Skip to content

Apply Zizmor#5079

Merged
urvangjoshi merged 2 commits into
AOMediaCodec:mainfrom
y-guyon:zizmor
Jul 6, 2026
Merged

Apply Zizmor#5079
urvangjoshi merged 2 commits into
AOMediaCodec:mainfrom
y-guyon:zizmor

Conversation

@y-guyon

@y-guyon y-guyon commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

See https://github.com/zizmorcore/zizmor.

We pin GitHub Actions used in CI workflows to git hashes instead of version tags.

Similar change was also made to libavif's CI workflows in PR AOMediaCodec/libavif#1515 at the suggestion of Google's security team. The rationale is described in issue AOMediaCodec/libavif#1514.

zizmor --fix=all --gh-token=$(gh auth token) .github/workflows output
 INFO zizmor: \U0001f308 zizmor v1.25.2
 WARN collect_inputs: zizmor::registry::input: failed to validate file://.github/workflows/pull_request.yaml as workflow: input does not match expected validation schema
 WARN collect_inputs: zizmor::registry::input: failed to validate file://.github/workflows/nightly.yaml as workflow: input does not match expected validation schema
 INFO audit: zizmor: \U0001f308 completed .github/workflows/build-job-reusable.yaml
 INFO audit: zizmor: \U0001f308 completed .github/workflows/common-builds-reusable.yaml
 INFO audit: zizmor: \U0001f308 completed .github/workflows/common-test-data-reusable.yaml
 INFO audit: zizmor: \U0001f308 completed .github/workflows/sanitizer-job-reusable.yaml
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> .github/workflows/build-job-reusable.yaml:61:9
   |
61 |         - uses: actions/checkout@v5
   |  _________^
62 | |         with:
63 | |           fetch-depth: 50
64 | |           lfs: true
   | |___________________^ does not set persist-credentials: false
   |
   = note: audit confidence \u2192 Low
   = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
  --> .github/workflows/build-job-reusable.yaml:72:18
   |
72 |         run: ${{ inputs.before-script }}
   |         ---      ^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |         |
   |         this run block
   |
   = note: audit confidence \u2192 High
   = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
  --> .github/workflows/build-job-reusable.yaml:61:15
   |
61 |       - uses: actions/checkout@v5
   |               ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence \u2192 High
   = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
  --> .github/workflows/build-job-reusable.yaml:74:15
   |
74 |       - uses: actions/cache/restore@v5
   |               ^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence \u2192 High
   = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
   --> .github/workflows/build-job-reusable.yaml:182:15
    |
182 |       - uses: actions/cache/save@v5
    |               ^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence \u2192 High
    = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
   --> .github/workflows/build-job-reusable.yaml:188:15
    |
188 |         uses: actions/upload-artifact@v7
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence \u2192 High
    = note: this finding has an auto-fix

error[unpinned-images]: unpinned image references
  --> .github/workflows/build-job-reusable.yaml:51:18
   |
51 |       image: ${{ inputs.container-image }}
   |                  ^^^^^^^^^^^^^^^^^^^^^^ container image may be unpinned
   |
   = note: audit confidence \u2192 Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> .github/workflows/common-builds-reusable.yaml:305:9
    |
305 |         - uses: actions/checkout@v5
    |  _________^
306 | |         with:
307 | |           fetch-depth: 50
308 | |           lfs: true
    | |___________________^ does not set persist-credentials: false
    |
    = note: audit confidence \u2192 Low
    = note: this finding has an auto-fix

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> .github/workflows/common-builds-reusable.yaml:356:9
    |
356 |         - uses: actions/checkout@v5
    |  _________^
357 | |         with:
358 | |           fetch-depth: 50
359 | |           lfs: true
    | |___________________^ does not set persist-credentials: false
    |
    = note: audit confidence \u2192 Low
    = note: this finding has an auto-fix

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> .github/workflows/common-builds-reusable.yaml:468:9
    |
468 |         - uses: actions/checkout@v5
    |  _________^
469 | |         with:
470 | |           fetch-depth: 50
471 | |           fetch-tags: true
472 | |           lfs: true
    | |___________________^ does not set persist-credentials: false
    |
    = note: audit confidence \u2192 Low
    = note: this finding has an auto-fix

warning[excessive-permissions]: overly broad permissions
  --> .github/workflows/common-builds-reusable.yaml:23:3
   |
23 | /   build-generic-gnu:
24 | |     name: Build (generic-gnu)
25 | |     uses: ./.github/workflows/build-job-reusable.yaml
26 | |     if: (!cancelled())
...  |
45 | |           - inspection-accounting
46 | |           - no-examples
   | |                       ^
   | |                       |
   | |_______________________this job
   |                         default permissions used due to no permissions: block
   |
   = note: audit confidence \u2192 Medium

warning[excessive-permissions]: overly broad permissions
  --> .github/workflows/common-builds-reusable.yaml:48:3
   |
48 | /   build-x86_64-linux-gcc:
49 | |     name: Build (x86_64-linux-gcc)
50 | |     uses: ./.github/workflows/build-job-reusable.yaml
51 | |     if: (!cancelled())
...  |
72 | |           - debug
73 | |           - enable-12bit-profile
   | |                                ^
   | |                                |
   | |________________________________this job
   |                                  default permissions used due to no permissions: block
   |
   = note: audit confidence \u2192 Medium

warning[excessive-permissions]: overly broad permissions
  --> .github/workflows/common-builds-reusable.yaml:75:3
   |
75 | /   build-entropy-stats:
76 | |     name: Build (entropy-stats)
77 | |     uses: ./.github/workflows/build-job-reusable.yaml
78 | |     if: (!cancelled())
...  |
90 | |         avm-build-config:
91 | |           - entropy-stats
   | |                         ^
   | |                         |
   | |_________________________this job
   |                           default permissions used due to no permissions: block
   |
   = note: audit confidence \u2192 Medium

warning[excessive-permissions]: overly broad permissions
   --> .github/workflows/common-builds-reusable.yaml:93:3
    |
 93 | /   build-bitstream-mismatch-debug:
 94 | |     name: Build (bitstream-mismatch-debug)
 95 | |     uses: ./.github/workflows/build-job-reusable.yaml
 96 | |     if: (!cancelled())
...   |
105 | |         avm-build-config:
106 | |           - bitstream-mismatch-debug
    | |                                    ^
    | |                                    |
    | |____________________________________this job
    |                                      default permissions used due to no permissions: block
    |
    = note: audit confidence \u2192 Medium

warning[excessive-permissions]: overly broad permissions
   --> .github/workflows/common-builds-reusable.yaml:108:3
    |
108 | /   build-enable-12bit-profile:
109 | |     name: Build (enable-12bit-profile)
110 | |     uses: ./.github/workflows/build-job-reusable.yaml
111 | |     if: (!cancelled())
...   |
120 | |         avm-build-config:
121 | |           - enable-12bit-profile
    | |                                ^
    | |                                |
    | |________________________________this job
    |                                  default permissions used due to no permissions: block
    |
    = note: audit confidence \u2192 Medium

warning[excessive-permissions]: overly broad permissions
   --> .github/workflows/common-builds-reusable.yaml:123:3
    |
123 | /   build-x86-linux-gcc:
124 | |     name: Build (x86-linux-gcc)
125 | |     uses: ./.github/workflows/build-job-reusable.yaml
126 | |     if: (!cancelled())
...   |
147 | |           - no-examples
148 | |           - debug
    | |                 ^
    | |                 |
    | |_________________this job
    |                   default permissions used due to no permissions: block
    |
    = note: audit confidence \u2192 Medium

warning[excessive-permissions]: overly broad permissions
   --> .github/workflows/common-builds-reusable.yaml:150:3
    |
150 | /   build-aarch64-linux-gcc:
151 | |     name: Build (aarch64-linux-gcc)
152 | |     uses: ./.github/workflows/build-job-reusable.yaml
153 | |     if: (!cancelled())
...   |
173 | |           - inspection-accounting
174 | |           - no-examples
    | |                       ^
    | |                       |
    | |_______________________this job
    |                         default permissions used due to no permissions: block
    |
    = note: audit confidence \u2192 Medium

warning[excessive-permissions]: overly broad permissions
   --> .github/workflows/common-builds-reusable.yaml:176:3
    |
176 | /   build-armv7-linux-gcc:
177 | |     name: Build (armv7-linux-gcc)
178 | |     uses: ./.github/workflows/build-job-reusable.yaml
179 | |     if: (!cancelled())
...   |
199 | |           - inspection-accounting
200 | |           - no-examples
    | |                       ^
    | |                       |
    | |_______________________this job
    |                         default permissions used due to no permissions: block
    |
    = note: audit confidence \u2192 Medium

warning[excessive-permissions]: overly broad permissions
   --> .github/workflows/common-builds-reusable.yaml:202:3
    |
202 | /   build-ppc-linux-gcc:
203 | |     name: Build (ppc-linux-gcc)
204 | |     uses: ./.github/workflows/build-job-reusable.yaml
205 | |     if: (!cancelled())
...   |
226 | |           - no-examples
227 | |           - debug
    | |                 ^
    | |                 |
    | |_________________this job
    |                   default permissions used due to no permissions: block
    |
    = note: audit confidence \u2192 Medium

warning[excessive-permissions]: overly broad permissions
   --> .github/workflows/common-builds-reusable.yaml:229:3
    |
229 | /   build-x86-mingw-gcc:
230 | |     name: Build (x86-mingw-gcc)
231 | |     uses: ./.github/workflows/build-job-reusable.yaml
232 | |     if: (!cancelled())
...   |
251 | |           - nasm
252 | |           - no-examples
    | |                       ^
    | |                       |
    | |_______________________this job
    |                         default permissions used due to no permissions: block
    |
    = note: audit confidence \u2192 Medium

warning[excessive-permissions]: overly broad permissions
   --> .github/workflows/common-builds-reusable.yaml:254:3
    |
254 | /   build-x86_64-mingw-gcc:
255 | |     name: Build (x86_64-mingw-gcc)
256 | |     uses: ./.github/workflows/build-job-reusable.yaml
257 | |     if: (!cancelled())
...   |
276 | |           - nasm
277 | |           - no-examples
    | |                       ^
    | |                       |
    | |_______________________this job
    |                         default permissions used due to no permissions: block
    |
    = note: audit confidence \u2192 Medium

warning[excessive-permissions]: overly broad permissions
   --> .github/workflows/common-builds-reusable.yaml:279:3
    |
279 | /   build-x86_64-clang:
280 | |     name: Build (x86_64-clang)
281 | |     uses: ./.github/workflows/build-job-reusable.yaml
282 | |     if: (!cancelled())
...   |
294 | |           - debug
295 | |           - release
    | |                   ^
    | |                   |
    | |___________________this job
    |                     default permissions used due to no permissions: block
    |
    = note: audit confidence \u2192 Medium

error[unpinned-uses]: unpinned action reference
   --> .github/workflows/common-builds-reusable.yaml:305:15
    |
305 |       - uses: actions/checkout@v5
    |               ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence \u2192 High
    = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
   --> .github/workflows/common-builds-reusable.yaml:329:15
    |
329 |         uses: actions/upload-artifact@v7
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence \u2192 High
    = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
   --> .github/workflows/common-builds-reusable.yaml:356:15
    |
356 |       - uses: actions/checkout@v5
    |               ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence \u2192 High
    = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
   --> .github/workflows/common-builds-reusable.yaml:363:15
    |
363 |       - uses: actions/cache/restore@v5
    |               ^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence \u2192 High
    = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
   --> .github/workflows/common-builds-reusable.yaml:430:15
    |
430 |       - uses: actions/cache/save@v5
    |               ^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence \u2192 High
    = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
   --> .github/workflows/common-builds-reusable.yaml:436:15
    |
436 |         uses: actions/upload-artifact@v7
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence \u2192 High
    = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
   --> .github/workflows/common-builds-reusable.yaml:468:15
    |
468 |       - uses: actions/checkout@v5
    |               ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence \u2192 High
    = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
   --> .github/workflows/common-builds-reusable.yaml:476:15
    |
476 |       - uses: actions/cache/restore@v5
    |               ^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence \u2192 High
    = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
   --> .github/workflows/common-builds-reusable.yaml:505:15
    |
505 |       - uses: actions/cache/save@v5
    |               ^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence \u2192 High
    = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
   --> .github/workflows/common-builds-reusable.yaml:511:15
    |
511 |         uses: actions/upload-artifact@v7
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence \u2192 High
    = note: this finding has an auto-fix

error[unpinned-images]: unpinned image references
   --> .github/workflows/common-builds-reusable.yaml:303:18
    |
303 |       image: ${{ inputs.container-image }}
    |                  ^^^^^^^^^^^^^^^^^^^^^^ container image may be unpinned
    |
    = note: audit confidence \u2192 Low

error[unpinned-images]: unpinned image references
   --> .github/workflows/common-builds-reusable.yaml:342:18
    |
342 |       image: ${{ inputs.container-image }}
    |                  ^^^^^^^^^^^^^^^^^^^^^^ container image may be unpinned
    |
    = note: audit confidence \u2192 Low

error[unpinned-images]: unpinned image references
   --> .github/workflows/common-builds-reusable.yaml:462:18
    |
462 |       image: ${{ inputs.container-image }}
    |                  ^^^^^^^^^^^^^^^^^^^^^^ container image may be unpinned
    |
    = note: audit confidence \u2192 Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> .github/workflows/common-test-data-reusable.yaml:29:9
   |
29 |         - uses: actions/checkout@v5
   |  _________^
30 | |         with:
31 | |           fetch-depth: 50
32 | |           lfs: true
   | |___________________^ does not set persist-credentials: false
   |
   = note: audit confidence \u2192 Low
   = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
  --> .github/workflows/common-test-data-reusable.yaml:29:15
   |
29 |       - uses: actions/checkout@v5
   |               ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence \u2192 High
   = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
  --> .github/workflows/common-test-data-reusable.yaml:42:15
   |
42 |         uses: actions/upload-artifact@v7
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence \u2192 High
   = note: this finding has an auto-fix

error[unpinned-images]: unpinned image references
  --> .github/workflows/common-test-data-reusable.yaml:25:18
   |
25 |       image: ${{ inputs.container-image }}
   |                  ^^^^^^^^^^^^^^^^^^^^^^ container image may be unpinned
   |
   = note: audit confidence \u2192 Low

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> .github/workflows/sanitizer-job-reusable.yaml:64:9
   |
64 |         - uses: actions/checkout@v5
   |  _________^
65 | |         with:
66 | |           fetch-depth: 50
67 | |           lfs: true
   | |___________________^ does not set persist-credentials: false
   |
   = note: audit confidence \u2192 Low
   = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
  --> .github/workflows/sanitizer-job-reusable.yaml:98:18
   |
98 |         run: ${{ inputs.before-script }}
   |         ---      ^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |         |
   |         this run block
   |
   = note: audit confidence \u2192 High
   = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
  --> .github/workflows/sanitizer-job-reusable.yaml:64:15
   |
64 |       - uses: actions/checkout@v5
   |               ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence \u2192 High
   = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
  --> .github/workflows/sanitizer-job-reusable.yaml:75:15
   |
75 |         uses: actions/download-artifact@v8
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence \u2192 High
   = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
  --> .github/workflows/sanitizer-job-reusable.yaml:80:15
   |
80 |         uses: actions/download-artifact@v8
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence \u2192 High
   = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
   --> .github/workflows/sanitizer-job-reusable.yaml:230:15
    |
230 |         uses: actions/upload-artifact@v7
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence \u2192 High
    = note: this finding has an auto-fix

error[unpinned-images]: unpinned image references
  --> .github/workflows/sanitizer-job-reusable.yaml:51:18
   |
51 |       image: ${{ inputs.container-image }}
   |                  ^^^^^^^^^^^^^^^^^^^^^^ container image may be unpinned
   |
   = note: audit confidence \u2192 Low

60 findings (14 suppressed, 28 unsafe fixes): 0 informational, 0 low, 18 medium, 28 high

Fix Summary
Successfully applied fixes to 4 files:
  .github/workflows/common-builds-reusable.yaml: 13 fixes
  .github/workflows/sanitizer-job-reusable.yaml: 6 fixes
  .github/workflows/build-job-reusable.yaml: 6 fixes
  .github/workflows/common-test-data-reusable.yaml: 3 fixes

@yunqingwang1

Copy link
Copy Markdown
Contributor

Hi Yannis, thanks for the patch. Could you please add more context about "Zizmor", providing more information for reviewers to make a decision?

Comment thread .github/workflows/build-job-reusable.yaml
@y-guyon

y-guyon commented Jun 30, 2026

Copy link
Copy Markdown
Contributor Author

Could you please add more context about "Zizmor", providing more information for reviewers to make a decision?

Sure, as per https://github.com/zizmorcore/zizmor: a static analysis tool for GitHub Actions. It can find many common security issues in typical GitHub Actions CI/CD setups.

It may not be worth the time to review every warning emitted by zizmor, but I thought applying the easy ones would not hurt. And if we want to go beyond the auto-fixable issues, applying these first makes it simpler to review the non-auto ones in another PR.

@urvangjoshi urvangjoshi enabled auto-merge (squash) July 6, 2026 05:44
@urvangjoshi urvangjoshi merged commit 3935f4b into AOMediaCodec:main Jul 6, 2026
109 checks passed
@wantehchang

Copy link
Copy Markdown
Member

Yannis, Urvang: By searching for "actions/checkout" in the .github/ directory, I found that this pull request missed .github/workflows/pull_request.yaml and .github/workflows/nightly.yaml. I saw the following warning messages in the output of the zizmor command in the PR description:

 WARN collect_inputs: zizmor::registry::input: failed to validate file://.github/workflows/pull_request.yaml as workflow: input does not match expected validation schema
 WARN collect_inputs: zizmor::registry::input: failed to validate file://.github/workflows/nightly.yaml as workflow: input does not match expected validation schema

Should we change these two files manually (at least to add persist-credentials: false), or report this issue to the zizmor maintainers?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants