge 2 commits into cloudflare:main from geoquant:geoquant/zizmor-hardening

Collaborator

@geoquant geoquant commented May 22, 2026

Summary

Hardens GitHub Actions workflows for zizmor by pinning third-party actions, reducing default permissions, disabling checkout credential persistence, and avoiding direct expression interpolation in shell scripts.

zizmor is a static analysis tool for finding security issues in GitHub Actions workflows.

Testing

Not run; workflow-only changes.

  • Reviews
      • bonk has reviewed the change
      • automated review not possible because: workflow security hardening requires human review
  • Tests
      • Tests included/updated
      • Automated tests not possible - manual testing has been completed as follows: reviewed workflow diffs and permissions
      • Additional testing not necessary because: n/a

pkg-pr-new Bot commented May 22, 2026

npm i https://pkg.pr.new/@cloudflare/kumo@532

commit: 068d457

Contributor

github-actions Bot commented May 22, 2026

Docs Preview

View docs preview

Commit: 068d457

Collaborator Author

/bonk review

Contributor

@ask-bonk ask-bonk Bot left a comment

Security Review: GitHub Actions Workflow Hardening

This PR implements excellent security hardening practices for GitHub Actions workflows using zizmor recommendations. Here's my assessment:

✅ What's Working Well

  1. SHA-pinning of third-party actions - The change from pnpm/action-setup@v4 to the full SHA b906affcce14559ad1aafd4ab0e942779e9f58b1 prevents supply chain attacks via tag manipulation.

  2. persist-credentials: false - Properly applied to all actions/checkout steps to prevent credential persistence after checkout.

  3. Expression interpolation moved to env vars - This is the most critical fix. Moving ${{ }} expressions from inline shell scripts to environment variables prevents command injection (e.g., in bonk-check.yml, preview.yml, reviewer.yml).

  4. Principle of least privilege - Changed top-level permissions to {} and added granular job-level permissions. This limits blast radius if a job is compromised.

  5. Zizmor configuration - The .github/zizmor.yml config is well-documented and allows GitHub-maintained actions to stay tag-pinned while requiring third-party actions to use immutable SHAs.

  6. Informative zizmor ignore comment - The dangerous-triggers ignore in preview-deploy.yml includes a clear justification for why workflow_run is necessary for fork security.

🔍 Minor Observations

  • The ask-bonk/ask-bonk/github action is already properly pinned to a SHA (8c7a8314f4f4865e2e41e5718dfabc4ab7a2274b) - good!
  • The actions/checkout versions vary between v4 and v6 across workflows. Consider standardizing, though this isn't a security issue since they're GitHub-maintained actions.

📋 Summary

These changes significantly improve the security posture of the CI/CD pipeline by:

  • Preventing supply chain attacks via immutable action references
  • Eliminating command injection vectors from workflow expressions
  • Reducing credential exposure scope
  • Following the principle of least privilege for workflow permissions

LGTM! 🚀

Contributor

ask-bonk Bot commented May 26, 2026

I've completed my security review of PR #532. Here's a summary of my findings:

Review Summary: GitHub Actions Workflow Hardening

✅ Approved - Excellent Security Improvements

This PR implements comprehensive security hardening following zizmor recommendations:

| Security Control | Implementation | Risk Mitigated |
| --- | --- | --- |
| SHA-pinning | Third-party actions pinned to immutable SHAs | Supply chain attacks via tag manipulation |
| persist-credentials: false | Applied to all checkout steps | Credential leakage after checkout |
| Env variable interpolation | ${{ }} expressions moved to env vars | Command injection attacks |
| Least privilege permissions | Top-level {} + job-specific grants | Blast radius limitation |
| Zizmor config | Sensible policy for 1st vs 3rd party actions | Ongoing audit compliance |

Key Highlights

  1. Most Critical Fix: Moving expression interpolation to environment variables prevents shell injection. For example, in bonk-check.yml:

    # Before (vulnerable)
    run: |
      PR_NUMBER="${{ github.event.pull_request.number }}"
    
    # After (safe)
    env:
      PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
    run: |
      PR_NUMBER="$PULL_REQUEST_NUMBER"

  2. Well-Documented Exceptions: The zizmor: ignore[dangerous-triggers] comment in preview-deploy.yml clearly explains why workflow_run is necessary for fork PR security.

  3. Already Properly Pinned: The ask-bonk/ask-bonk/github action was already using SHA pinning.

Minor Note

The actions/checkout action versions vary (v4 vs v6) across workflows. Not a security concern (GitHub-maintained), but could be standardized for consistency.

Verdict: LGTM! 🚀 These changes significantly improve CI/CD security posture.

github run
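
A simplified, line-based check for two of the findings discussed in the review above (third-party actions not pinned to a SHA, and `${{ }}` expanded inside `run:` scripts), given here as an added example that is not part of this PR or of zizmor. The rule labels, the set of owners treated as GitHub-maintained, and the sample workflow are assumptions constructed for illustration.

```python
import re

# Assumption: owners treated as GitHub-maintained (allowed to stay tag-pinned).
FIRST_PARTY = {"actions", "github"}
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
RUN = re.compile(r"^(\s*(?:-\s*)?)run:\s*(.*)$")
EXPR = re.compile(r"\$\{\{.*?\}\}")
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")

def audit(text):
    """Return (line_no, rule, detail) findings; line-based, not a YAML parser."""
    findings, run_col = [], None   # run_col: column of `run:` while in its block
    for no, line in enumerate(text.splitlines(), 1):
        if run_col is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= run_col:
                run_col = None     # block scalar ended; handle this line normally
            else:
                findings += [(no, "template-injection", e) for e in EXPR.findall(line)]
                continue
        m = RUN.match(line)
        if m:
            if m.group(2)[:1] in ("|", ">"):
                run_col = len(m.group(1))      # multi-line script follows
            else:                              # single-line script
                findings += [(no, "template-injection", e) for e in EXPR.findall(m.group(2))]
            continue
        m = USES.match(line)
        if m:
            ref = m.group(1).strip("\"'")
            local = ref.startswith(("./", "docker://"))
            if not local and ref.split("/")[0] not in FIRST_PARTY and not SHA_PIN.search(ref):
                findings.append((no, "unpinned-action", ref))
    return findings

# Constructed sample: the before/after from the review plus both pin styles.
SAMPLE = """\
jobs:
  check:
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1
      - run: |
          PR_NUMBER="${{ github.event.pull_request.number }}"
      - env:
          PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          PR_NUMBER="$PULL_REQUEST_NUMBER"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The expression under `env:` is not flagged because the runner passes it to the script as data in an environment variable rather than pasting it into the script text.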