| - name: Set up Node.js | ||
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | ||
| with: | ||
| registry-url: "https://registry.npmjs.org" |
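Review bot: with `registry-url` set, setup-node writes an `.npmrc` whose auth line is `//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}`, and that variable is read when npm runs, so it belongs in the `env:` of the `npm ci` / publish step rather than on this setup step; as the hunk stands nothing in the job exports `NODE_AUTH_TOKEN`, so installs from the private scope will get a 401/404 from the registry.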
Missing NODE_AUTH_TOKEN for private package installation
High Severity
The old moneyhub/checkout-and-setup@v1 received npm-token: ${{ secrets.NPM_TOKEN }} with an explicit comment that it was "still used for registry auth during install (e.g. private scopes)." The replacement actions/setup-node with registry-url creates an .npmrc referencing NODE_AUTH_TOKEN, but that environment variable is never set. The private @mft/eslint-config-momentumft devDependency will fail to install even once npm ci is added back.
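One way to wire the token back in, as an added example rather than the PR's own workflow (the step names and the `NPM_TOKEN` secret name are assumptions; version tags are used where the PR pins commit SHAs):

```yaml
# Excerpt of a publish job: setup-node writes the .npmrc, the install step
# supplies the token the .npmrc refers to. Added example, not the PR's file.
steps:
  - name: Set up Node.js
    uses: actions/setup-node@v4   # pin to a commit SHA as the PR does elsewhere
    with:
      registry-url: "https://registry.npmjs.org"   # writes //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}

  - name: Install dependencies
    # --ignore-scripts keeps postinstall hooks from running with the token in the environment
    run: npm ci --ignore-scripts
    env:
      NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # read by npm through the generated .npmrc

  - name: Verify registry signatures
    run: npm audit signatures
```

The token is scoped to the single step that needs it; the later steps (tests, publish) add it again only if they actually talk to the registry, so a compromised dependency script never sees it.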
| shell: bash | ||
| run: uvx zizmor --format=sarif . > results.sarif | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
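Review bot: the redirect captures stdout, but zizmor still exits non-zero when it reports findings, so this step fails on exactly the runs that produce a results.sarif worth uploading; any `upload-sarif` step added after it needs `if: always()` (or this step needs `continue-on-error: true`) or the findings are never uploaded.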
Missing SARIF upload step in zizmor workflow
High Severity
The workflow generates SARIF output to results.sarif and requests security-events: write permission, but never uploads the SARIF file to GitHub's code scanning. A github/codeql-action/upload-sarif step is missing after the zizmor run step. Without it, the security scan results are discarded and never appear in the repository's Security tab, making the workflow non-functional for its intended purpose.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
There are 4 total unresolved issues (including 2 from previous reviews).
| shell: bash | ||
| run: uvx zizmor . | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
Zizmor scan results never uploaded as SARIF
Medium Severity
The job requests security-events: write permission but uvx zizmor . outputs in the default text format, not SARIF. There is no --format=sarif flag and no github/codeql-action/upload-sarif step. Findings won't appear in the GitHub Security tab — only in workflow logs. Either the zizmorcore/zizmor-action (which handles SARIF automatically) or a manual --format=sarif plus upload-sarif step is needed to use the requested permission.
| name: Run zizmor 🌈 | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| security-events: write |
Missing contents and actions read permissions for zizmor
Medium Severity
The workflow sets permissions: {} at the top level (stripping all defaults), but the job only grants security-events: write. The recommended zizmor configuration also requires contents: read (needed for actions/checkout on private repos and for upload-sarif) and actions: read (needed for zizmor to audit referenced actions via the GitHub API using GH_TOKEN).
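A complete zizmor job that grants the three permissions and actually uploads the SARIF, as an added example and not the PR's `zizmor.yml` (job and step names are assumptions; version tags stand in for the commit SHAs the PR pins):

```yaml
# Added example: a zizmor workflow whose requested permissions are all used.
name: zizmor

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions: {}   # drop every default at the top level; grant per job below

jobs:
  zizmor:
    name: Run zizmor
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # required by upload-sarif
      contents: read           # actions/checkout on private repos, and upload-sarif
      actions: read            # zizmor audits referenced actions via GH_TOKEN
    steps:
      - uses: actions/checkout@v4   # pin to a commit SHA as the PR does elsewhere
        with:
          persist-credentials: false

      - name: Run zizmor
        shell: bash
        run: uvx zizmor --format=sarif . > results.sarif   # SARIF on stdout, findings exit non-zero
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload SARIF to code scanning
        if: always()   # upload even when the scan step failed because of findings
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Leaving the scan step's exit code intact keeps the check red when zizmor finds something, while `if: always()` on the upload step guarantees the findings still reach the Security tab. If the check should not block merges, `continue-on-error: true` on the scan step is the alternative.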


Note
Medium Risk
Changes CI/CD and the npm publish pipeline; misconfiguration could break releases or change the security posture of workflow permissions and checks.
Overview
Adds a new zizmor.yml workflow that runs uvx zizmor . on push/pull_request to main, using minimal default permissions and writing security-events. Hardens existing workflows by pinning action SHAs and disabling credential persistence in checkouts. The publish workflow is refactored to run on ubuntu-latest, explicitly sets up Node, and adds supply-chain steps (npm ci --ignore-scripts + npm audit signatures + controlled script execution) plus JUnit test reporting via mikepenz/action-junit-report.
Written by Cursor Bugbot for commit dddc214.