Commit a618ab1
ci: scope publish secrets behind a deployment environment (zizmor secrets-outside-env)
The Audit runs `zizmor .github --min-severity medium`, which failed on four
`secrets-outside-env` MEDIUM findings — the new RubyGems/Composer publish jobs
referenced `secrets.*` without a dedicated GitHub environment (release.yml
gem-publish; release-ecosystems.yml rubygems-cli + packagist-cli). Add a job
`environment:` (`rubygems` / `packagist`) to each, which scopes the secret (and
lets a maintainer later gate publishing with required reviewers; the env is
auto-created with no protection until configured). Verified with the org's exact
invocation (zizmor 1.23.1, `.github`, --min-severity medium): the four findings
are gone; the only remaining medium is the pre-existing artipacked on
release.yml:182 (not mine, suppressed in the org's --gh-token run).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 365a841 commit a618ab1
2 files changed
Lines changed: 10 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
55 | 55 | | |
56 | 56 | | |
57 | 57 | | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
58 | 62 | | |
59 | 63 | | |
60 | 64 | | |
| |||
106 | 110 | | |
107 | 111 | | |
108 | 112 | | |
| 113 | + | |
| 114 | + | |
| 115 | + | |
109 | 116 | | |
110 | 117 | | |
111 | 118 | | |
| |||
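Review bot: the added lines are not rendered in this view, so the environment block itself cannot be checked, but one point applies regardless: a job-level `environment:` only restricts access to secrets that are stored on that environment. If the publish tokens remain repository-level secrets, every job in the repository can still read them and the `secrets-outside-env` finding is silenced without reducing exposure. Suggest moving the tokens into the `rubygems` / `packagist` environment secrets (and deleting the repository-level copies) as part of this change, or stating in the commit that this has been done.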
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
471 | 471 | | |
472 | 472 | | |
473 | 473 | | |
| 474 | + | |
| 475 | + | |
| 476 | + | |
474 | 477 | | |
475 | 478 | | |
476 | 479 | | |
| |||
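Review bot: since the environment is auto-created with no protection rules (as the commit message itself notes), the lines added here are not yet a publishing gate. Suggest configuring required reviewers and a deployment branch/tag rule on the environment before relying on it, and double-checking that the environment name in the added lines matches the environment that holds the secret: a mismatched name silently creates a new, empty environment and the referenced secret resolves to an empty string at publish time.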