Adjustments based on zizmor security analysis

tim-schilling · tim-schilling · commit 0397b953a749 · 2025-11-10T09:46:47.000-06:00
- Pin all third-party actions to full-length commit SHAs instead of tags
- Add `persist-credentials: false` to all actions/checkout steps to prevent credential exposure
- Add explicit permissions declarations
- Pin mariadb Docker image to specific version (11.8) instead of using floating `latest` tag
- Replace template expressions with environment variables where possible
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -2,7 +2,7 @@
 name: Post coverage comment
 
 on:
-  workflow_run:
+  workflow_run: # zizmor: ignore[dangerous-triggers] - This follows GitHub's recommended pattern for posting PR comments from untrusted forks
     workflows: ["Test"]
     types:
       - completed
@@ -27,7 +27,7 @@ jobs:
       # DO NOT run actions/checkout here, for security reasons
       # For details, refer to https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
       - name: Post comment
-        uses: py-cov-action/python-coverage-comment-action@v3
+        uses: py-cov-action/python-coverage-comment-action@6494290850a5098c2836298dad8f11082b4ceaa9 # v3
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITHUB_PR_RUN_ID: ${{ github.event.workflow_run.id }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,6 +2,8 @@ name: Publish Python 🐍 distribution 📦 to PyPI and TestPyPI
 
 on: push
 
+permissions: {}
+
 env:
   PYPI_URL: https://pypi.org/p/django-debug-toolbar
   PYPI_TEST_URL: https://test.pypi.org/p/django-debug-toolbar
@@ -14,6 +16,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v5
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v6
       with:
@@ -48,7 +52,7 @@ jobs:
         name: python-package-distributions
         path: dist/
     - name: Publish distribution 📦 to PyPI
-      uses: pypa/gh-action-pypi-publish@release/v1.13
+      uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1.13
 
   github-release:
     name: >-
@@ -69,7 +73,7 @@ jobs:
         name: python-package-distributions
         path: dist/
     - name: Sign the dists with Sigstore
-      uses: sigstore/gh-action-sigstore-python@v3.1.0
+      uses: sigstore/gh-action-sigstore-python@f832326173235dcb00dd5d92cd3f353de3188e6c # v3.1.0
       with:
         inputs: >-
           ./dist/*.tar.gz
@@ -79,7 +83,7 @@ jobs:
         GITHUB_TOKEN: ${{ github.token }}
       run: >-
         gh release create
-        '${{ github.ref_name }}'
+        '${GITHUB_REF_NAME}'
         --repo '${{ github.repository }}'
         --notes ""
     - name: Upload artifact signatures to GitHub Release
@@ -90,7 +94,7 @@ jobs:
       # sigstore-produced signatures and certificates.
       run: >-
         gh release upload
-        '${{ github.ref_name }}' dist/**
+        '${GITHUB_REF_NAME}' dist/**
         --repo '${{ github.repository }}'
 
   publish-to-testpypi:
@@ -114,7 +118,7 @@ jobs:
         name: python-package-distributions
         path: dist/
     - name: Publish distribution 📦 to TestPyPI
-      uses: pypa/gh-action-pypi-publish@release/v1.13
+      uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1.13
       with:
         repository-url: https://test.pypi.org/legacy/
         skip-existing: true
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -7,6 +7,9 @@ on:
     # Run weekly on Saturday
     - cron: '37 3 * * SAT'
 
+permissions:
+  contents: read
+
 jobs:
   mysql:
     runs-on: ubuntu-latest
@@ -18,7 +21,7 @@ jobs:
 
     services:
       mariadb:
-        image: mariadb
+        image: mariadb:11.8
         env:
           MARIADB_ROOT_PASSWORD: debug_toolbar
         options: >-
@@ -31,6 +34,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v5
+      with:
+        persist-credentials: false
 
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v6
@@ -118,6 +123,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v5
+      with:
+        persist-credentials: false
 
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v6
@@ -167,6 +174,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v5
+      with:
+        persist-credentials: false
 
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v6
@@ -206,6 +215,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v5
+      with:
+        persist-credentials: false
 
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v6
