fix(ci): add zizmor scanner and fix workflow security findings (#10618)

* ci: add zizmor GitHub Actions security scanner

* fix(ci): prevent script injection via env vars

* fix(ci): set persist-credentials: false across workflows
Shaan Majid 2026-04-02 06:42:08 +00:00 committed by GitHub
parent e9a1db9d9b
commit a04dd96dbb
7 changed files with 49 additions and 13 deletions


@ -17,6 +17,8 @@ jobs:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: github/ai-moderator@81159c370785e295c97461ade67d7c33576e9319 # v1.1.4
with:
token: ${{ secrets.GITHUB_TOKEN }}


@ -15,12 +15,14 @@ jobs:
steps:
- name: Checkout repo
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: 24.x
cache: npm
registry-url: 'https://registry.npmjs.org'
package-manager-cache: false
- name: Install dependencies
run: npm ci
- name: Build project


@ -28,7 +28,7 @@ jobs:
- name: Checkout repo
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: true
persist-credentials: false
- name: Setup node
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
@ -66,7 +66,7 @@ jobs:
- name: Checkout repo
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: true
persist-credentials: false
- name: Setup node
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
@ -100,7 +100,7 @@ jobs:
- name: Checkout repo
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: true
persist-credentials: false
- name: Setup node
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
@ -134,7 +134,7 @@ jobs:
- name: Checkout repo
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: true
persist-credentials: false
- name: Setup node
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
@ -168,7 +168,7 @@ jobs:
- name: Checkout repo
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: true
persist-credentials: false
- name: Setup node
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
@ -213,10 +213,12 @@ jobs:
- name: Bump version with NPM version
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
INPUT_TYPE: ${{ github.event.inputs.type }}
INPUT_BETA: ${{ github.event.inputs.beta }}
id: bump-version
run: |
TYPE=${{ github.event.inputs.type }}
BETA=${{ github.event.inputs.beta }}
TYPE="${INPUT_TYPE}"
BETA="${INPUT_BETA}"
if [ "$TYPE" = "auto" ]; then
npm version $(npm version | grep -Eo 'patch|minor|major' | head -1)
else
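Review bot: With the five checkouts in this file now set to `persist-credentials: false`, any later step that pushes the version commit or tag created by `npm version` at the bump step no longer finds a token in the git config, so that push has to be given credentials explicitly for that step alone (for example an authenticated remote URL derived from `GITHUB_TOKEN`); the same applies to the five flipped checkouts in the next file and to the `fetch-depth: 0` checkout ahead of the `git config` step in the file after it. The push step itself, if any, is outside the hunks shown, so this is inferred from the `npm version` call rather than from a visible failure. Separately, `TYPE` is now read safely from `INPUT_TYPE`, but nothing in the hunk constrains its value before it presumably reaches `npm version`; unless the `workflow_dispatch` input is declared as a `choice`, a guard such as `case "$TYPE" in auto|patch|minor|major) ;; *) echo "unsupported type: $TYPE" >&2; exit 1 ;; esac` keeps an arbitrary string from being handed to npm. The bump step's `run` block continues beyond the hunk.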


@ -20,7 +20,7 @@ jobs:
- name: Checkout repo
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: true
persist-credentials: false
- name: Setup node
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
@ -60,7 +60,7 @@ jobs:
- name: Checkout repo
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: true
persist-credentials: false
- name: Setup node
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
@ -94,7 +94,7 @@ jobs:
- name: Checkout repo
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: true
persist-credentials: false
- name: Setup node
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
@ -128,7 +128,7 @@ jobs:
- name: Checkout repo
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: true
persist-credentials: false
- name: Setup node
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
@ -162,7 +162,7 @@ jobs:
- name: Checkout repo
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: true
persist-credentials: false
- name: Setup node
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:


@ -20,6 +20,7 @@ jobs:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- name: git config
run: |
git config user.name "${GITHUB_ACTOR}"

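--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,24 @@
+name: GitHub Actions Security Analysis with zizmor
+on:
+push:
+branches: [v1.x]
+pull_request:
+branches: ["**"]
+permissions: {}
+jobs:
+zizmor:
+runs-on: ubuntu-latest
+permissions:
+security-events: write
+steps:
+- name: Checkout repo
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
+- name: Run zizmor
+uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2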
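Review bot: The job grants only `security-events: write`, which is sufficient for the SARIF upload on a public repository, but if this repository is or becomes private the checkout and the code-scanning upload also need `contents: read` and `actions: read` in the same job-level `permissions` block; recording that assumption next to the block, e.g. `# contents: read and actions: read are only required for private repos`, keeps the next maintainer from widening it blindly. The `pull_request` trigger on `branches: ["**"]` also covers PRs from forks, whose `GITHUB_TOKEN` is read-only, so the upload is expected to fail on those runs and a short comment on the trigger saying so would save confusion. Both points are inferred from the triggers and permissions shown, not from a visible failure.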

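--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+excessive-permissions:
+# TODO: audit and narrow permissions across all workflows
+disable: true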
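Review bot: `disable: true` switches `excessive-permissions` off for every workflow, including any added after this commit, so the TODO directly above it will never be surfaced by the scanner it was written for; suppressing only the current findings through the rule's `ignore` list, one entry per workflow file that trips it today (`ignore: [<existing-workflow>.yml, ...]`, names to be filled in from the scanner output), keeps new or rewritten workflows under the check while the audit is pending. The top-level `permissions: {}` plus job-level grants used by the new zizmor workflow in this same commit is the shape the audit should converge on, and is worth stating in the TODO.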