
Add zizmor and harden GitHub Actions workflows#49

Merged: jeromekelleher merged 2 commits into tskit-dev:main from jeromekelleher:add-zizmor, Jun 30, 2026

Conversation

@jeromekelleher


Zizmor is a static analysis method for GitHub Actions which mitigates against supply chain attacks (which are a real and scary thing). I think it would be good to apply this across the tskit-dev ecosystem so that we don't get packages hijacked (however unlikely that is).

```yaml
shell: bash
# The package list reaches the script as an environment variable that the
# shell expands itself; the Actions expression engine no longer pastes the
# input text into the script before it is parsed.
run: sudo apt-get update && sudo apt-get install -y $ADDITIONAL_APT_PACKAGES
env:
  ADDITIONAL_APT_PACKAGES: ${{ inputs.additional-apt-packages }}
```

Member Author


Note for reference - this defines the input as an environment variable, so the shell never interpolates the attacker-controlled input.
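As an added example (not code from this PR or from zizmor), a small line-based checker for the pattern the comment above describes: it reports `${{ ... }}` expressions that sit inside a `run:` script and reference a context an outside party can influence, and stays quiet when the same expression is moved under `env:`. The list of untrusted contexts and the sample workflow are assumptions constructed for this example.

```python
import re

# Contexts whose values an outside party can choose (action/workflow inputs,
# event payload fields, branch names, step outputs). This list is an
# assumption for the example, not zizmor's own rule set.
UNTRUSTED_CONTEXTS = ("inputs.", "github.event.", "github.head_ref", "steps.")
EXPR_RE = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")
RUN_RE = re.compile(r"^(-\s+)?run:\s*(.*)$")

def find_run_template_injections(workflow_text):
    """Return (line_no, expression) for every ${{ }} expression inside a
    `run:` script that references an untrusted context. The runner expands
    such expressions before the shell parses the script, so the value can
    become shell syntax; under `env:` the shell only sees a variable."""
    findings = []
    in_run, run_col = False, 0
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped:
            continue
        indent = len(line) - len(stripped)
        m = RUN_RE.match(stripped)
        if m:
            in_run = True
            run_col = indent + len(m.group(1) or "")  # column of `run`
            body = m.group(2)
        elif in_run and indent > run_col:  # block-scalar continuation line
            body = stripped
        else:
            in_run = False  # sibling key (env:, with:, ...) ends the script
            continue
        for expr in EXPR_RE.findall(body):
            if expr.startswith(UNTRUSTED_CONTEXTS):
                findings.append((line_no, expr))
    return findings

# Constructed sample: the interpolating step beside the env-variable form.
SAMPLE_WORKFLOW = """\
steps:
  - name: Install extra packages (interpolated, reported)
    shell: bash
    run: sudo apt-get update && sudo apt-get install -y ${{ inputs.additional-apt-packages }}
  - name: Install extra packages (via env, not reported)
    shell: bash
    run: |
      sudo apt-get update
      sudo apt-get install -y $ADDITIONAL_APT_PACKAGES
    env:
      ADDITIONAL_APT_PACKAGES: ${{ inputs.additional-apt-packages }}
"""

if __name__ == "__main__":
    for line_no, expr in find_run_template_injections(SAMPLE_WORKFLOW):
        print(f"line {line_no}: untrusted expression in run: script: {expr}")
```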

@jeromekelleher jeromekelleher merged commit 4aec7e4 into tskit-dev:main Jun 30, 2026
1 check passed
@jeromekelleher jeromekelleher deleted the add-zizmor branch June 30, 2026 12:39