Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,6 @@ permissions:

jobs:
dependency-review:
uses: nuxt/.github/.github/workflows/dependency-review.yml@main # zizmor: ignore[unpinned-uses] first-party reusable workflow from nuxt/.github; pinning to SHA blocks central propagation
uses: nuxt/.github/.github/workflows/dependency-review.yml@main # zizmor: ignore[unpinned-uses] first-party reusable workflow from nuxt/.github
with:
fail-on-provenance-change: true
23 changes: 23 additions & 0 deletions .github/workflows/zizmor.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
name: GitHub Actions Security Analysis with zizmor 🌈

on:
push:
branches: ["main"]
pull_request:
branches: ["**"]

permissions: {}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical: Add contents: read permission for workflow to function.

The permissions: {} configuration denies all permissions to the GITHUB_TOKEN. However, the actions/checkout action requires contents: read permission to clone the repository, and the zizmor action needs to read workflow files for analysis. This configuration will cause the workflow to fail.

🔒 Proposed fix to grant necessary permissions
-permissions: {}
+permissions:
+  contents: read
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
permissions: {}
permissions:
contents: read
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/zizmor.yml at line 9, The workflow currently sets
"permissions: {}" which denies GITHUB_TOKEN access; update the workflow
permissions to grant at least "contents: read" so actions/checkout and the
zizmor analysis can clone and read repository files (i.e., replace or augment
the "permissions: {}" entry to include "contents: read" for the GITHUB_TOKEN
used by actions/checkout and the zizmor action).


jobs:
zizmor:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Run zizmor 🌈
uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
with:
advanced-security: false
Loading