ci(security): add actionlint + zizmor workflows #6194
unisone wants to merge 3 commits into openclaw:main from
.github/workflows/zizmor.yml
| uses: zizmorcore/zizmor@v0 | ||
| with: | ||
| config: zizmor.yml |
[P2] Pin third-party action ref to a commit SHA.
Using zizmorcore/zizmor@v0 pulls whatever the v0 tag points to at runtime; if that tag is moved (or the publisher account is compromised), this workflow will run unreviewed code. Consider pinning to a full commit SHA and optionally keeping a v0 comment for readability. This is especially relevant since this job is explicitly about workflow supply-chain security.
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Run actionlint | ||
| uses: rhysd/actionlint@v1 | ||
| with: | ||
| # Use repo config when present | ||
| config-file: .github/actionlint.yaml |
[P2] Pin third-party action refs to commit SHAs (and consider persist-credentials: false).
Both actions/checkout@v4 and rhysd/actionlint@v1 are tag-based and can change over time; pinning to a commit SHA is the usual hardening step to reduce supply-chain risk (particularly appropriate given this PR’s security focus). If you keep checkout, also consider with: persist-credentials: false since this job only reads repo contents.
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Run zizmor | ||
| uses: zizmorcore/zizmor@v0 | ||
| with: | ||
| config: zizmor.yml |
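Review bot: the `actions/checkout@v4` step in this hunk has no `persist-credentials: false`, the same omission already raised on the actionlint workflow; since this job only reads workflow files, add `with: persist-credentials: false` to the checkout step so the token is not left in `.git/config` for later steps, and pin the ref to a full commit SHA as suggested.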
[P2] Consider scanning only workflow files (and pin actions/checkout).
Right now this checks out the whole repo and runs zizmor with config: zizmor.yml (which appears to be a workflow-focused config). If the intent is only to analyze GitHub Actions, consider configuring zizmor to only target .github/workflows/** (and similarly pin actions/checkout@v4), which reduces runtime and avoids scanning unrelated files.
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
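The two hardening points raised in the review comments above (mutable tag refs, and checkout steps that keep credentials) can be checked mechanically. The following is an added example, not code from this PR or from zizmor; it runs two regex-based checks over workflow text, using constructed samples of the submitted steps and a hardened variant with placeholder SHAs (the real commit SHAs are not on this page).

```python
import re

# Constructed samples (not the PR's files): the checkout/zizmor steps as they appear
# in the PR's diff, and a hardened variant. The 40-hex SHAs are placeholders only.
AS_SUBMITTED = """\
steps:
  - uses: actions/checkout@v4
  - name: Run zizmor
    uses: zizmorcore/zizmor@v0
    with:
      config: zizmor.yml
"""
HARDENED = """\
steps:
  - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder)
    with:
      persist-credentials: false
  - name: Run zizmor
    uses: zizmorcore/zizmor-action@1111111111111111111111111111111111111111 # placeholder
"""

USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^@\s]+)@(\S+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
STEP_RE = re.compile(r"^[ \t]*-[ \t]", re.MULTILINE)


def unpinned_uses(text):
    """(action, ref) pairs whose ref is a mutable tag/branch rather than a 40-hex commit SHA.
    Local (./) and docker:// references are skipped: a commit SHA does not apply to them."""
    found = []
    for action, ref in USES_RE.findall(text):
        if action.startswith(("./", "docker://")) or SHA_RE.match(ref):
            continue
        found.append((action, ref))
    return found


def checkouts_keeping_credentials(text):
    """Refs of actions/checkout steps lacking `persist-credentials: false`, i.e. steps that
    leave GITHUB_TOKEN in .git/config for later steps. Steps are split on list-item lines;
    nested list items inside a step are not handled (simplification, not a YAML parser)."""
    starts = [m.start() for m in STEP_RE.finditer(text)] + [len(text)]
    flagged = []
    for a, b in zip(starts, starts[1:]):
        step = text[a:b]
        m = USES_RE.search(step)
        if m and m.group(1) == "actions/checkout" and not re.search(r"persist-credentials:[ \t]*false", step):
            flagged.append(m.group(2))
    return flagged
```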
CI was failing because the actions were referenced as @v1/@v0 which aren't valid tags for these repos. Pushed a fix to pin to rhysd/[email protected] and zizmorcore/[email protected].
Follow-up: zizmor was failing due to the Docker-based zizmor action requiring an unset ZIZMOR_VERSION env. Switched to zizmorcore/[email protected], which is the supported GH Action wrapper.
CLAWDINATOR FIELD REPORT // PR Closure
I am CLAWDINATOR, cybernetic crustacean, maintainer triage bot for OpenClaw. I was sent from the future to keep this repo shipping clean code.
OpenClaw has 800+ open PRs. We're aggressively closing features, CI changes, and non-critical improvements. If this change is important, open an issue first to discuss with maintainers.
TERMINATED. 🤖
This is an automated message from CLAWDINATOR, the OpenClaw maintainer bot.
Summary
Adds CI jobs to lint GitHub Actions workflows with actionlint and to scan workflow security posture with zizmor.
Why
The repo already has actionlint.yaml and zizmor.yml, but no workflows were actually running these tools. Wiring them up catches workflow bugs and reduces supply-chain risk.
Notes
Greptile Overview
Greptile Summary
This PR adds two new GitHub Actions workflows under .github/workflows/ that run on pull_request and pushes to main: one runs rhysd/actionlint using the repo's .github/actionlint.yaml config, and the other runs zizmorcore/zizmor using zizmor.yml. These checks complement the existing workflow/tool configuration by actually enforcing it in CI, helping catch workflow syntax/logic issues and providing automated security posture scanning for workflows.
Confidence Score: 4/5