diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 69b20da45a1..5d17d33a4ac 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,23 +16,64 @@ concurrency:
 group: ci-${{ github.ref }}
 cancel-in-progress: true
+permissions: {}
+
 jobs:
+ workflow-security:
+ runs-on: ubuntu-24.04
+ name: Workflow security analysis
+ permissions:
+ actions: read # required by zizmor online audits in private repositories
+ contents: read # required for actions/checkout to read the workflow source
+ security-events: write # required by zizmor-action to upload SARIF to code scanning
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ id: zizmor
+ uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+ with:
+ inputs: .github/workflows/ci.yml
+ version: 1.25.2
+ persona: pedantic
+ min-severity: informational
+ min-confidence: low
+ config: .github/zizmor.yml
+
+ - name: Fail if zizmor reported findings
+ env:
+ sarifFilePath: ${{ steps.zizmor.outputs.output-file }}
+ run: |
+ findingsCount="$(jq '[.runs[].results[]] | length' "$sarifFilePath")"
+ echo "zizmor findings: $findingsCount"
+ test "$findingsCount" -eq 0
+
 test:
 runs-on: ubuntu-24.04
+ needs: [workflow-security]
+ name: test
+ permissions:
+ contents: read
 steps:
 - name: Checkout (pull_request)
 if: ${{ github.event_name == 'pull_request' }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
+ persist-credentials: false
 # Uses the head commit (not merge commit) for PRs
 ref: ${{ github.event.pull_request.head.sha }}
 - name: Checkout (non-PR)
 if: ${{ github.event_name != 'pull_request' }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup Node.js
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
+ uses: 
actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version-file: '.nvmrc'
 cache: 'yarn'
diff --git a/.github/workflows/create_docker_image.yml b/.github/workflows/create_docker_image.yml
index ad80bcb297b..3ff5131293a 100644
--- a/.github/workflows/create_docker_image.yml
+++ b/.github/workflows/create_docker_image.yml
@@ -28,6 +28,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - name: Setup Node.js
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
diff --git a/.github/workflows/deploy-to-test-env.yml b/.github/workflows/deploy-to-test-env.yml
index 80f7ef55fb0..d3a8ec84c1e 100644
--- a/.github/workflows/deploy-to-test-env.yml
+++ b/.github/workflows/deploy-to-test-env.yml
@@ -35,6 +35,8 @@ jobs:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - name: Setup Node.js
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
 with:
diff --git a/.github/workflows/e2e-tests-nightly.yml b/.github/workflows/e2e-tests-nightly.yml
index 268aaf5ca6e..987d5317526 100644
--- a/.github/workflows/e2e-tests-nightly.yml
+++ b/.github/workflows/e2e-tests-nightly.yml
@@ -31,6 +31,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - name: Setup Node.js
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index eac83c4679b..d7b6001080e 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -70,6 +70,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
 with:
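Review bot: The new zizmor step audits only `inputs: .github/workflows/ci.yml`, so the hash-pin policy and the `secrets-outside-env` rule configured in `.github/zizmor.yml` are never applied to the other workflows this commit touches — including the deploy and publish workflows that check out with repository-scoped tokens — and nothing in CI fails if one of them regresses. Unless the narrow scope is deliberate, pointing the action at the whole directory, `inputs: .github/workflows`, puts every workflow under the same gate (the zizmor CLI accepts a directory; confirm the action input does as well). The `Fail if zizmor reported findings` step depends on `steps.zizmor.outputs.output-file` naming a SARIF file in which every run carries a `results` array; with the default `bash -e -o pipefail` shell a missing or malformed file makes `jq` fail the step, which is the safe direction, but a one-line comment stating that assumption, e.g. `# zizmor-action only uploads to code scanning; this step is what actually blocks the build`, would help the next reader understand why the gate exists. The `test` job continues past this hunk.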
@@ -103,6 +105,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
 with:
@@ -145,6 +149,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
 with:
@@ -203,6 +209,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
 with:
diff --git a/.github/workflows/generate_test_report.yml b/.github/workflows/generate_test_report.yml
index a73935133ef..13082128a58 100644
--- a/.github/workflows/generate_test_report.yml
+++ b/.github/workflows/generate_test_report.yml
@@ -19,6 +19,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
+ persist-credentials: false
 ref: refs/heads/${{ inputs.branch }}
 - name: Capture checked out commit SHA
diff --git a/.github/workflows/playwright-crit-flow-tests.yml b/.github/workflows/playwright-crit-flow-tests.yml
index 99d562f5895..4785062b279 100644
--- a/.github/workflows/playwright-crit-flow-tests.yml
+++ b/.github/workflows/playwright-crit-flow-tests.yml
@@ -15,6 +15,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - name: Setup Node.js
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
diff --git a/.github/workflows/precommit-crit-flows.yml b/.github/workflows/precommit-crit-flows.yml
index 287ec7e8c2f..c651e25a69b 100644
--- a/.github/workflows/precommit-crit-flows.yml
+++ b/.github/workflows/precommit-crit-flows.yml
@@ -37,6 +37,7 @@ jobs:
 if: ${{ github.event_name == 'pull_request' }}
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
+ persist-credentials: false
 fetch-depth: 0
 ref: ${{ github.event.pull_request.head.sha }}
@@ -44,6 +45,7 @@ jobs:
 if: ${{ github.event_name == 'merge_group' }}
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
+ persist-credentials: false
 fetch-depth: 0
 - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
@@ -156,11 +158,14 @@ jobs:
 if: ${{ github.event_name == 'pull_request' }}
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
+ persist-credentials: false
 ref: ${{ github.event.pull_request.head.sha }}
 - name: Checkout (merge_group)
 if: ${{ github.event_name == 'merge_group' }}
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
 with:
diff --git a/.github/workflows/precommit.yml b/.github/workflows/precommit.yml
index 2018ae08c04..7a03090a3f4 100644
--- a/.github/workflows/precommit.yml
+++ b/.github/workflows/precommit.yml
@@ -30,6 +30,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
+ persist-credentials: false
 fetch-depth: 0
 ref: ${{ github.event.pull_request.head.sha }}
diff --git a/.github/workflows/publish-and-deploy-webapp.yml b/.github/workflows/publish-and-deploy-webapp.yml
index 0c97fbd05b4..ca51891b529 100644
--- a/.github/workflows/publish-and-deploy-webapp.yml
+++ b/.github/workflows/publish-and-deploy-webapp.yml
@@ -37,6 +37,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
+ persist-credentials: false
 fetch-depth: 0
 - name: Setup Node.js
@@ -186,6 +187,7 @@ jobs:
 - name: Check out wire-builds
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
+ persist-credentials: false
 repository: wireapp/wire-builds
 token: ${{secrets.WIRE_BUILDS_WRITE_ACCESS_GH_TOKEN}}
 ref: ${{matrix.target_branch}}
diff --git a/.github/workflows/publish-libraries-on-merge.yml b/.github/workflows/publish-libraries-on-merge.yml
index 29ce3e44a17..d0c48698ab7 100644
--- a/.github/workflows/publish-libraries-on-merge.yml
+++ b/.github/workflows/publish-libraries-on-merge.yml
@@ -23,6 +23,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
+ persist-credentials: false
 fetch-depth: 0
 # Pin to the exact merge commit to avoid publishing code from a newer dev head
 # if other PRs merge between trigger and job start
diff --git a/.github/workflows/publish-libraries.yml b/.github/workflows/publish-libraries.yml
index 5907002dec8..3366200abca 100644
--- a/.github/workflows/publish-libraries.yml
+++ b/.github/workflows/publish-libraries.yml
@@ -20,6 +20,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
+ persist-credentials: false
 fetch-depth: 0
 ref: dev
 token: ${{ secrets.OTTO_THE_BOT_GH_TOKEN }}
diff --git a/.github/workflows/pull-translations-from-crowdin.yml b/.github/workflows/pull-translations-from-crowdin.yml
index 94b6acb388d..6b4b3eaffde 100644
--- a/.github/workflows/pull-translations-from-crowdin.yml
+++ b/.github/workflows/pull-translations-from-crowdin.yml
@@ -21,6 +21,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
+ persist-credentials: false
 ref: master
 fetch-depth: 0
diff --git a/.github/workflows/push-translations-to-crowdin.yml b/.github/workflows/push-translations-to-crowdin.yml
index f4b23647dda..7e409a16a7b 100644
--- a/.github/workflows/push-translations-to-crowdin.yml
+++ b/.github/workflows/push-translations-to-crowdin.yml
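Review bot: Adding `persist-credentials: false` to the wire-builds checkout means `WIRE_BUILDS_WRITE_ACCESS_GH_TOKEN` is used for the clone only and is no longer written into the checkout's git config, so any later step in this job that pushes back to wireapp/wire-builds (the token's name suggests one exists) will now fail authentication unless it supplies the token itself. The rest of the job is outside this hunk, so that cannot be confirmed here; if a push step exists it should get the secret through `env:` and push with an explicit URL, e.g. `git push "https://x-access-token:${WIRE_BUILDS_TOKEN}@github.com/wireapp/wire-builds" HEAD:${TARGET_BRANCH}`, which keeps the credential scoped to the one step that needs it. A comment on the checkout, `# token is used for the clone only; the push step below authenticates explicitly`, would record the intent for the next reader.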
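Review bot: This checkout of `dev` with `token: ${{ secrets.OTTO_THE_BOT_GH_TOKEN }}` and `fetch-depth: 0` has the same dependency: once `persist-credentials: false` is set, the bot token is not retained in git config, so a version-bump commit or tag push performed later in this job (not visible in the hunk) will need the token supplied explicitly, for example `GH_TOKEN`/`GITHUB_TOKEN` in the publish step's `env:` or an authenticated remote URL. Please run the workflow end to end before merging, since a failure here would only surface on the next library publish.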
@@ -16,6 +16,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ with:
+ persist-credentials: false
 - name: Setup Node.js
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
diff --git a/.github/workflows/redeploy-production-from-tag.yml b/.github/workflows/redeploy-production-from-tag.yml
index 9ab82157cb1..0806f8917d2 100644
--- a/.github/workflows/redeploy-production-from-tag.yml
+++ b/.github/workflows/redeploy-production-from-tag.yml
@@ -66,6 +66,7 @@ jobs:
 - name: Checkout selected tag
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
+ persist-credentials: false
 ref: refs/tags/${{ needs.validate_request.outputs.tag }}
 fetch-depth: 0
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 00000000000..fb4707f1961
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,12 @@
+---
+# All audits run with defaults; only configurable audits are overridden below.
+# Persona, severity floor, and confidence floor are set in .github/workflows/ci.yml.
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ '*': hash-pin
+
+ secrets-outside-env:
+ config:
+ allow: []