
@CommanderK5
Contributor

Description

This PR adds a zizmor security scan to the CI pipeline to analyze new and existing GitHub Actions workflows under .github/workflows/.

  • Runs zizmor on PRs and fails the check when HIGH severity (or above) issues are found, so they can block merges.
  • Runs zizmor on main to produce security reporting (where applicable), keeping visibility into findings over time.
  • Intended to be added as a required status check so workflow-security regressions can’t land unnoticed.

Reference: #642 (comment) / zizmor-action

Type of Change

  • New module
  • New template
  • Bug fix
  • Feature/enhancement
  • Documentation
  • Other - CI / security tooling

Testing & Validation

  • Validation via PR check - opened a test PR with a deliberately risky workflow and confirmed zizmor reports and blocks on HIGH findings

Related Issues

#642 (comment) / zizmor-action
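A workflow that implements the two jobs the description lists (fail PRs on HIGH findings, report from main), as an added example and not the file this PR merged. It assumes zizmor is installed from PyPI with pip, that Code Scanning is enabled so the SARIF upload has somewhere to go, and it uses `<commit-sha>` placeholders where real pinned commits belong; the action version comments beside them are the versions those placeholders would resolve to.

```yaml
# .github/workflows/zizmor.yml -- added example, not the PR's own file
name: zizmor

on:
  pull_request:
  push:
    branches: [main]

# Least privilege: nothing at the top level; each job grants only what it needs.
permissions: {}

jobs:
  # Gate PRs: zizmor exits non-zero when findings at or above the threshold
  # exist, so this job fails and, once it is a required status check, blocks
  # the merge.
  pr-check:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@<commit-sha> # v4 -- placeholder, pin to a real SHA
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - uses: actions/setup-python@<commit-sha> # v5 -- placeholder
        with:
          python-version: "3.12"
      - name: Scan workflows, fail on HIGH or above
        run: |
          python -m pip install zizmor
          zizmor --min-severity high .github/workflows/

  # Report on main: all severities go to Code Scanning as SARIF. The upload
  # step runs even when findings make the scan step exit non-zero.
  report:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@<commit-sha> # v4 -- placeholder
        with:
          persist-credentials: false
      - uses: actions/setup-python@<commit-sha> # v5 -- placeholder
        with:
          python-version: "3.12"
      - name: Scan workflows to SARIF
        run: |
          python -m pip install zizmor
          zizmor --format sarif .github/workflows/ > results.sarif
      - uses: github/codeql-action/upload-sarif@<commit-sha> # v3 -- placeholder
        if: always()
        with:
          sarif_file: results.sarif
```

The scan runs against `.github/workflows/`, so this workflow audits itself too; if it used a floating tag or a `${{ }}` expression inside `run:`, the PR job would fail on its own file.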


@jdomeracki-coder jdomeracki-coder left a comment


Also I think that we should review the blocking findings from:
https://github.com/coder/registry/actions/runs/21075932061/job/60617647791?pr=662

Switching to checksums instead of tags is for the most part a one time change

CommanderK5 added a commit that referenced this pull request Jan 21, 2026
## Description

This PR fixes `zizmor --min-severity high` findings in our GitHub Actions
workflows by:
- Pinning all uses: references to immutable commit SHAs (replaces
floating tags like @v6 / @main).
- Pinning internal Terraform setup action usage
(coder/coder/.github/actions/setup-tf@main) to a fixed ref/commit.
- Pinning crate-ci/typos to a commit SHA.
- Removing GitHub expression template expansion inside a run: block in
version-bump.yaml (prevents template injection flagged by zizmor).


## Type of Change

- [ ] New module
- [ ] New template
- [ ] Bug fix
- [ ] Feature/enhancement
- [ ] Documentation
- [x] Other

## Module Information

N/A

## Template Information

N/A

## Testing & Validation

- [ ] Tests pass (`bun test`)
- [ ] Code formatted (`bun fmt`)
- [x] Changes tested locally - `zizmor .github/workflows/* --min-severity high`

## Related Issues

- #642
- #662
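The two finding classes the commit message names, shown as a before/after pair. This is an added illustration, not the diff of this commit: the actual contents of version-bump.yaml are not on the page, so the job, step and expression below are assumed, and `<commit-sha>` stands in for the real pinned commit.

```yaml
# BEFORE (what zizmor flags): a floating tag can be moved to different code
# after review, and the expression is substituted into the script text before
# the shell runs it, so a value such as a PR title is parsed as shell syntax.
jobs:
  bump:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - run: echo "Bumping for ${{ github.event.pull_request.title }}"
---
# AFTER: pin to an immutable commit SHA (placeholder here; keeping the tag as a
# trailing comment lets update bots track it) and hand the value to the shell
# through an environment variable, which it reads as data, not as script.
jobs:
  bump:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<commit-sha> # v6
        with:
          persist-credentials: false
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Bumping for $PR_TITLE"
```

The `---` separates the two fragments into distinct YAML documents so the snippet stays valid YAML; in a real repository only the second one would exist. Quoting `"$PR_TITLE"` matters: unquoted, the shell would still word-split and glob-expand the value, even though it could no longer inject commands.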
@CommanderK5 CommanderK5 merged commit 01365fb into main Jan 21, 2026
6 checks passed
@CommanderK5 CommanderK5 deleted the feat/zizmor branch January 21, 2026 10:52