Improve GitHub Actions security posture

laurynas-biveinis · claude · laurynas-biveinis · commit aea6dcdaae58 · 2025-11-07T08:55:41.000+02:00
- Add persist-credentials: false to all checkout actions to prevent credential persistence in workflow runs - Add zizmor: ignore[unpinned-uses] comments to intentionally unpinned actions to document security decisions - Add zizmor security checks to check.sh to verify GitHub Actions configuration follows security best practices These changes harden the CI/CD pipeline by reducing credential exposure risk and automating security verification of GitHub Actions workflow files. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -287,6 +287,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           submodules: true
+          persist-credentials: false
 
       - name: Setup common dependencies for Linux
         run: |
@@ -467,7 +468,7 @@ jobs:
         if: env.COVERAGE == 'ON'
 
       - name: Upload coverage data
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v5  # zizmor: ignore[unpinned-uses]
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           flags: ${{matrix.BUILD_TYPE}}
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
@@ -29,10 +29,11 @@ jobs:
         uses: actions/checkout@v5
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Run Claude Code Review
         id: claude-review
-        uses: anthropics/claude-code-action@beta
+        uses: anthropics/claude-code-action@beta  # zizmor: ignore[unpinned-uses]
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
 
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -26,10 +26,11 @@ jobs:
         uses: actions/checkout@v5
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Run Claude Code
         id: claude
-        uses: anthropics/claude-code-action@beta
+        uses: anthropics/claude-code-action@beta  # zizmor: ignore[unpinned-uses]
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
 
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -27,6 +27,7 @@ jobs:
         uses: actions/checkout@v5
         with:
           submodules: true
+          persist-credentials: false
 
       - name: Setup dependencies for Linux
         run: |
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -13,12 +13,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Install Doxygen
         run: sudo apt-get install doxygen
       - name: Generate docs
         run: doxygen Doxyfile
       - name: Deploy docs
-        uses: peaceiris/actions-gh-pages@v4
+        uses: peaceiris/actions-gh-pages@v4  # zizmor: ignore[unpinned-uses]
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./docs/html/
diff --git a/.github/workflows/examples.yml b/.github/workflows/examples.yml
@@ -30,6 +30,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           submodules: false
+          persist-credentials: false
 
       - name: Setup dependencies
         run: |
diff --git a/.github/workflows/experimental-build.yml b/.github/workflows/experimental-build.yml
@@ -30,6 +30,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           submodules: true
+          persist-credentials: false
 
       - name: Set up dependencies for macOS
         run: |
diff --git a/.github/workflows/feature-matrix-build.yml b/.github/workflows/feature-matrix-build.yml
@@ -32,6 +32,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           submodules: ${{ matrix.TESTS == 'ON' || matrix.BENCHMARKS == 'ON' }}
+          persist-credentials: false
 
       - name: Setup Boost
         run: sudo apt-get install -y libboost-dev
diff --git a/.github/workflows/msvc-build.yml b/.github/workflows/msvc-build.yml
@@ -58,9 +58,10 @@ jobs:
       - uses: actions/checkout@v5
         with:
           submodules: false
+          persist-credentials: false
 
       - name: Setup command line tools
-        uses: ilammy/msvc-dev-cmd@v1
+        uses: ilammy/msvc-dev-cmd@v1  # zizmor: ignore[unpinned-uses]
 
       - name: Install dependencies
         run: |
diff --git a/.github/workflows/old-compilers.yml b/.github/workflows/old-compilers.yml
@@ -631,6 +631,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           submodules: true
+          persist-credentials: false
 
       - name: Setup common dependencies
         run: |
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
@@ -19,6 +19,7 @@ jobs:
           submodules: true
           # Shallow clones should be disabled for a better relevancy of analysis
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Setup dependencies
         run: |
@@ -29,7 +30,7 @@ jobs:
           cmake . -DCMAKE_BUILD_TYPE=Release -DSTANDALONE=ON
 
       - name: SonarCloud Scan
-        uses: SonarSource/sonarqube-scan-action@v6
+        uses: SonarSource/sonarqube-scan-action@v6  # zizmor: ignore[unpinned-uses]
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/superlinter.yml b/.github/workflows/superlinter.yml
@@ -27,11 +27,12 @@ jobs:
           # super-linter needs the full git history to get the
           # list of files that changed across commits
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Run Super-Linter
         # If a version bump bumps clang-format version, update its version int
         # CONTRIBUTING.md too
-        uses: super-linter/super-linter/slim@v8.2.1
+        uses: super-linter/super-linter/slim@v8.2.1  # zizmor: ignore[unpinned-uses]
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           VALIDATE_ANSIBLE: false
diff --git a/.github/workflows/valgrind.yml b/.github/workflows/valgrind.yml
@@ -28,6 +28,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           submodules: true
+          persist-credentials: false
 
       - name: Setup dependencies
         run: |
diff --git a/check.sh b/check.sh
@@ -11,6 +11,15 @@ if ! checkov --framework github_actions --directory .github/workflows --compact
     ERRORS=$((ERRORS + 1))
 fi
 
+# Run zizmor security check on GitHub Actions
+echo -n "Checking GitHub Actions security... $(echo .github/workflows/*.yml) "
+if zizmor .github/workflows/*.yml; then
+    echo "OK!"
+else
+    echo "zizmor check failed!"
+    ERRORS=$((ERRORS + 1))
+fi
+
 # Run checkov on CircleCI config
 echo "Checking CircleCI configuration..."
 if ! checkov --framework circleci_pipelines --file .circleci/config.yml --compact --quiet; then
