Prepare workflows for the zizmor bump in #360#365
Conversation
basecamp#360 bumps zizmor-action v0.5.3 -> v0.5.7, which ships a newer zizmor that reports five findings the pinned version does not. Two are pre-existing here and one is an artifact of how dependabot writes version comments. adhoc-packages (2, pre-existing): gem install bundler-audit and npm install -g npm@latest. Both are deliberate. bundler-audit is the auditing tool itself, and the npm upgrade is required for OIDC trusted publishing. Suppressed inline with justifications, matching the fifteen suppressions already in these workflows. ref-version-mismatch (3, latent): the trivy-action pin is commented # 0.35.0. That tag exists, so it is valid today, but upstream stopped publishing unprefixed tags after it -- ed142fd (0.36.0) is only reachable as v0.36.0. Dependabot copies the existing comment style, so it wrote # 0.36.0 in basecamp#360 and zizmor flagged an unknown ref. Switching to # v0.35.0 makes the next bump resolve correctly on its own. With these in place basecamp#360 should go green on a rebase, with no edits to its branch.
Sensitive Change Detection (shadow mode)This PR modifies control-plane files:
|
There was a problem hiding this comment.
Pull request overview
Prepares the repo’s GitHub Actions workflows to pass a newer zizmor version (as part of zizmor-action bump in #360) by aligning Trivy pin comments with upstream tag naming and suppressing two intentional “ad-hoc” package installs.
Changes:
- Updated
aquasecurity/trivy-actionpin comments from# 0.35.0→# v0.35.0to avoidref-version-mismatchfindings on future Dependabot bumps. - Added inline
zizmor: ignore[adhoc-packages]suppressions (with justification) forgem install bundler-auditandnpm install -g npm@latest.
Tip
If you aren't ready for review, convert to a draft PR.
Click "Convert to draft" or run gh pr ready --undo.
Click "Ready for review" or run gh pr ready to reengage.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/security.yml | Adjusts Trivy pin comment format and suppresses intentional bundler-audit install to satisfy newer zizmor checks. |
| .github/workflows/release-typescript.yml | Suppresses intentional global npm upgrade step to satisfy newer zizmor checks. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
The publish job installed npm@latest from the registry, unpinned, inside the job that holds id-token: write and the release-npm environment, three steps before npm publish. A compromised install there could publish a malicious @37signals/basecamp rather than merely read a public repo. Node 24 bundles npm 11.16, past the 11.5.1 that OIDC trusted publishing requires, so the upgrade step is unnecessary. Bumping the publish job to Node 24 removes the ad-hoc install entirely: npm now comes from the Node tarball, which setup-node verifies by checksum. This removes the finding rather than suppressing it. Verified under Node 24 (npm 11.16.0): npm ci, npm run build (what prepublishOnly runs), and the full suite, 616 tests across 64 files.
Main bumped the shared action pins (#360/#365/#367 zizmor prep + dep bumps) after this workflow was authored: checkout v7.0.0, setup-go v6.5.0, setup-node v6.4.0, setup-java v5.4.0, setup-gradle v6.2.0, setup-ruby v1.316.0, setup-uv v8.2.0. Copy test.yml's exact pin lines so live-canary.yml doesn't reintroduce superseded SHAs. upload-artifact already matched.
#360 bumps
zizmor-actionv0.5.3 → v0.5.7, which ships a newer zizmor (1.26.x). That version reports five findings the currently pinned zizmor does not, so #360 failsGitHub Actions auditfor reasons unrelated to the twenty actions it bumps. zizmor exits non-zero on any finding, so all five must be resolved.Four of the five are not #360's doing. This clears them on
mainfirst, so #360 can go green on a plain rebase without anyone hand-editing a dependabot branch. Of the four, three are fixed, one is removed at the source, and exactly one is suppressed.adhoc-packagesin the publish job — removed, not suppressedrelease-typescript.ymlrannpm install -g npm@latest: an unpinned install from the registry, inside thepublishjob that holdsid-token: writeand therelease-npmenvironment, three steps beforenpm publishof@37signals/basecamp.The blast radius is not "a linter is unhappy." A compromised
npm@latestthere executes against a live OIDC publishing identity and can push a malicious release of this SDK. Pinning the version would narrow that, but zizmor still flags it — the rule is about installing outside a lockfile at all — so a pin buys a suppression, not a fix.Node 24 bundles npm 11.16, past the 11.5.1 that OIDC trusted publishing requires. The step is simply unnecessary. The publish job now uses Node 24 and takes npm from the Node tarball, which
setup-nodeverifies by checksum. The ad-hoc install is gone rather than accepted.Verified locally under Node 24 (npm 11.16.0):
npm ci,npm run build(whatprepublishOnlyruns, includingpostbuild), and the full suite — 616 tests across 64 files, all passing.adhoc-packagesin the bundler-audit job — suppressed, with reasongem install bundler-auditremains. That job hascontents: read, noid-token, no secrets, and does not publish; a compromised install reads a public repository. bundler-audit is also the auditing tool itself, so adding it to the SDK'sGemfilewould make the gem under audit depend on its own auditor.This is the one accepted risk, suppressed inline with a justification, matching the fifteen
# zizmor: ignore[...]suppressions already in these workflows.ref-version-mismatch— 3 medium, latentThe
trivy-actionpin is commented# 0.35.0. That tag exists, so it is valid today andmainis not currently flagged.Upstream stopped publishing unprefixed tags after it:
ed142fdis reachable only asv0.36.0, with no0.36.0. Dependabot mirrors the existing comment style, so when it bumped trivy in #360 it wrote# 0.36.0— an unknown ref — and the newer zizmor flagged it three times.Correcting the comment to
# v0.35.0means the next bump inherits thevprefix and resolves on its own. This improves auditability rather than reducing it: the comment exists so a reviewer can check the hash against a real tag.Verification
Three of the five findings come from zizmor's online audits, which silently do not run without a GitHub token — a plain local run reports clean and looks like a false alarm. All runs below had
GH_TOKENset.maintodayThe 2/3 split on #360's head matches its CI run exactly. The pinned zizmor 1.25.2 that
mainruns today also still passes here, so the unknown audit name in the ignore comment does not break current CI.The remaining fifth finding is #360's own trivy comment, which its rebase will regenerate as
# v0.36.0once this lands.