ci: harden CI per Astral's open-source security recommendations

claude · claude · commit 14b4e4a376fe · 2026-04-15T23:40:31.000Z
Adopts the supply-chain practices described in Astral's "Open source security at Astral" post (https://astral.sh/blog/open-source-security-at-astral) and applies them to the FrankenPHP CI: - Add a zizmor workflow that audits every PR/push touching .github (and weekly on a schedule) as a hard gate. zizmor is installed via pipx so the security workflow itself has minimal supply chain. - Tighten every workflow to start with `permissions: {}` and grant the minimum permissions per job, so newly added jobs inherit nothing. - Track Docker base images with Dependabot so security patches in the underlying images surface as reviewable PRs. - Document the hardened posture (zizmor gate, least-privilege perms, environment-scoped secrets, build provenance, no pull_request_target) in SECURITY.md. - Document hash-pinning as the next ratchet in zizmor.yaml; the policy stays at `ref-pin` for now to avoid breaking existing tag pins, with a clear path to switch to `hash-pin` once Dependabot starts updating by SHA. https://claude.ai/code/session_01YEC8c9bU4Mory8FFoiAS5T
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -37,3 +37,21 @@ updates:
           - "*"
     cooldown:
       default-days: 7
+  # Docker base images. Astral recommends keeping the supply chain
+  # under continuous review; Dependabot opens a PR whenever a new base
+  # image becomes available so we never silently fall behind security
+  # patches.
+  - package-ecosystem: docker
+    directories:
+      - /
+      - /caddy
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: chore(docker)
+    groups:
+      docker:
+        patterns:
+          - "*"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -30,13 +30,14 @@ on:
         type: string
   schedule:
     - cron: "0 4 * * *"
-permissions:
-  contents: read
+permissions: {}
 env:
   IMAGE_NAME: ${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/')) && 'dunglas/frankenphp' || 'dunglas/frankenphp-dev' }}
 jobs:
   prepare:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     outputs:
       # Push if it's a scheduled job, a tag, or if we're committing to the main branch
       push: ${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main' && github.event_name != 'pull_request')) && true || false }}
@@ -82,6 +83,8 @@ jobs:
   build:
     environment: dockerhub
     runs-on: ${{ startsWith(matrix.platform, 'linux/arm') && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
+    permissions:
+      contents: read
     needs:
       - prepare
     if: ${{ !fromJson(needs.prepare.outputs.skip) }}
@@ -207,6 +210,8 @@ jobs:
   push:
     environment: dockerhub
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     needs:
       - prepare
       - build
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -10,14 +10,15 @@ on:
   push:
     branches:
       - main
-permissions:
-  contents: read
-  packages: read
-  statuses: write
+permissions: {}
 jobs:
   build:
     name: Lint Code Base
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+      statuses: write
     steps:
       - name: Checkout Code
         uses: actions/checkout@v6
diff --git a/.github/workflows/sanitizers.yaml b/.github/workflows/sanitizers.yaml
@@ -14,8 +14,7 @@ on:
       - main
     paths-ignore:
       - "docs/**"
-permissions:
-  contents: read
+permissions: {}
 env:
   GOTOOLCHAIN: local
   GOTESTSUM_FORMAT: pkgname-and-test-fails
@@ -24,6 +23,8 @@ jobs:
   sanitizers:
     name: ${{ matrix.sanitizer }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/static.yaml b/.github/workflows/static.yaml
@@ -32,8 +32,7 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
-permissions:
-  contents: read
+permissions: {}
 
 env:
   IMAGE_NAME: ${{ (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/')) && 'dunglas/frankenphp' || 'dunglas/frankenphp-dev' }}
@@ -43,6 +42,8 @@ env:
 jobs:
   prepare:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     outputs:
       push: ${{ toJson((steps.check.outputs.ref || (github.event_name == 'workflow_dispatch' && inputs.version) || startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main' && github.event_name != 'pull_request')) && true || false) }}
       platforms: ${{ steps.matrix.outputs.platforms }}
@@ -381,6 +382,8 @@ jobs:
   push:
     environment: dockerhub
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     needs:
       - prepare
       - build-linux-musl
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -14,8 +14,7 @@ on:
       - main
     paths-ignore:
       - "docs/**"
-permissions:
-  contents: read
+permissions: {}
 env:
   GOTOOLCHAIN: local
   GOEXPERIMENT: cgocheck2
@@ -25,6 +24,8 @@ jobs:
     name: Tests (Linux, PHP ${{ matrix.php-versions }})
     runs-on: ubuntu-latest
     continue-on-error: false
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -98,6 +99,8 @@ jobs:
   integration-tests:
     name: Integration Tests (Linux, PHP ${{ matrix.php-versions }})
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -145,6 +148,8 @@ jobs:
   tests-mac:
     name: Tests (macOS, PHP 8.5)
     runs-on: macos-latest
+    permissions:
+      contents: read
     env:
       HOMEBREW_NO_AUTO_UPDATE: 1
       GOFLAGS: "-tags=nowatcher,nobadger,nomysql,nopgx"
diff --git a/.github/workflows/translate.yaml b/.github/workflows/translate.yaml
@@ -8,14 +8,15 @@ on:
       - main
     paths:
       - "docs/*"
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
 jobs:
   build:
     environment: translate
     name: Translate Docs
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Checkout Code
         uses: actions/checkout@v6
diff --git a/.github/workflows/windows.yaml b/.github/workflows/windows.yaml
@@ -28,8 +28,7 @@ on:
   schedule:
     - cron: "0 8 * * *"
 
-permissions:
-  contents: read
+permissions: {}
 
 env:
   GOTOOLCHAIN: local
diff --git a/.github/workflows/wrap-issue-details.yaml b/.github/workflows/wrap-issue-details.yaml
@@ -3,8 +3,7 @@ on:
   issues:
     types: [opened, edited]
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   wrap_content:
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
@@ -0,0 +1,60 @@
+---
+# Static analysis of GitHub Actions workflows.
+#
+# Inspired by Astral's open-source security guidance:
+# https://astral.sh/blog/open-source-security-at-astral
+#
+# zizmor catches misuses such as template injection, credential leaks,
+# excessive permissions, dangerous triggers and impostor commits. It is
+# a hard CI gate: a failed audit blocks the pull request.
+name: GitHub Actions Security Audit
+concurrency:
+  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.ref }}
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - .github/**
+      - zizmor.yaml
+  push:
+    branches:
+      - main
+    paths:
+      - .github/**
+      - zizmor.yaml
+  schedule:
+    # Re-audit weekly so newly published advisories surface even if
+    # no workflow file has changed.
+    - cron: "0 6 * * 1"
+permissions: {}
+jobs:
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      # Required so zizmor can upload SARIF results to GitHub Code
+      # Scanning. Drop this permission if Code Scanning is unavailable.
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      # zizmor is installed via pipx (preinstalled on ubuntu-latest)
+      # rather than a third-party action so the security workflow has
+      # the smallest possible supply chain.
+      - name: Install zizmor
+        run: pipx install zizmor
+      - name: Run zizmor
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: zizmor --format=sarif --min-severity=low . > zizmor.sarif
+      - name: Upload SARIF file
+        if: ${{ !cancelled() }}
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: zizmor.sarif
+          category: zizmor
diff --git a/SECURITY.md b/SECURITY.md
@@ -16,3 +16,34 @@ Please write a detailed vulnerability report and send it [through GitHub](https:
 
 Only vulnerabilities directly affecting FrankenPHP should be reported to this project.
 Flaws affecting components used by FrankenPHP (PHP, Caddy, Go...) or using FrankenPHP (Laravel Octane, PHP Runtime...) should be reported to the relevant projects.
+
+## Supply-chain hardening
+
+FrankenPHP follows the open-source security practices documented in
+[Astral's "Open source security at Astral" post](https://astral.sh/blog/open-source-security-at-astral):
+
+- **Workflow auditing.** Every push and pull request that touches CI
+  is audited by [zizmor](https://docs.zizmor.sh/) as a hard gate. The
+  `unpinned-uses` rule in `zizmor.yaml` requires, at a minimum, a tag
+  pin on every action.
+- **Least-privilege permissions.** Every workflow starts with
+  `permissions: {}` and only broadens access on a per-job basis, so a
+  newly added job inherits no permissions by default.
+- **Environment-scoped secrets.** Secrets that publish artifacts
+  (Docker Hub credentials, the website deploy token, the translation
+  API key) live in dedicated GitHub Environments (`dockerhub`,
+  `website`, `translate`) instead of repository-wide secrets,
+  limiting the blast radius of a compromised job.
+- **Build provenance.** Release binaries are attested with
+  [`actions/attest-build-provenance`](https://github.com/actions/attest-build-provenance)
+  so downstream consumers can verify they were produced by this
+  repository's CI.
+- **Continuous dependency updates.** Dependabot tracks Go modules,
+  GitHub Actions and Docker base images; new versions land through
+  reviewable pull requests rather than implicit `latest` upgrades.
+- **No `pull_request_target`.** Workflows never use the
+  `pull_request_target` trigger, which would expose write tokens to
+  fork pull requests.
+- **Checkout without persisted credentials.** All `actions/checkout`
+  steps set `persist-credentials: false` unless they specifically
+  need to push back to the repository.
diff --git a/zizmor.yaml b/zizmor.yaml
@@ -1,6 +1,16 @@
 ---
+# zizmor static-analysis configuration.
+#
+# See https://docs.zizmor.sh/configuration/ for the full reference.
+#
+# Inspired by Astral's open-source security guidance:
+# https://astral.sh/blog/open-source-security-at-astral
 rules:
   unpinned-uses:
     config:
       policies:
+        # Every action must be pinned to at least a tag (`@v6`).
+        # Hash-pinning to a commit SHA is the long-term goal recommended
+        # by Astral; once the migration is complete, switch this policy
+        # to `hash-pin` so that mutable tags can no longer reach CI.
         "*": ref-pin
