Skip to content

chore(ci): Fix zizmor security findings in workflows#956

Merged
morganchen12 merged 6 commits into
mainfrom
mc/zizmor
Jul 9, 2026
Merged

chore(ci): Fix zizmor security findings in workflows#956
morganchen12 merged 6 commits into
mainfrom
mc/zizmor

Conversation

@morganchen12

Copy link
Copy Markdown
Contributor

No description provided.

Resolved findings flagged by zizmor:
- Added explicit global `contents: read` permissions to `ci.yml`, `nightly.yml`, and `release.yml`.
- Configured checkouts to set `persist-credentials: false` in `ci.yml`, `nightly.yml`, and the staging phase of `release.yml`.
- Added explicit `persist-credentials: true` with a `# zizmor: ignore[artipacked]` comment to the checkout step in the publishing phase of `release.yml`, where credentials are required for git commands inside `publish_preflight_check.sh`.
@gemini-code-assist

Copy link
Copy Markdown

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@lahirumaramba lahirumaramba self-assigned this Jun 29, 2026

@jonathanedey jonathanedey left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, Thanks!

@morganchen12 morganchen12 merged commit b40e738 into main Jul 9, 2026
24 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants