- Add persist-credentials: false to actions/checkout (mitigates artipacked)
- Add permissions: contents: read to the caller workflows (mitigates excessive-permissions)
- Change secrets: inherit to an explicit list of secrets (mitigates secrets-inherit)
- Add a zizmor config file and disable secrets-outside-env (an Environment setup is required for it)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pull request overview
The work addressing zizmor's findings by reducing workflow permissions and secret handling to least privilege is well organized. This PR improves the GitHub Actions security configuration and lowers the risk of unintended permission grants and secret exposure.
Changes:
- Added persist-credentials: false to actions/checkout in the reusable workflows
- In the caller workflows, made permissions: { contents: read } explicit and changed secrets: inherit to explicit passing of secrets
- Added .github/zizmor.yml and disabled the secrets-outside-env rule
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/zizmor.yml | Adds zizmor rule configuration, reflecting an interim operational workaround for a specific finding |
| .github/workflows/on-push-to-main.yml | Minimizes the caller's permissions and switches to explicit passing of secrets |
| .github/workflows/on-pull_request.yml | Makes the caller's minimized permissions (contents read) explicit |
| .github/workflows/_reusable_lambda_rie_test.yml | Disables persistence of checkout credentials |
| .github/workflows/_reusable_deploy.yml | Disables persistence of checkout credentials |
| .github/workflows/_reusable_check.yml | Disables persistence of checkout credentials |
| .github/workflows/_reusable_cdk_synth.yml | Disables persistence of checkout credentials |
Added because aws-actions/configure-aws-credentials fails when id-token: write, which the reusable side needs for OIDC authentication, is not granted by the caller. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
issue
None (addresses security findings detected by a zizmor scan)
Changes
- Added persist-credentials: false to actions/checkout (all reusable workflows)
- Added permissions (id-token: write is also granted for the deploy workflow)
- Changed secrets: inherit to an explicit list of secrets
- Added .github/zizmor.yml and disabled secrets-outside-env (a GitHub Environment setup is required, to be handled separately)
What was verified
- Confirmed "No findings to report" from zizmor .github/workflows/
Screenshots
None
Additional notes
secrets-outside-env requires creating an Environment on the repository side and migrating the secrets into it, so it was disabled in the zizmor config.
Self-check at PR time
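The caller/reusable pattern described in this PR, shown as an added illustration with the zizmor-flagged settings beside the hardened ones. These are not the repository's own workflow files: the workflow names, job names, the secret name APP_DEPLOY_ROLE_ARN, the IAM role reference and the AWS region are all assumptions.

```yaml
# Added example, not this repository's workflow files. Names such as
# APP_DEPLOY_ROLE_ARN and the region are illustrative assumptions.

# .github/workflows/on-push-to-main.yml (caller)
name: on-push-to-main
on:
  push:
    branches: [main]

# Before: no top-level permissions, so every job received the repository's
# default GITHUB_TOKEN scope (zizmor: excessive-permissions).
# After: read-only at the top; anything broader is granted per job.
permissions:
  contents: read

jobs:
  deploy:
    # The reusable workflow obtains AWS credentials via OIDC, so the caller
    # must grant id-token: write; a called workflow cannot widen its scope.
    permissions:
      contents: read
      id-token: write
    uses: ./.github/workflows/_reusable_deploy.yml
    # Before (zizmor: secrets-inherit):
    #   secrets: inherit
    # After: pass only the secrets this job needs, by name.
    secrets:
      APP_DEPLOY_ROLE_ARN: ${{ secrets.APP_DEPLOY_ROLE_ARN }}

---
# .github/workflows/_reusable_deploy.yml (reusable)
name: _reusable_deploy
on:
  workflow_call:
    secrets:
      APP_DEPLOY_ROLE_ARN:
        required: true

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          # Before: the default (true) stores GITHUB_TOKEN in .git/config,
          # where later steps or uploaded artifacts can expose it
          # (zizmor: artipacked).
          persist-credentials: false
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.APP_DEPLOY_ROLE_ARN }}
          aws-region: ap-northeast-1
```

The deploy job above still has no environment: key, which is exactly what zizmor's secrets-outside-env rule flags and why the PR disables that rule until a GitHub Environment exists and the secrets are migrated into it.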