
fix: resolve zizmor excessive-permissions + artipacked (INFRA-869)#41

Merged
Rumbles merged 1 commit into master from INFRA-869/zizmor-actions-security-fixes
Jun 11, 2026


@Rumbles Rumbles commented Jun 2, 2026

Contributor

What

Thin mechanical pass for action-processor-integrations: least-privilege permissions: contents: read on ci + release-sonatype (Sonatype publishing uses PGP/Sonatype creds, not GITHUB_TOKEN); persist-credentials: false on checkouts (no git pushes).

Deliberately deferred (INFRA-869 cross-cutting decision pending): unpinned-uses — the bulk of this repo's findings — awaiting the org pin-vs-SHA vs wrap-in-github-actions call.

Verified with org config zizmor --config zizmor.yml: 0 findings outside the deferred set.

INFRA-869

🤖 Generated with Claude Code

least-privilege permissions: contents: read on ci + release-sonatype (Sonatype publishing uses PGP/Sonatype creds, not GITHUB_TOKEN); persist-credentials: false on checkouts (no git pushes).

Deferred (INFRA-869 cross-cutting decisions): unpinned-uses (pin-vs-wrap pending). Verified with the org zizmor config: 0 findings outside the deferred set. INFRA-869
@Rumbles Rumbles requested a review from a team as a code owner June 2, 2026 14:14
@Rumbles Rumbles enabled auto-merge (rebase) June 2, 2026 14:15
@Rumbles Rumbles merged commit ef61750 into master Jun 11, 2026
1 check failed
@Rumbles Rumbles deleted the INFRA-869/zizmor-actions-security-fixes branch June 11, 2026 13:17
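
Added example, not part of the PR or the repository's own workflows: a constructed workflow showing the two settings the description names, a workflow-level `permissions: contents: read` and `persist-credentials: false` on checkout. The workflow name, triggers, job names, build commands and secret names are hypothetical.

```yaml
# Constructed example; names, triggers, commands and secrets are hypothetical.
name: ci
on:
  pull_request:
  push:
    branches: [master]

# zizmor excessive-permissions: with no permissions block, GITHUB_TOKEN gets
# the repository or organization default scopes, which can include write.
# Listing only contents: read sets every scope not listed here to none.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Tag reference left as-is: unpinned-uses is deferred in this PR.
      - uses: actions/checkout@v4
        with:
          # zizmor artipacked: checkout persists the token in the local git
          # configuration by default, where later steps or an uploaded copy
          # of the workspace can expose it. No step pushes, so turn it off.
          persist-credentials: false
      - name: Build and test
        run: ./build.sh            # hypothetical build command

  publish:
    # Publishing authenticates with its own credentials, not GITHUB_TOKEN,
    # so contents: read is still enough for this job.
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Publish
        run: ./publish.sh          # hypothetical publish command
        env:
          # Hypothetical secret names, scoped to this one step.
          PGP_SECRET: ${{ secrets.PGP_SECRET }}
          SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
          SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
```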