
Commit a7099c5

eai04191 and claude committed
fix: Address security findings in the GitHub Actions workflows

- Add `persist-credentials: false` to actions/checkout (mitigates artipacked)
- Add `permissions: contents: read` to the caller workflows (mitigates excessive-permissions)
- Replace `secrets: inherit` with an explicit list of secrets (mitigates secrets-inherit)
- Add a zizmor config file and disable `secrets-outside-env` (because it requires an Environment to be configured)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 1d3b4ca commit a7099c5

7 files changed

Lines changed: 20 additions & 1 deletion


.github/workflows/_reusable_cdk_synth.yml

Lines changed: 2 additions & 0 deletions
@@ -8,6 +8,8 @@ jobs:
88
runs-on: ubuntu-latest
99
steps:
1010
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
11+
with:
12+
persist-credentials: false
1113

1214
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
1315
with:
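Review bot: with `persist-credentials: false` on the checkout step, the GITHUB_TOKEN is no longer written into `.git/config`, so any later step in this job that runs `git push`, fetches from a private repository, or installs a git dependency from a private GitHub repo would fail with an authentication error; the visible context only shows `actions/setup-node` following, so this is fine as long as no later step relies on the persisted token. The same caveat applies to the identical change in `_reusable_check.yml`, `_reusable_deploy.yml` and `_reusable_lambda_rie_test.yml`. Both action references are pinned to full commit SHAs with a version comment, which is the right pattern.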

.github/workflows/_reusable_check.yml

Lines changed: 2 additions & 0 deletions
@@ -8,6 +8,8 @@ jobs:
88
runs-on: ubuntu-latest
99
steps:
1010
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
11+
with:
12+
persist-credentials: false
1113

1214
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
1315
with:

.github/workflows/_reusable_deploy.yml

Lines changed: 2 additions & 0 deletions
@@ -16,6 +16,8 @@ jobs:
1616
contents: read
1717
steps:
1818
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
19+
with:
20+
persist-credentials: false
1921

2022
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
2123
with:

.github/workflows/_reusable_lambda_rie_test.yml

Lines changed: 2 additions & 0 deletions
@@ -8,6 +8,8 @@ jobs:
88
runs-on: ubuntu-latest
99
steps:
1010
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
11+
with:
12+
persist-credentials: false
1113

1214
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
1315
with:

.github/workflows/on-pull_request.yml

Lines changed: 3 additions & 0 deletions
@@ -2,6 +2,9 @@ name: on Pull Request
22
on:
33
pull_request:
44

5+
permissions:
6+
contents: read
7+
58
concurrency:
69
group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
710
cancel-in-progress: true
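Review bot: the new top-level `permissions: contents: read` caps the token for every job this workflow calls, and a reusable workflow can only downgrade, never elevate, what the caller grants; confirm that none of the called check jobs needs more (for example `pull-requests: write` to post a comment on the PR), otherwise that step would fail with a 403. If one job does need a write scope, grant it at the job level on that `uses:` job rather than widening the top-level block.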

.github/workflows/on-push-to-main.yml

Lines changed: 6 additions & 1 deletion
@@ -4,11 +4,16 @@ on:
44
push:
55
branches: [main]
66

7+
permissions:
8+
contents: read
9+
710
concurrency:
811
group: ${{ github.workflow }}-${{ github.ref }}
912
cancel-in-progress: true
1013

1114
jobs:
1215
deploy:
1316
uses: ./.github/workflows/_reusable_deploy.yml
14-
secrets: inherit
17+
secrets:
18+
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
19+
SLACK_SIGNING_SECRET: ${{ secrets.SLACK_SIGNING_SECRET }}
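Review bot: two things to verify. First, the new top-level `permissions: contents: read` also caps the called `_reusable_deploy.yml` (a called workflow can only downgrade the caller's permissions), so if the deploy job authenticates to AWS via OIDC it needs `id-token: write` granted here on the `deploy` job. Second, replacing `secrets: inherit` with the explicit `SLACK_BOT_TOKEN` / `SLACK_SIGNING_SECRET` list is the right direction; make sure `_reusable_deploy.yml` declares exactly these under `on.workflow_call.secrets` with `required: true`, so a missing or renamed secret fails at workflow validation instead of arriving as an empty string.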

.github/zizmor.yml

Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
rules:
2+
secrets-outside-env:
3+
disable: true
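Review bot: `disable: true` turns off `secrets-outside-env` for every workflow in the repository, including ones added later, which silently loses the finding for workflows that could be moved to an Environment. zizmor's config also accepts an `ignore:` list of workflow file names under a rule, so scoping the exception to the deploy workflow, e.g. `ignore: [on-push-to-main.yml]`, keeps the audit active elsewhere; a comment recording why it is off (no Environment configured yet) and when to re-enable it would also help.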
