fix: harden GitHub Actions workflows (#1129)

reberhardt7 · jdalton · web-flow · commit 5817a149d94c · 2026-03-25T12:22:46.000-04:00
* fix: harden GitHub Actions workflows (zizmor)

- Fix template-injection in ci.yml: move matrix.shard expressions to env
  vars in unit test and e2e test steps
- Fix template-injection in provenance.yml: move matrix.libc,
  matrix.platform, and matrix.arch expressions to env vars in SEA build step
- Fix ref-version-mismatch: update pnpm/action-setup SHA to match v5 tag
  across all workflows (ci.yml, provenance.yml, weekly-update.yml)
- Fix ref-version-mismatch: update actions/upload-artifact from impostor
  commit to v4.6.2 in provenance.yml
- Add dependabot cooldown configuration (default-days: 7)
- Disable secrets-outside-env rule via .github/zizmor.yml
  (repo policy decision, not a code-level fix)

* fix(ci): suppress zizmor cache-poisoning on setup-node steps

Add inline zizmor ignore comments for the 4 setup-node cache-poisoning
false positives (low confidence) while keeping the rule active globally.

---------

Co-authored-by: jdalton &lt;john.david.dalton@gmail.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -8,3 +8,5 @@ updates:
     schedule:
       interval: yearly
     open-pull-requests-limit: 0
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -73,10 +73,10 @@ jobs:
           persist-credentials: false
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@58e6119fe4f3092a76a7771efb55e04d25b6b26f # v5
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
 
       - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # zizmor: ignore[cache-poisoning] # v6.3.0
         with:
           node-version-file: .node-version
           cache: 'pnpm'
@@ -139,10 +139,10 @@ jobs:
           persist-credentials: false
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@58e6119fe4f3092a76a7771efb55e04d25b6b26f # v5
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
 
       - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # zizmor: ignore[cache-poisoning] # v6.3.0
         with:
           node-version-file: .node-version
           cache: 'pnpm'
@@ -212,10 +212,10 @@ jobs:
           persist-credentials: false
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@58e6119fe4f3092a76a7771efb55e04d25b6b26f # v5
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
 
       - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # zizmor: ignore[cache-poisoning] # v6.3.0
         with:
           node-version: ${{ matrix.node-version }}
           cache: 'pnpm'
@@ -267,7 +267,9 @@ jobs:
 
       - name: Run unit tests (shard ${{ matrix.shard }})
         working-directory: packages/cli
-        run: pnpm test:unit --shard=${{ matrix.shard }}/3
+        env:
+          SHARD: ${{ matrix.shard }}
+        run: pnpm test:unit --shard="$SHARD"/3
 
   # E2E tests
   e2e:
@@ -290,10 +292,10 @@ jobs:
           persist-credentials: false
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@58e6119fe4f3092a76a7771efb55e04d25b6b26f # v5
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
 
       - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # zizmor: ignore[cache-poisoning] # v6.3.0
         with:
           node-version: ${{ matrix.node-version }}
           cache: 'pnpm'
@@ -347,4 +349,5 @@ jobs:
         working-directory: packages/cli
         env:
           SOCKET_CLI_API_TOKEN: ${{ secrets.SOCKET_CLI_API_TOKEN }}
-        run: pnpm run e2e-tests --shard=${{ matrix.shard }}/2
+          SHARD: ${{ matrix.shard }}
+        run: pnpm run e2e-tests --shard="$SHARD"/2
diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
@@ -57,7 +57,7 @@ jobs:
           cache: 'pnpm'
           cache-dependency-path: 'pnpm-lock.yaml'
 
-      - uses: pnpm/action-setup@58e6119fe4f3092a76a7771efb55e04d25b6b26f # v5
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
 
       - run: pnpm install --frozen-lockfile
 
@@ -71,7 +71,7 @@ jobs:
           echo "matrix=$MATRIX" >> $GITHUB_OUTPUT
 
       - name: Upload CLI bundle
-        uses: actions/upload-artifact@ea165f8ff5e4e9264e1c76a100385dcb87c2b141 # v4.4.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: cli-bundle
           path: packages/cli/build/cli.js
@@ -102,7 +102,7 @@ jobs:
           cache-dependency-path: 'pnpm-lock.yaml'
           registry-url: 'https://registry.npmjs.org'
 
-      - uses: pnpm/action-setup@58e6119fe4f3092a76a7771efb55e04d25b6b26f # v5
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
 
       - run: pnpm install --frozen-lockfile
 
@@ -114,18 +114,22 @@ jobs:
 
       - name: Build SEA binary
         shell: bash
+        env:
+          MATRIX_LIBC: ${{ matrix.libc }}
+          MATRIX_PLATFORM: ${{ matrix.platform }}
+          MATRIX_ARCH: ${{ matrix.arch }}
         run: |
           LIBC_FLAG=""
-          if [ "${{ matrix.libc }}" = "musl" ]; then
+          if [ "$MATRIX_LIBC" = "musl" ]; then
             LIBC_FLAG="--libc=musl"
           fi
           pnpm --filter @socketsecurity/cli run build:sea -- \
-            --platform=${{ matrix.platform }} \
-            --arch=${{ matrix.arch }} \
+            --platform="$MATRIX_PLATFORM" \
+            --arch="$MATRIX_ARCH" \
             ${LIBC_FLAG}
 
       - name: Upload binary
-        uses: actions/upload-artifact@ea165f8ff5e4e9264e1c76a100385dcb87c2b141 # v4.4.3
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: binary-${{ matrix.releasePlatform }}-${{ matrix.arch }}${{ matrix.libc && '-musl' || '' }}
           path: packages/package-builder/build/prod/out/socketbin-cli-${{ matrix.releasePlatform }}-${{ matrix.arch }}${{ matrix.libc && '-musl' || '' }}/socket${{ matrix.platform == 'win32' && '.exe' || '' }}
@@ -154,7 +158,7 @@ jobs:
           cache-dependency-path: 'pnpm-lock.yaml'
           registry-url: 'https://registry.npmjs.org'
 
-      - uses: pnpm/action-setup@58e6119fe4f3092a76a7771efb55e04d25b6b26f # v5
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
 
       - run: pnpm install --frozen-lockfile
 
diff --git a/.github/workflows/weekly-update.yml b/.github/workflows/weekly-update.yml
@@ -38,7 +38,7 @@ jobs:
           cache: ''
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@58e6119fe4f3092a76a7771efb55e04d25b6b26f # v5
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -95,7 +95,7 @@ jobs:
           cache: ''
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@58e6119fe4f3092a76a7771efb55e04d25b6b26f # v5
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,4 @@
+rules:
+  secrets-outside-env:
+    disable: true
+

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +rules:
 +  secrets-outside-env:
 +    disable: true
++