Address issues discovered by zizmor (#119)

1. Don't persist credentials 2. Scope broader permissions to the specific step 3. Use an environment variable for the ref_name instead of template Signed-off-by: Ben Cotton <ben@kusari.dev>
guacsec · Nov 22, 2024 · ecfb57a · ecfb57a
1 parent aa44915
commit ecfb57a
Showing 1 changed file with 9 additions and 4 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -21,8 +21,7 @@ on:
 
 permissions:
   actions: read   # for detecting the Github Actions environment.
-  packages: write # To publish container images to GHCR
-  id-token: write # needed for signing the images with GitHub OIDC Token **not production ready**
+  packages: read # To publish container images to GHCR
 
 jobs:
   build-n-release:
@@ -40,6 +39,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # tag=v3
+        with:
+          persist-credentials: false
       - name: Login to GitHub Container Registry
         uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
         with:
@@ -64,9 +65,11 @@ jobs:
         run: |
           #!/usr/bin/env bash
           set -euo pipefail
-          pack build --env NODE_ENV=production ${IMAGE_URI}:${{ github.ref_name }} --builder ${BUILDER} --buildpack ${BUILDPACK} --publish --sbom-output-dir ${BUILDPACK_SBOM_OUTPUT_DIR}
-          echo "IMAGE_DIGEST=$(crane digest ${IMAGE_URI}:${{ github.ref_name }})" >> $GITHUB_OUTPUT
+          pack build --env NODE_ENV=production ${IMAGE_URI}:${GITHUB_REF_NAME} --builder ${BUILDER} --buildpack ${BUILDPACK} --publish --sbom-output-dir ${BUILDPACK_SBOM_OUTPUT_DIR}
+          echo "IMAGE_DIGEST=$(crane digest ${IMAGE_URI}:${GITHUB_REF_NAME})" >> $GITHUB_OUTPUT
       - name: Sign and verify image
+        permissions:
+          packages: write # To publish container images to GHCR
         run: |
           #!/usr/bin/env bash
           set -euo pipefail
@@ -85,6 +88,8 @@ jobs:
     needs: [build-n-release]
     if: startsWith(github.ref, 'refs/tags/')
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 # must use semver here
+    permissions:
+      id-token: write # needed for signing the images with GitHub OIDC Token **not production ready**
     with:
       image: ${{ needs.build-n-release.outputs.image }}
       digest: ${{ needs.build-n-release.outputs.digest }}