
Conversation

@KevinMind (Contributor) commented Jul 29, 2025

Fixes: #15744

Description

Add actionlint and zizmor to do static analysis on our github actions defined in mozilla/addons

Context

GitHub action pins

Testing

Checklist

  • Add #ISSUENUM at the top of your PR to an existing open issue in the mozilla/addons repository.
  • Successfully verified the change locally.
  • The change is covered by automated tests, or otherwise indicated why doing so is unnecessary/impossible.
  • Add before and after screenshots (Only for changes that impact the UI).
  • Add or update relevant docs reflecting the changes made.


@KevinMind KevinMind force-pushed the kevinmind/addons/15744 branch from 5e5af2c to 88dee81 Compare July 29, 2025 20:12
@KevinMind KevinMind force-pushed the kevinmind/addons/15744 branch 10 times, most recently from 2200716 to a4d415e Compare July 29, 2025 20:41
@KevinMind KevinMind force-pushed the kevinmind/addons/15744 branch from a4d415e to 009d9b6 Compare July 30, 2025 05:28
@KevinMind KevinMind requested review from Copilot and diox July 30, 2025 05:52
Copilot AI (Contributor) left a comment

Pull Request Overview

This PR adds static analysis tools for GitHub Actions workflows by introducing actionlint and zizmor linting capabilities, along with security improvements to existing workflows through action pinning and permission hardening.

  • Adds Docker-based linting tools (actionlint and zizmor) with configuration files and Makefile targets
  • Pins GitHub Actions to specific commit hashes for enhanced security
  • Hardens workflow permissions by adding explicit permission declarations and disabling credential persistence

Reviewed Changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 3 comments.

Summary per file:
  • zizmor.yml: Configuration file for zizmor static analysis tool
  • docker-compose.tools.yml: Docker compose configuration for actionlint and zizmor tools
  • Makefile: Build targets for running linting tools
  • .github/workflows/transfer-issues.yml: Removes entire workflow file
  • .github/workflows/stale.yml: Adds empty permissions declaration
  • .github/workflows/docs.yml: Hardens permissions and disables credential persistence
  • .github/workflows/ci.yml: Adds action linting job and hardens security across all jobs
  • .github/dependabot.yml: Changes update interval from weekly to daily
  • .github/actions/slack/action.yml: Pins slack action to specific commit hash
  • .github/actions/slack-workflow-notification/action.yml: Adds zizmor ignore comment for unpinned action usage
  • .github/actions/pr-comment/action.yml: Refactors to use environment variables instead of direct substitution
  • .github/actions/login-gar/action.yml: Pins auth and login actions to commit hashes
  • .github/actions/login-docker/action.yml: Pins login action to commit hash
  • .github/actions/context/action.yml: Refactors to use environment variables and improves shell safety

@diox (Member) left a comment

I had assigned the issue to me yesterday afternoon since nobody had it and was about to submit a very similar fix 😅

@KevinMind KevinMind requested a review from diox July 30, 2025 13:02
@KevinMind KevinMind merged commit f748fdc into main Jul 30, 2025
29 checks passed
@KevinMind KevinMind deleted the kevinmind/addons/15744 branch July 30, 2025 13:46
Development

Successfully merging this pull request may close these issues.

[Bug]: Make mozilla/addons github actions more secure