From 44934258e7b14660fd2f6330a3cddb46b6e8bd87 Mon Sep 17 00:00:00 2001 From: Steve Beattie Date: Wed, 24 Jun 2026 23:19:42 -0700 Subject: [PATCH 1/4] fix(ci): add zizmor config and dependabot cooldown Add .github/zizmor.yml disabling the cosmetic pedantic rules (anonymous-definition, undocumented-permissions, concurrency-limits) and setting the dependabot-cooldown threshold to 3 days. Add the companion cooldown.default-days: 3 to each ecosystem in .github/dependabot.yaml so the threshold is met. Extend the zizmor workflow paths: filter so edits to the config and dependabot files re-run the check. Refs: PSEC-923 Generated-By: claude-guard chain dd432b57ed51d834e2b8f28bb26ba66d Skills-Applied: zizmor-config Skills-Sha: 7dedf1fc9723c0487e7d2b10722852cb5bf2a1835d1e4bb0a462bcc4d3c65a6f Image-Sha: sha256:20335121a95cc1ec4a70b7a8f9327bf74c23563767143377c640546e0a0e2390
---
 .github/dependabot.yaml | 4 ++++
 .github/workflows/zizmor.yaml | 4 ++++
 .github/zizmor.yml | 15 +++++++++++++++
 3 files changed, 23 insertions(+)
 create mode 100644 .github/zizmor.yml
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
index d5016aa..2fa0c68 100644
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -7,6 +7,8 @@ updates:
 directory: "/"
 schedule:
 interval: "daily"
+ cooldown:
+ default-days: 3
 groups:
 all:
 update-types:
@@ -16,6 +18,8 @@ updates:
 directory: "./"
 schedule:
 interval: "daily"
+ cooldown:
+ default-days: 3
 groups:
 all:
 update-types:
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
index ea7a039..e582ce5 100644
--- a/.github/workflows/zizmor.yaml
+++ b/.github/workflows/zizmor.yaml
@@ -9,11 +9,15 @@ on:
 paths:
 - '.github/workflows/**'
 - '.github/actions/**'
+ - '.github/dependabot.yaml'
+ - '.github/zizmor.yml'
 push:
 branches: ['main']
 paths:
 - '.github/workflows/**'
 - '.github/actions/**'
+ - '.github/dependabot.yaml'
+ - '.github/zizmor.yml'
 
 permissions: {}
 
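Review bot: The `3` under the new `cooldown:` / `default-days:` must stay in lockstep with `rules.dependabot-cooldown.config.days` in .github/zizmor.yml, but only the zizmor side carries a cross-reference, so a later bump on one side silently fails the other; add `# Must be >= rules.dependabot-cooldown.config.days in .github/zizmor.yml.` above `cooldown:` here and in the `@@ -16,6 +18,8 @@` hunk below. If the Dependabot docs still read as I recall, the cooldown delays version updates only and security updates bypass it, so the three-day hold should not postpone vulnerability fixes — worth confirming, since a hold on security updates would be a different trade-off. The two stanzas also differ in `directory` (`"/"` vs `"./"`); that predates the change, but is worth normalizing while both are being edited.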
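Review bot: Extending the `paths:` filter keeps the zizmor job conditional on which files a PR touches, which is the exact gap patch 2 of this series closes for actionlint.yaml because its status check is required on main; if the zizmor check is required as well (branch-protection settings are not visible here), this hunk should drop the filter rather than grow it. Note also that the filter names `.github/dependabot.yaml` with a `.yaml` suffix; the new `dependabot-cooldown` rule only does anything if the pinned zizmor release discovers that spelling and not just `dependabot.yml`, so confirm that or the rule in .github/zizmor.yml never fires. If the filter stays, a comment such as `# Non-workflow inputs that .github/zizmor.yml audits.` above the two new entries would explain why config files trigger a workflow lint.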
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..d38b2c9
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,15 @@
+# Copyright 2026 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+rules:
+ # Paired with `cooldown.default-days: 3` in .github/dependabot.yaml.
+ dependabot-cooldown:
+ config:
+ days: 3
+ # Cosmetic pedantic-only findings — suppressed across the campaign.
+ anonymous-definition:
+ disable: true
+ undocumented-permissions:
+ disable: true
+ concurrency-limits:
+ disable: true
From 6d9e5a3e45a6df80d65405247d50657863a58926 Mon Sep 17 00:00:00 2001 From: Steve Beattie Date: Wed, 24 Jun 2026 23:19:47 -0700 Subject: [PATCH 2/4] fix(ci): remove paths filter gating the required Action lint check The action-lint job publishes the "Action lint" status check, which is a required check on the main branch (per run-facts required_checks with protection_visible=true). A paths: filter that gates a required check lets a PR touching only non-workflow files skip the check and wedge merge. Remove the paths: filter so the workflow runs on all PRs. Refs: PSEC-923 Generated-By: claude-guard chain dd432b57ed51d834e2b8f28bb26ba66d Skills-Applied: actionlint-config Skills-Sha: 7dedf1fc9723c0487e7d2b10722852cb5bf2a1835d1e4bb0a462bcc4d3c65a6f Image-Sha: sha256:20335121a95cc1ec4a70b7a8f9327bf74c23563767143377c640546e0a0e2390
---
 .github/workflows/actionlint.yaml | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
index 4185ebd..4975012 100644
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -5,15 +5,9 @@ name: Action Lint on: pull_request: branches: ['main'] - paths: - - '.github/workflows/**' - - '.github/actions/**' push: branches: ['main'] - paths: - - '.github/workflows/**' - - '.github/actions/**' permissions: {}
From bb616dc5b000f3435da0b31cffe687403b317dbd Mon Sep 17 00:00:00 2001 
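Review bot: The comment above the three `disable: true` entries says they are pedantic-only findings but not that they matter only when zizmor runs with `--persona pedantic`; a reader of this file cannot tell whether deleting them would change the default run. Replace it with `# Pedantic-persona rules only (zizmor --persona pedantic); no effect on the default persona. Tracked in PSEC-923.` so the scope and the reference the commit gives (`Refs: PSEC-923`) survive the "campaign" wording, which points at context outside the repository. I would also confirm that the pinned zizmor release accepts both `disable:` and `config.days`; if its config loader rejects unknown keys, the whole audit fails rather than skipping one rule, which at least surfaces as a red check rather than a silent gap.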
From: Steve Beattie Date: Wed, 24 Jun 2026 23:19:52 -0700 Subject: [PATCH 3/4] fix(ci): move template expressions into env for presubmit-testing The three repo-check steps interpolate ${{ github.repository_owner }} and ${{ github.event.repository.name }} directly into run: shell bodies, so a crafted value could execute as code under the runner. Move github.event.repository.name into a REPO_NAME env: alias and use the built-in $GITHUB_REPOSITORY_OWNER for github.repository_owner, referencing both as double-quoted shell variables. Refs: PSEC-923 Generated-By: claude-guard chain dd432b57ed51d834e2b8f28bb26ba66d Skills-Applied: template-injection Skills-Sha: 7dedf1fc9723c0487e7d2b10722852cb5bf2a1835d1e4bb0a462bcc4d3c65a6f Image-Sha: sha256:20335121a95cc1ec4a70b7a8f9327bf74c23563767143377c640546e0a0e2390
---
 .github/workflows/presubmit-testing.yaml | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/presubmit-testing.yaml b/.github/workflows/presubmit-testing.yaml
index 4cc48ab..808d2d7 100644
--- a/.github/workflows/presubmit-testing.yaml
+++ b/.github/workflows/presubmit-testing.yaml
@@ -40,26 +40,29 @@ jobs: - name: Check default permissions env: GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }} + REPO_NAME: ${{ github.event.repository.name }} run: | go run . repo \ - --organization ${{ github.repository_owner }} \ - --repository ${{ github.event.repository.name }} \ + --organization "${GITHUB_REPOSITORY_OWNER}" \ + --repository "${REPO_NAME}" \ default-permissions - name: Check for deploy keys env: GH_TOKEN: ${{ steps.octo-sts.outputs.token }} + REPO_NAME: ${{ github.event.repository.name }} run: | go run . repo \ - --organization ${{ github.repository_owner }} \ - --repository ${{ github.event.repository.name }} \ + --organization "${GITHUB_REPOSITORY_OWNER}" \ + --repository "${REPO_NAME}" \ deploy-keys - name: Check branch protections env: GH_TOKEN: ${{ steps.octo-sts.outputs.token }} + REPO_NAME: ${{ github.event.repository.name }} run: | go run . repo \ - --organization ${{ github.repository_owner }} \ - --repository ${{ github.event.repository.name }} \ + --organization "${GITHUB_REPOSITORY_OWNER}" \ + --repository "${REPO_NAME}" \ branch-protections
From c40f9925e7f22f80518912bc1c96a682e5ac65b3 Mon Sep 17 00:00:00 2001 From: Steve Beattie Date: Wed, 24 Jun 2026 23:19:58 -0700 Subject: [PATCH 4/4] fix(ci): set persist-credentials false on presubmit-testing checkout The actions/checkout step did not set persist-credentials, so the GITHUB_TOKEN credential was left in the local git config. No downstream step performs git writes (the repo checks use the octo-sts token via GH_TOKEN/GITHUB_TOKEN for GitHub API calls, not git), so the safe default persist-credentials: false applies. Refs: PSEC-923 Generated-By: claude-guard chain dd432b57ed51d834e2b8f28bb26ba66d Skills-Applied: artipacked Skills-Sha: 7dedf1fc9723c0487e7d2b10722852cb5bf2a1835d1e4bb0a462bcc4d3c65a6f Image-Sha: sha256:20335121a95cc1ec4a70b7a8f9327bf74c23563767143377c640546e0a0e2390
---
 .github/workflows/presubmit-testing.yaml | 2 ++
 1 file changed, 2 insertions(+)
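Review bot: `REPO_NAME: ${{ github.event.repository.name }}` is now declared in three separate step-level `env:` blocks; hoisting it once to the job's `env:` (the job header is above this hunk, outside it) removes the triplication and means a future fourth `repo` check cannot forget the alias and fall back to inline `${{ }}` inside `run:`. The fix itself is sound: `"${GITHUB_REPOSITORY_OWNER}"` and `"${REPO_NAME}"` are expanded by the shell as single words, so the expression text never reaches the script parser, and `GITHUB_REPOSITORY_OWNER` is a runner-provided default variable that needs no `env:` entry. Since the env blocks are being edited anyway, the first step names its token `GITHUB_TOKEN` while the other two use `GH_TOKEN`; that split predates this change but is worth aligning to whichever name the `repo` subcommand actually reads.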
diff --git a/.github/workflows/presubmit-testing.yaml b/.github/workflows/presubmit-testing.yaml
index 808d2d7..dbfdc1e 100644
--- a/.github/workflows/presubmit-testing.yaml
+++ b/.github/workflows/presubmit-testing.yaml
@@ -25,6 +25,8 @@ jobs: egress-policy: audit - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with:
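Review bot: The justification for `persist-credentials: false` — that no later step performs git writes and the repo checks use the octo-sts token for API calls — exists only in the commit message, so the next person who adds a step that pushes or tags will see the checkout-backed git write fail with no explanation in the file. Put a one-line comment above the new `with:`: `# No step writes to git; the repo checks use the octo-sts token for API calls.` Note that this setting only keeps the token out of the checkout's git config; the workflow's own `github.token` remains reachable through expressions, so the job- or workflow-level `permissions` (not visible in this hunk) stay the control that bounds it. The setup-go step's `with:` block continues past the end of the hunk.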