These images are OK to be unpinned as they are supposed to run
tests on the latest versions and are not used for doing pipeline
work such as releasing or building user artifacts.

Zizmor now supports auditing token permissions for each workflow run and
reports that we almost never remove the default permissions (which seem
relatively permissive). As a precaution, it does not hurt to revoke all
token permissions by default and see what breaks on the way.

Zizmor detected a potential cache poisoning attack via `setup-docker-buildx`.
There is an argument for this (an attacker with a valid GitHub token could
modify the cache, change the buildx binary and tamper with Docker build releases)
but there is also an argument against it: the buildx cache would prevent
general information leaks when a new buildx release is tampered with. Since
there is no obvious benefit from either side, we ignore this hint and deem it
uncritical.

We also change the trigger of zizmor runs to pushes on main, regardless of
whether workflow files are changed or not, to catch new audits from more
recent zizmor versions.

To add a bit of a safety net to our CI jobs, it might make sense to add a CI security linting tool such as zizmor.
The linting run should be green at the moment since I fixed all reported issues:

- setting `persist-credentials: false` in all checkout runs
- changing template substitutions to environment variable substitutions

I added an ignore rule for `dangerous-triggers` to ignore the `upload_pr_to_documentation` workflow, as our actions are configured to only run such steps on approval, which should already have seen at least maintainer eyes and the zizmor run.
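
The hardening steps named in these messages, shown together in one workflow. This is an added example, not taken from the project's own workflow files: the workflow name, job, step and the `PR_TITLE` variable are hypothetical, and the checkout reference is a placeholder.

```yaml
# Constructed example workflow; names and the job are hypothetical.
name: example-ci
on:
  push:
    branches: [main]
  pull_request:

# Revoke all default GITHUB_TOKEN permissions for every job in this workflow.
# Jobs that need access opt back in explicitly below.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # only what checkout needs; nothing else is granted
    steps:
      - uses: actions/checkout@<pinned-commit-sha>   # placeholder reference
        with:
          # Keep the token out of .git/config so later steps cannot reuse it.
          persist-credentials: false

      # Before (template substitution, expanded into the script text itself):
      #   run: echo "Title: ${{ github.event.pull_request.title }}"
      #
      # After (environment variable substitution): the value reaches the
      # shell as data in $PR_TITLE and is never parsed as shell code.
      - name: Print PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Title: $PR_TITLE"
```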