
Feature: add workflow security scan (zizmor)

Open Vombato opened this issue 1 month ago • 1 comment

Description

This PR improves security posture and updates workflow configurations by applying the principle of least privilege to GitHub Actions permissions, pinning action versions to.

Security improvements:

  • Applied principle of least privilege by moving overly broad permissions from workflow level to job level in publish-docker-images.yaml and release-binaries.yaml
  • Pinned all GitHub Actions to specific SHA commits instead of using version tags for improved security and reproducibility
  • Sanitized variable usage by replacing direct GitHub context references with environment variables where appropriate

Workflow updates:

  • See above

These changes address security audit findings while maintaining full workflow functionality.

Type of change

  • [x] Bug fix (non-breaking change which fixes an issue)
  • [ ] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • [ ] This change requires a documentation update

How Has This Been Tested?

  • [x] Verified workflow syntax validation
  • [x] Confirmed permissions are correctly scoped at job level
  • [x] Verified no linting errors introduced

Test Configuration:

  • Go Version: 1.25
  • Hardware: N/A (workflow changes only)
  • Docker Version: N/A

Checklist:

  • [x] My code follows the style guidelines of this project
  • [x] I have performed a self-review of my code
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [x] My changes generate no new warnings
  • [ ] I have added tests that prove my fix is effective or that my feature works
  • [x] New and existing unit tests pass locally with my changes
  • [x] New and existing E2E tests pass locally with my changes
  • [x] Any dependent changes have been merged and published in downstream modules
  • [x] I have not added any vulnerable dependencies to my code

Vombato avatar Nov 27 '25 10:11 Vombato
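The three changes the description lists (permissions scoped per job, actions pinned to a commit SHA, and GitHub context values passed through environment variables) shown side by side with the weak form they replace, as an added example that is not part of this PR or of the project's own workflow files. The block holds two constructed workflow files separated by a YAML document marker; the workflow name, the `lint` and `release` jobs and the step contents are made up for illustration, and the checkout SHA is the commit that `actions/checkout` tag `v4.2.2` resolved to at time of writing and should be re-resolved before use.

```yaml
# Before (weak): constructed example, not the project's workflow
name: release
on:
  push:
    tags: ['v*']

# Workflow-level write scopes are inherited by every job, including jobs
# that only need to read the repository.
permissions:
  contents: write
  packages: write

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      # A mutable tag: whoever can move the tag controls the code that runs here.
      - uses: actions/checkout@v4
      - run: make lint

  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # The commit message is attacker-influenced text that is expanded into the
      # shell script before the shell runs it (template injection).
      - run: echo "Releasing: ${{ github.event.head_commit.message }}"

---
# After (hardened): same constructed workflow with the three fixes applied
name: release
on:
  push:
    tags: ['v*']

# Default for every job: no token scopes at all; each job asks for what it needs.
permissions: {}

jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Pinned to an immutable commit; the trailing comment records the tag it was
      # resolved from, e.g. with:
      #   git ls-remote --tags https://github.com/actions/checkout v4.2.2
      # (take the "^{}" line if one is shown, that is the peeled commit).
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - run: make lint

  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # only the job that creates the release gets write access
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      # Untrusted context goes into an environment variable, so the shell reads it
      # as data via "$COMMIT_MSG" instead of having it spliced into the script text.
      - env:
          COMMIT_MSG: ${{ github.event.head_commit.message }}
        run: echo "Releasing: $COMMIT_MSG"
```

Running `zizmor .github/workflows/` over the first file reports the three problems under its `excessive-permissions`, `unpinned-uses` and `template-injection` audits; the second file is what a clean run looks like for the same workflow. Note that `permissions: {}` at workflow level is what makes the job-level blocks meaningful: a job without its own `permissions` inherits the workflow default, so an empty default forces every job to declare its scopes explicitly.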

Codecov Report

:white_check_mark: All modified and coverable lines are covered by tests.

:loudspeaker: Thoughts on this report? Let us know!

codecov-commenter avatar Nov 27 '25 10:11 codecov-commenter