From 14e5181f75918fffda8840c2f43bc236936b9937 Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Mon, 2 Mar 2026 17:44:33 -0800 Subject: [PATCH 1/8] Add zizmor and frizbee CI checks Add caller workflows for zizmor (security scanning) and frizbee (action pinning verification). Fix zizmor findings where applicable and add suppression config for intentional patterns. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/frizbee.yml | 16 ++++++++++++ .github/workflows/release.yml | 4 ++- .github/workflows/zizmor.yml | 16 ++++++++++++ .github/zizmor.yml | 49 +++++++++++++++++++++++++++++++++++ 4 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/frizbee.yml create mode 100644 .github/workflows/zizmor.yml create mode 100644 .github/zizmor.yml diff --git a/.github/workflows/frizbee.yml b/.github/workflows/frizbee.yml new file mode 100644 index 000000000..642f692d3 --- /dev/null +++ b/.github/workflows/frizbee.yml @@ -0,0 +1,16 @@ +name: Frizbee pinning check +on: + push: + workflow_call: + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + frizbee: + uses: smallstep/workflows/.github/workflows/frizbee.yml@main + secrets: inherit diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a7c233cfe..05119aca4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -25,9 +25,11 @@ jobs: steps: - name: Is Pre-release id: is_prerelease + env: + REF: ${{ github.ref }} run: | set +e - echo ${{ github.ref }} | grep "\-rc.*" + echo "${REF}" | grep "\-rc.*" OUT=$? if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi echo "IS_PRERELEASE=${IS_PRERELEASE}" >> "${GITHUB_OUTPUT}" diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 000000000..3270953b8 --- /dev/null +++ b/.github/workflows/zizmor.yml 
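Review bot: `secrets: inherit` on the `frizbee` job forwards every repository secret to the shared workflow, and with `on: push` carrying no branch filter that happens on every branch and tag push, although a pinning check should normally need only `GITHUB_TOKEN`. If the shared workflow does not consume other secrets, drop `secrets: inherit`; if it does, add a comment naming them, e.g. `# secrets: inherit — required for <which secrets: confirm against smallstep/workflows>`. The same applies to the zizmor.yml caller in the next hunk. The top-level `contents: read` is the right ceiling for a read-only scanner.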
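Review bot: The backslash in the new `echo "${REF}" | grep "\-rc.*"` line exists only to keep `-rc` from being read as grep options; POSIX leaves `\-` undefined and GNU grep 3.8 and later print a `stray \` warning into the job log for it (the exit status, which is all this step uses, is unaffected). The portable form is `echo "${REF}" | grep -q -- '-rc'`, where `--` ends option parsing and the trailing `.*` was redundant. Moving `github.ref` into the `REF` environment variable is the correct fix for the expression-injection finding. The remaining steps of the `create_release` job lie outside the hunk.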
@@ -0,0 +1,16 @@ +name: Zizmor security scan +on: + push: + workflow_call: + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + zizmor: + uses: smallstep/workflows/.github/workflows/zizmor.yml@main + secrets: inherit diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 000000000..d99ba1b20 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,49 @@ +rules: + # Internal reusable workflows (smallstep/*@main) intentionally track + # the main branch for centralized CI management. Pinning to a SHA + # would defeat the purpose of the shared workflows repo. + unpinned-uses: + ignore: + - actionlint.yml:16 + - ci.yml:21 + - code-scan-cron.yml:7 + - dependabot-auto-merge.yml:10 + - frizbee.yml:15 + - release.yml:11 + - release.yml:65 + - release.yml:77 + - release.yml:91 + - triage.yml:19 + - zizmor.yml:15 + # Reusable workflow callers require `secrets: inherit` to pass + # credentials needed by the shared workflows (e.g. SSH keys, PATs). + secrets-inherit: + ignore: + - actionlint.yml:16 + - ci.yml:21 + - dependabot-auto-merge.yml:10 + - frizbee.yml:15 + - release.yml:11 + - release.yml:65 + - release.yml:77 + - release.yml:91 + - triage.yml:19 + - zizmor.yml:15 + # These workflows either lack a top-level `permissions:` block + # (using GitHub defaults) or delegate to reusable workflows that + # declare their own minimal permissions internally. + excessive-permissions: + ignore: + - ci.yml:20 + - code-scan-cron.yml:6 + - release.yml:1 + - release.yml:10 + - release.yml:14 + # The triage workflow uses `pull_request_target` to label PRs + # from forks. This is safe because the called reusable workflow + # does not checkout or execute code from the PR. + dangerous-triggers: + ignore: + - triage.yml:3 + + From a7c332a121f1c11df66e394de6f1735557050af9 Mon Sep 17 00:00:00 2001 
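Review bot: The `dangerous-triggers` ignore for `triage.yml:3` is justified by what the called reusable workflow does not do, yet the ignore lists above show the same workflow is also invoked unpinned and with `secrets: inherit` (`triage.yml:19` under both `unpinned-uses` and `secrets-inherit`), so a `pull_request_target` run from a fork forwards all repository secrets to a callee whose contents can change under `@main` without any change in this repository. The comment should record that dependency, e.g. `# Safety of this ignore rests on the triage workflow at smallstep/workflows@main; re-verify when it changes.`, and the ignore should be re-reviewed whenever that shared workflow is modified.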
From: Carl Tashian Date: Mon, 2 Mar 2026 17:54:27 -0800 Subject: [PATCH 2/8] Add explicit permissions blocks, remove excessive-permissions ignores Co-Authored-By: Claude Opus 4.6 --- .github/workflows/ci.yml | 3 +++ .github/workflows/code-scan-cron.yml | 5 +++++ .github/workflows/release.yml | 7 +++++++ .github/zizmor.yml | 10 ---------- 4 files changed, 15 insertions(+), 10 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9b831a90b..14f88e4cf 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,6 +16,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: ci: uses: smallstep/workflows/.github/workflows/goCI.yml@main diff --git a/.github/workflows/code-scan-cron.yml b/.github/workflows/code-scan-cron.yml index 9a35b7fe6..b0af523f4 100644 --- a/.github/workflows/code-scan-cron.yml +++ b/.github/workflows/code-scan-cron.yml @@ -2,6 +2,11 @@ on: schedule: - cron: '0 0 * * *' +permissions: + actions: read + contents: read + security-events: write + jobs: code-scan: uses: smallstep/workflows/.github/workflows/code-scan.yml@main diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 05119aca4..8a44ea6c0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,13 +6,20 @@ on: tags: - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10 +permissions: + contents: write + jobs: ci: + permissions: + contents: read uses: smallstep/certificates/.github/workflows/ci.yml@master secrets: inherit create_release: name: Create Release + permissions: + contents: write needs: ci runs-on: ubuntu-latest env: diff --git a/.github/zizmor.yml b/.github/zizmor.yml index d99ba1b20..f84d883cb 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml 
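Review bot: The new `permissions:` block in code-scan-cron.yml grants `security-events: write` and `actions: read` at workflow level, where they become the default for every job in the file rather than just `code-scan`. Since only the `code-scan` job needs them, move the three entries under `jobs.code-scan.permissions:` and keep the workflow-level block at `contents: read`, the same job-level shape this series later adopts for ci.yml in patch 8. The ci.yml hunk above, which adds only `contents: read`, is fine as is.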
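Review bot: The new workflow-level `permissions: contents: write` in release.yml becomes the token for every job that does not declare its own block, and the zizmor ignore list from patch 1 shows further reusable-workflow jobs in this file (`release.yml:65`, `:77`, `:91`) that this hunk does not touch. Safer is `contents: read` at the top and `contents: write` only on the jobs that publish, as `create_release` already declares; whether those later jobs need `write` cannot be judged from the hunk, so check each before narrowing. The `ci` job's explicit `contents: read` correctly caps the reusable workflow it calls.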
@@ -29,16 +29,6 @@ rules: - release.yml:91 - triage.yml:19 - zizmor.yml:15 - # These workflows either lack a top-level `permissions:` block - # (using GitHub defaults) or delegate to reusable workflows that - # declare their own minimal permissions internally. - excessive-permissions: - ignore: - - ci.yml:20 - - code-scan-cron.yml:6 - - release.yml:1 - - release.yml:10 - - release.yml:14 # The triage workflow uses `pull_request_target` to label PRs # from forks. This is safe because the called reusable workflow # does not checkout or execute code from the PR. From 74df941efbe3b99517380b0d09616c43dabc7a1a Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Mon, 2 Mar 2026 18:02:32 -0800 Subject: [PATCH 3/8] Replace zizmor line-number ignores with policies Use unpinned-uses config.policies with org-level wildcard and secrets-inherit disable instead of brittle per-line ignores that break whenever workflow files change. Co-Authored-By: Claude Opus 4.6 --- .github/zizmor.yml | 39 +++++---------------------------------- 1 file changed, 5 insertions(+), 34 deletions(-) diff --git a/.github/zizmor.yml b/.github/zizmor.yml index f84d883cb..b8ff0715f 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml 
@@ -1,39 +1,10 @@ rules: - # Internal reusable workflows (smallstep/*@main) intentionally track - # the main branch for centralized CI management. Pinning to a SHA - # would defeat the purpose of the shared workflows repo. unpinned-uses: - ignore: - - actionlint.yml:16 - - ci.yml:21 - - code-scan-cron.yml:7 - - dependabot-auto-merge.yml:10 - - frizbee.yml:15 - - release.yml:11 - - release.yml:65 - - release.yml:77 - - release.yml:91 - - triage.yml:19 - - zizmor.yml:15 - # Reusable workflow callers require `secrets: inherit` to pass - # credentials needed by the shared workflows (e.g. SSH keys, PATs). + config: + policies: + "smallstep/*": ref-pin secrets-inherit: - ignore: - - actionlint.yml:16 - - ci.yml:21 - - dependabot-auto-merge.yml:10 - - frizbee.yml:15 - - release.yml:11 - - release.yml:65 - - release.yml:77 - - release.yml:91 - - triage.yml:19 - - zizmor.yml:15 - # The triage workflow uses `pull_request_target` to label PRs - # from forks. This is safe because the called reusable workflow - # does not checkout or execute code from the PR. + disable: true dangerous-triggers: ignore: - - triage.yml:3 - - + - triage.yml From 904ad622be79fe5935ac3a577b325400d4d2844c Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Mon, 2 Mar 2026 18:28:50 -0800 Subject: [PATCH 4/8] Disable ref-confusion audit The ref-confusion audit crashes when workflows reference private repos (e.g. internal-workflows, robot) because the GITHUB_TOKEN lacks cross-repo access. Disable until zizmor supports scoping this audit or we provide a broader token. Co-Authored-By: Claude Opus 4.6 --- .github/zizmor.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/zizmor.yml b/.github/zizmor.yml index b8ff0715f..92a614677 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -5,6 +5,8 @@ rules: "smallstep/*": ref-pin secrets-inherit: disable: true + ref-confusion: + disable: true dangerous-triggers: ignore: - triage.yml 
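Review bot: `secrets-inherit: disable: true` switches the audit off for the whole repository, including any future caller of a non-smallstep reusable workflow, while the `unpinned-uses` policy beside it is correctly scoped to `smallstep/*`; likewise the file-wide `ignore: - triage.yml` now suppresses every `dangerous-triggers` finding in that file, not only the `pull_request_target` one it was written for. The hunk also deletes the three explanatory comments, leaving no rationale in the config. Restore a short comment on each rule, e.g. above `secrets-inherit:`: `# Disabled: all callers are smallstep/* reusable workflows that need inherited secrets; re-enable if a third-party reusable workflow is added.` and above `dangerous-triggers:`: `# triage.yml uses pull_request_target to label fork PRs; the called workflow must not check out or run PR code.`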
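Review bot: `ref-confusion: disable: true` turns the audit off for every `uses:` in the repository, including third-party actions, because of a failure on private-repository references, and the config carries no explanation of that trade-off. Add the reason next to the setting, e.g. `# Disabled: the audit errors on private repos (GITHUB_TOKEN lacks cross-repo read); revisit when zizmor can scope it or a broader token is available.`. If the failure is per-finding rather than an abort of the whole audit, a per-file `ignore:` for the workflows referencing private repos would keep coverage elsewhere; that cannot be verified from the hunk.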
From 0d683fa6420fb66ad18980c3e15ea2e2ff6083e1 Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Mon, 2 Mar 2026 18:43:01 -0800 Subject: [PATCH 5/8] Add security-events: write to zizmor caller workflow The caller workflow's permissions are the ceiling for reusable workflows. The zizmor-action needs security-events: write to upload SARIF results to GitHub Advanced Security. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/zizmor.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 3270953b8..0057146c4 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -9,6 +9,7 @@ concurrency: permissions: contents: read + security-events: write jobs: zizmor: From dcf2db9ba6fc57afdb24d0a8b07cd4ca513d360f Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Mon, 2 Mar 2026 19:52:22 -0800 Subject: [PATCH 6/8] ci: Replace separate actionlint/zizmor/frizbee with actionci.yml Consolidate the three separate workflow files into a single actionci.yml that calls the shared workflow from smallstep/workflows. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/actionci.yml | 22 ++++++++++++++++++++++ .github/workflows/actionlint.yml | 17 ----------------- .github/workflows/frizbee.yml | 16 ---------------- .github/workflows/zizmor.yml | 17 ----------------- 4 files changed, 22 insertions(+), 50 deletions(-) create mode 100644 .github/workflows/actionci.yml delete mode 100644 .github/workflows/actionlint.yml delete mode 100644 .github/workflows/frizbee.yml delete mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/actionci.yml b/.github/workflows/actionci.yml new file mode 100644 index 000000000..81a6873e6 --- /dev/null +++ b/.github/workflows/actionci.yml 
@@ -0,0 +1,22 @@ +name: Action CI + +on: + push: + tags-ignore: + - 'v*' + branches: + - "master" + pull_request: + workflow_call: + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +jobs: + actionci: + permissions: + contents: read + security-events: write + uses: smallstep/workflows/.github/workflows/actionci.yml@main + secrets: inherit diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml deleted file mode 100644 index 8e9248e08..000000000 --- a/.github/workflows/actionlint.yml +++ /dev/null @@ -1,17 +0,0 @@ -name: Lint GitHub Actions workflows -on: - push: - workflow_call: - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true - -permissions: - contents: write - pull-requests: write - -jobs: - actionlint: - uses: smallstep/workflows/.github/workflows/actionlint.yml@main - secrets: inherit diff --git a/.github/workflows/frizbee.yml b/.github/workflows/frizbee.yml deleted file mode 100644 index 642f692d3..000000000 --- a/.github/workflows/frizbee.yml +++ /dev/null @@ -1,16 +0,0 @@ -name: Frizbee pinning check -on: - push: - workflow_call: - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true - -permissions: - contents: read - -jobs: - frizbee: - uses: smallstep/workflows/.github/workflows/frizbee.yml@main - secrets: inherit diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml deleted file mode 100644 index 0057146c4..000000000 --- a/.github/workflows/zizmor.yml +++ /dev/null 
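Review bot: The deleted actionlint.yml ran with `contents: write` and `pull-requests: write`, while the consolidated `actionci` job grants only `contents: read` and `security-events: write`; if the shared actionci workflow's lint stage posts PR comments or commits fixes, those steps now fail with a permissions error, so confirm its needs against smallstep/workflows before merging. If it does not need them, the tightening is an improvement worth recording, e.g. `# Caps the reusable workflow: read-only plus SARIF upload.`. The `on.push` block quotes `'v*'` with single quotes and `"master"` with double quotes; pick one style. `pull_request:` runs from forks carry no secrets, so `secrets: inherit` is inert there, which is the expected behavior.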
@@ -1,17 +0,0 @@ -name: Zizmor security scan -on: - push: - workflow_call: - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true - -permissions: - contents: read - security-events: write - -jobs: - zizmor: - uses: smallstep/workflows/.github/workflows/zizmor.yml@main - secrets: inherit From cf1b1edb2fd2e0f6ac927a82d73dcbaa7148a4fd Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Tue, 3 Mar 2026 06:08:25 -0800 Subject: [PATCH 7/8] Add missing permissions for codeql job in goCI workflow Co-Authored-By: Claude Opus 4.6 --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 14f88e4cf..213e1ebac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,7 +17,9 @@ concurrency: cancel-in-progress: true permissions: + actions: read contents: read + security-events: write jobs: ci: From 015f0f265e669d4503bad1c8dcf20ac91141e11d Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Tue, 3 Mar 2026 06:11:43 -0800 Subject: [PATCH 8/8] Move codeql permissions to job level to satisfy zizmor Co-Authored-By: Claude Opus 4.6 --- .github/workflows/ci.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 213e1ebac..f4ffd1f89 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,12 +17,14 @@ concurrency: cancel-in-progress: true permissions: - actions: read contents: read - security-events: write jobs: ci: + permissions: + actions: read + contents: read + security-events: write uses: smallstep/workflows/.github/workflows/goCI.yml@main with: only-latest-golang: false
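Review bot: The job-level `permissions:` on `ci` repeats `contents: read` from the workflow-level block; that repetition is required, since a job-level block replaces the workflow-level one rather than extending it, and a comment saying so would stop a later cleanup from dropping it, e.g. `# job-level permissions replace (not extend) the workflow-level block, so contents: read is listed again`. Scoping `actions: read` and `security-events: write` to the one job that runs CodeQL is the right direction. The `with:` block of the `ci` job continues outside the hunk.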