actions/mise-action
12
0
Fork 0
mirror of https://github.com/jdx/mise-action.git synced 2026-05-14 13:50:33 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
mise-action/.github/workflows/test-redacted-env.yml
jdx 46bb674500
chore(ci): add zizmor workflow for github actions security analysis (#471) 
Adds [zizmor](https://github.com/zizmorcore/zizmor) to audit GitHub
Actions workflows for security issues. Runs on push to main and on PRs
that change `.github/workflows/**`. Fails CI on any finding.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Mostly CI/workflow hardening, but it also changes release automation
(`postversion.sh`) and workflow permissions/credentials behavior, which
could break tagging/publishing if misconfigured.
> 
> **Overview**
> Adds a new `zizmor` workflow that runs on PRs/pushes touching
`.github/workflows/**` to security-audit workflows.
> 
> Hardens existing workflows by defaulting to least-privilege
`permissions`, setting `actions/checkout` to `persist-credentials:
false`, and adjusting related behavior (e.g., `scripts/postversion.sh`
now runs `gh auth setup-git` so `git push` still works; `ci.yml`
disables `mise-action` caching; `test.yml` avoids interpolating
`steps.bad.outcome` inside a shell string by passing it via env).
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
d878aee510. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 15:00:12 -05:00

77 lines
2.3 KiB
YAML
Raw Permalink Blame History

name: Test Redacted Environment Variables
on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:
permissions:
contents: read
jobs:
test-redacted-env:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Create test mise config with sensitive values
run: |
cat > .mise.toml << 'EOF'
[env]
PUBLIC_VAR = "this-is-public"
API_KEY = {value = "secret-api-key-12345", redact = true}
SECRET_TOKEN = {value = "supersecret-token-xyz", redact = true}
DATABASE_PASSWORD = {value = "db-pass-789", redact = true}
EOF
- name: Setup mise
uses: ./
- name: Verify environment variables are exported
run: |
echo "Checking if environment variables are set..."
# Check that public var is set
if [ "$PUBLIC_VAR" != "this-is-public" ]; then
echo "ERROR: PUBLIC_VAR not set correctly"
exit 1
fi
echo "✓ PUBLIC_VAR is set correctly"
# Check that sensitive vars are set (but their values should be masked in logs)
if [ -z "$API_KEY" ]; then
echo "ERROR: API_KEY not set"
exit 1
fi
echo "✓ API_KEY is set"
if [ -z "$SECRET_TOKEN" ]; then
echo "ERROR: SECRET_TOKEN not set"
exit 1
fi
echo "✓ SECRET_TOKEN is set"
if [ -z "$DATABASE_PASSWORD" ]; then
echo "ERROR: DATABASE_PASSWORD not set"
exit 1
fi
echo "✓ DATABASE_PASSWORD is set"
- name: Test that sensitive values are masked (will show *** if properly masked)
run: |
echo "Testing value masking..."
echo "API_KEY value: $API_KEY"
echo "SECRET_TOKEN value: $SECRET_TOKEN"
echo "DATABASE_PASSWORD value: $DATABASE_PASSWORD"
echo "PUBLIC_VAR value: $PUBLIC_VAR"
# This should show the actual values in the step output,
# but GitHub Actions should mask them if core.setSecret was called
- name: Verify mise version
run: mise --version
Reference in a new issue View git blame Copy permalink