Skip to content

Prepare workflows for the zizmor bump in #360#365

Merged
robzolkos merged 2 commits into
basecamp:mainfrom
robzolkos:ci/zizmor-prep-for-action-bumps
Jul 10, 2026
Merged

Prepare workflows for the zizmor bump in #360#365
robzolkos merged 2 commits into
basecamp:mainfrom
robzolkos:ci/zizmor-prep-for-action-bumps

Conversation

@robzolkos

@robzolkos robzolkos commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

#360 bumps zizmor-action v0.5.3 → v0.5.7, which ships a newer zizmor (1.26.x). That version reports five findings the currently pinned zizmor does not, so #360 fails GitHub Actions audit for reasons unrelated to the twenty actions it bumps. zizmor exits non-zero on any finding, so all five must be resolved.

Four of the five are not #360's doing. This clears them on main first, so #360 can go green on a plain rebase without anyone hand-editing a dependabot branch. Of the four, three are fixed, one is removed at the source, and exactly one is suppressed.

adhoc-packages in the publish job — removed, not suppressed

release-typescript.yml ran npm install -g npm@latest: an unpinned install from the registry, inside the publish job that holds id-token: write and the release-npm environment, three steps before npm publish of @37signals/basecamp.

The blast radius is not "a linter is unhappy." A compromised npm@latest there executes against a live OIDC publishing identity and can push a malicious release of this SDK. Pinning the version would narrow that, but zizmor still flags it — the rule is about installing outside a lockfile at all — so a pin buys a suppression, not a fix.

Node 24 bundles npm 11.16, past the 11.5.1 that OIDC trusted publishing requires. The step is simply unnecessary. The publish job now uses Node 24 and takes npm from the Node tarball, which setup-node verifies by checksum. The ad-hoc install is gone rather than accepted.

Verified locally under Node 24 (npm 11.16.0): npm ci, npm run build (what prepublishOnly runs, including postbuild), and the full suite — 616 tests across 64 files, all passing.

adhoc-packages in the bundler-audit job — suppressed, with reason

gem install bundler-audit remains. That job has contents: read, no id-token, no secrets, and does not publish; a compromised install reads a public repository. bundler-audit is also the auditing tool itself, so adding it to the SDK's Gemfile would make the gem under audit depend on its own auditor.

This is the one accepted risk, suppressed inline with a justification, matching the fifteen # zizmor: ignore[...] suppressions already in these workflows.

ref-version-mismatch — 3 medium, latent

The trivy-action pin is commented # 0.35.0. That tag exists, so it is valid today and main is not currently flagged.

Upstream stopped publishing unprefixed tags after it: ed142fd is reachable only as v0.36.0, with no 0.36.0. Dependabot mirrors the existing comment style, so when it bumped trivy in #360 it wrote # 0.36.0 — an unknown ref — and the newer zizmor flagged it three times.

Correcting the comment to # v0.35.0 means the next bump inherits the v prefix and resolves on its own. This improves auditability rather than reducing it: the comment exists so a reviewer can check the hash against a real tag.

Verification

Three of the five findings come from zizmor's online audits, which silently do not run without a GitHub token — a plain local run reports clean and looks like a false alarm. All runs below had GH_TOKEN set.

low medium
main today 2 0
#360's head 2 3
this branch 0 0

The 2/3 split on #360's head matches its CI run exactly. The pinned zizmor 1.25.2 that main runs today also still passes here, so the unknown audit name in the ignore comment does not break current CI.

The remaining fifth finding is #360's own trivy comment, which its rebase will regenerate as # v0.36.0 once this lands.

basecamp#360 bumps zizmor-action v0.5.3 -> v0.5.7, which ships a newer zizmor that
reports five findings the pinned version does not. Two are pre-existing here
and one is an artifact of how dependabot writes version comments.

adhoc-packages (2, pre-existing): gem install bundler-audit and npm install -g
npm@latest. Both are deliberate. bundler-audit is the auditing tool itself, and
the npm upgrade is required for OIDC trusted publishing. Suppressed inline with
justifications, matching the fifteen suppressions already in these workflows.

ref-version-mismatch (3, latent): the trivy-action pin is commented # 0.35.0.
That tag exists, so it is valid today, but upstream stopped publishing
unprefixed tags after it -- ed142fd (0.36.0) is only reachable as v0.36.0.
Dependabot copies the existing comment style, so it wrote # 0.36.0 in basecamp#360 and
zizmor flagged an unknown ref. Switching to # v0.35.0 makes the next bump
resolve correctly on its own.

With these in place basecamp#360 should go green on a rebase, with no edits to its
branch.
Copilot AI review requested due to automatic review settings July 10, 2026 03:05
@github-actions

Copy link
Copy Markdown

Sensitive Change Detection (shadow mode)

This PR modifies control-plane files:

  • .github/workflows/release-typescript.yml
  • .github/workflows/security.yml

Shadow mode — this check is informational only. When activated, changes to these paths will require approval from a maintainer.

@github-actions github-actions Bot added the github-actions Pull requests that update GitHub Actions label Jul 10, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Prepares the repo’s GitHub Actions workflows to pass a newer zizmor version (as part of zizmor-action bump in #360) by aligning Trivy pin comments with upstream tag naming and suppressing two intentional “ad-hoc” package installs.

Changes:

  • Updated aquasecurity/trivy-action pin comments from # 0.35.0# v0.35.0 to avoid ref-version-mismatch findings on future Dependabot bumps.
  • Added inline zizmor: ignore[adhoc-packages] suppressions (with justification) for gem install bundler-audit and npm install -g npm@latest.

Tip

If you aren't ready for review, convert to a draft PR.
Click "Convert to draft" or run gh pr ready --undo.
Click "Ready for review" or run gh pr ready to reengage.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
.github/workflows/security.yml Adjusts Trivy pin comment format and suppresses intentional bundler-audit install to satisfy newer zizmor checks.
.github/workflows/release-typescript.yml Suppresses intentional global npm upgrade step to satisfy newer zizmor checks.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 2 files

Re-trigger cubic

The publish job installed npm@latest from the registry, unpinned, inside the
job that holds id-token: write and the release-npm environment, three steps
before npm publish. A compromised install there could publish a malicious
@37signals/basecamp rather than merely read a public repo.

Node 24 bundles npm 11.16, past the 11.5.1 that OIDC trusted publishing
requires, so the upgrade step is unnecessary. Bumping the publish job to Node
24 removes the ad-hoc install entirely: npm now comes from the Node tarball,
which setup-node verifies by checksum.

This removes the finding rather than suppressing it. Verified under Node 24
(npm 11.16.0): npm ci, npm run build (what prepublishOnly runs), and the full
suite, 616 tests across 64 files.
Copilot AI review requested due to automatic review settings July 10, 2026 03:12
@github-actions github-actions Bot added the bug Something isn't working label Jul 10, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

@robzolkos robzolkos merged commit f59e2ac into basecamp:main Jul 10, 2026
46 checks passed
jeremy added a commit that referenced this pull request Jul 14, 2026
Main bumped the shared action pins (#360/#365/#367 zizmor prep + dep
bumps) after this workflow was authored: checkout v7.0.0, setup-go
v6.5.0, setup-node v6.4.0, setup-java v5.4.0, setup-gradle v6.2.0,
setup-ruby v1.316.0, setup-uv v8.2.0. Copy test.yml's exact pin lines
so live-canary.yml doesn't reintroduce superseded SHAs.
upload-artifact already matched.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working github-actions Pull requests that update GitHub Actions

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants