Merge pull request #129 from Uniswap/fix/zizmor-security-findings

dgilmanuni · web-flow · commit 3274a65d19a7 · 2026-03-09T18:41:32.000-07:00
fix: resolve zizmor GitHub Actions security findings
diff --git a/.github/workflows/deploy-tenderly.yaml b/.github/workflows/deploy-tenderly.yaml
@@ -7,13 +7,15 @@ on:
     paths:
       - src/briefcase/deployers/**
 
+permissions: {}
 jobs:
   deploy-to-tenderly:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           submodules: recursive
+          persist-credentials: false
 
       # Create Tenderly Virtual TestNet environment: https://docs.tenderly.co/virtual-testnets
       - name: Setup Tenderly Virtual TestNet
@@ -38,6 +40,7 @@ jobs:
         env:
           TENDERLY_ADMIN_RPC_URL: ${{ env.TENDERLY_ADMIN_RPC_URL }}
           ADMIN_WALLET: ${{ vars.TENDERLY_ADMIN_WALLET }}
+          VARS_TENDERLY_ADMIN_WALLET: ${{ vars.TENDERLY_ADMIN_WALLET }}
         run: |
           curl $TENDERLY_ADMIN_RPC_URL \
             -X POST \
@@ -46,7 +49,7 @@ jobs:
               "jsonrpc": "2.0",
               "method": "tenderly_setBalance",
               "params": [
-                "${{ vars.TENDERLY_ADMIN_WALLET }}",
+                "${VARS_TENDERLY_ADMIN_WALLET}",
                 "0x3635c9adc5dea00000"
               ],
               "id": "1234"
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
@@ -5,11 +5,14 @@ on:
   pull_request:
     branches: [main, master, staging, dev, feat/**, fix/**]
 
+permissions: {}
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v2
         with:
           submodules: recursive
diff --git a/.github/workflows/push-briefcase.yaml b/.github/workflows/push-briefcase.yaml
@@ -22,6 +22,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Configure Git
         run: |
diff --git a/.github/workflows/update-briefcase.yaml b/.github/workflows/update-briefcase.yaml
@@ -18,6 +18,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: recursive
+          persist-credentials: false
 
       - name: Install Foundry
         uses: foundry-rs/foundry-toolchain@v1
diff --git a/.github/workflows/update-submodules.yaml b/.github/workflows/update-submodules.yaml
@@ -16,6 +16,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Update Submodules
         run: |
diff --git a/.github/workflows/verify-briefcase.yaml b/.github/workflows/verify-briefcase.yaml
@@ -16,6 +16,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: recursive
+          persist-credentials: false
 
       - name: Install Foundry
         uses: foundry-rs/foundry-toolchain@v1
