address zizmor findings in GitHub Actions #485

@firewave

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> .github/workflows/CI-unixish.yml:20:7
   |
20 |     - uses: actions/checkout@v4
   |       ------------------------- does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

warning[excessive-permissions]: overly broad permissions
   --> .github/workflows/CI-unixish.yml:6:3
    |
  6 | /   build:
  7 | |
...   |
111 | |         make clean
112 | |         make -j$(nproc) test selfcheck CXXFLAGS="-O2 -g3 -stdlib=libc++ -fsanitize=memory" LDFLAGS="-lc++ -fsanitize=memory"
    | |                                                                                                                             -
    | |_____________________________________________________________________________________________________________________________|
    |                                                                                                                               this job
    |                                                                                                                               default permissions used due to no permissions: block
    |
    = note: audit confidence → Medium

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> .github/workflows/CI-windows.yml:25:9
   |
25 |       - uses: actions/checkout@v4
   |         ------------------------- does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

warning[excessive-permissions]: overly broad permissions
  --> .github/workflows/CI-windows.yml:15:3
   |
15 | /   build:
16 | |     strategy:
...  |
60 | |           python -m pytest integration_test.py -vv || exit /b !errorlevel!
61 | |
   | |         -
   | |_________|
   |           this job
   |           default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> .github/workflows/clang-tidy.yml:13:9
   |
13 |       - uses: actions/checkout@v4
   |         ------------------------- does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

warning[excessive-permissions]: overly broad permissions
  --> .github/workflows/clang-tidy.yml:8:3
   |
 8 | /   build:
 9 | |
...  |
38 | |         run: |
39 | |           run-clang-tidy-20 -q -j $(nproc) -p=cmake.output
   | |                                                           -
   | |___________________________________________________________|
   |                                                             this job
   |                                                             default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium
