From b3266c3d96c9400d05707ab75bdefbd5d42704c9 Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Tue, 9 Jun 2026 10:38:03 +0200 Subject: [PATCH 1/8] Add Zizmor config file --- .github/zizmor.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000000..113a076267 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,11 @@ +# Please see the documentation for all configuration options: +# https://docs.zizmor.sh/configuration/ + +rules: + unpinned-uses: + config: + policies: + # Allow `actions/*` and `MetaMask/*` to be pinned to a version instead + # of only to a commit hash. + actions/*: ref-pin + MetaMask/*: ref-pin From d762014c33016f0a8ff465d859cb5ee7b90b62e3 Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Tue, 9 Jun 2026 11:04:34 +0200 Subject: [PATCH 2/8] Fix all Zizmor reported issues --- .../check-merge-queue-changelogs/action.yml | 1 + .github/actions/check-release/action.yml | 1 + .github/workflows/changelog-check.yml | 3 ++ .github/workflows/create-update-issues.yml | 2 ++ .../ensure-blocking-pr-labels-absent.yml | 3 +- .github/workflows/lint-build-test.yml | 28 +++++++++++++------ .github/workflows/main.yml | 17 ++++++++++- .github/workflows/publish-release.yml | 12 +++++--- .github/workflows/update-changelogs.yml | 15 ++++++++-- .github/zizmor.yml | 7 +++++ 10 files changed, 72 insertions(+), 17 deletions(-) diff --git a/.github/actions/check-merge-queue-changelogs/action.yml b/.github/actions/check-merge-queue-changelogs/action.yml index 782f4aab3f..644844318c 100644 --- a/.github/actions/check-merge-queue-changelogs/action.yml +++ b/.github/actions/check-merge-queue-changelogs/action.yml @@ -15,6 +15,7 @@ runs: uses: actions/checkout@v6 with: fetch-depth: 0 + persist-credentials: false - name: Get pull request number id: pr-number 
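Review bot: The `ref-pin` policy for `actions/*` and `MetaMask/*` in the new zizmor.yml accepts mutable tags, so the comment should state the trust assumption and not only the mechanism, e.g. `# Allow actions/* and MetaMask/* to be pinned to a tag (ref-pin) instead of a commit hash: these orgs are trusted and Dependabot keeps the tags current.` A tag can be moved after the fact while a commit SHA cannot, so the workflows that run with `is-high-risk-environment: true` (publish-release.yml in patch 2) would get the strongest guarantee from the default `hash-pin`; if that matters here, consider scoping the `ref-pin` exception to the non-release workflows rather than to the whole org pattern.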
diff --git a/.github/actions/check-release/action.yml b/.github/actions/check-release/action.yml index 186eaa7583..34c055b649 100644 --- a/.github/actions/check-release/action.yml +++ b/.github/actions/check-release/action.yml @@ -13,6 +13,7 @@ runs: uses: actions/checkout@v5 with: fetch-depth: 0 + persist-credentials: false - name: Get merge base id: merge-base diff --git a/.github/workflows/changelog-check.yml b/.github/workflows/changelog-check.yml index 9a2727c463..b6395b1819 100644 --- a/.github/workflows/changelog-check.yml +++ b/.github/workflows/changelog-check.yml @@ -8,6 +8,9 @@ jobs: check-changelog: name: Check changelog runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read steps: - name: Check changelog uses: MetaMask/github-tools/.github/actions/check-changelog@v1 diff --git a/.github/workflows/create-update-issues.yml b/.github/workflows/create-update-issues.yml index 93ae77b167..08ab3f35dc 100644 --- a/.github/workflows/create-update-issues.yml +++ b/.github/workflows/create-update-issues.yml @@ -16,6 +16,8 @@ jobs: steps: - name: Checkout head uses: actions/checkout@v5 + with: + persist-credentials: false - name: Fetch tags run: git fetch --prune --unshallow --tags - name: Get extension token diff --git a/.github/workflows/ensure-blocking-pr-labels-absent.yml b/.github/workflows/ensure-blocking-pr-labels-absent.yml index 5e0c0b68d8..aec225298c 100644 --- a/.github/workflows/ensure-blocking-pr-labels-absent.yml +++ b/.github/workflows/ensure-blocking-pr-labels-absent.yml @@ -16,9 +16,10 @@ jobs: pull-requests: read steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: false + persist-credentials: false - name: Run command uses: actions/github-script@v8 with: diff --git a/.github/workflows/lint-build-test.yml b/.github/workflows/lint-build-test.yml index 7035a90e6e..3fb453295c 100644 
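Review bot: The check-release action keeps `actions/checkout@v5` while the sibling check-merge-queue-changelogs action in the same commit (patch 2, first hunk) uses `actions/checkout@v6`, so the two composite actions now sit on different tracks under the `ref-pin` policy. Unless v5 is intentional, change the context line to `uses: actions/checkout@v6`; the same v5/v6 mix appears in create-update-issues.yml and main.yml versus lint-build-test.yml, and Dependabot (which patch 5 allows for `actions/*`) will otherwise keep bumping each one separately.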
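Review bot: In create-update-issues.yml the `git fetch --prune --unshallow --tags` step now runs on a checkout made with `persist-credentials: false`, so the fetch carries no token and only succeeds while the repository is anonymously readable. If that is intended, say so with a comment on the fetch step; otherwise fold the history and tag fetch into the checkout step, which uses the token at checkout time, by adding `fetch-depth: 0` under the new `with:` block and dropping the separate fetch step. The job definition starts outside the hunk.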
--- a/.github/workflows/lint-build-test.yml +++ b/.github/workflows/lint-build-test.yml @@ -14,9 +14,10 @@ jobs: child-workspace-package-names: ${{ steps.workspace-package-names.outputs.child-workspace-package-names }} steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: false + persist-credentials: false cache-node-modules: true node-version: ${{ matrix.node-version }} - name: Fetch workspace package names @@ -42,9 +43,10 @@ jobs: - readme-content:check steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: false + persist-credentials: false node-version: ${{ matrix.node-version }} - name: Run yarn ${{ matrix.script }} run: yarn "$SCRIPT" @@ -68,11 +70,14 @@ jobs: package-name: ${{ fromJson(needs.prepare.outputs.child-workspace-package-names) }} steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: false + persist-credentials: false node-version: ${{ matrix.node-version }} - - run: yarn workspace ${{ matrix.package-name }} changelog:validate + - run: yarn workspace "$PACKAGE_NAME" changelog:validate + env: + PACKAGE_NAME: ${{ matrix.package-name }} - name: Require clean working directory shell: bash run: | @@ -88,6 +93,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Validate changelog diffs uses: ./.github/actions/check-merge-queue-changelogs 
@@ -100,9 +107,10 @@ jobs: node-version: [24.x] steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: false + persist-credentials: false node-version: ${{ matrix.node-version }} - run: yarn build - name: Require clean working directory @@ -122,9 +130,10 @@ jobs: node-version: [24.x] steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: false + persist-credentials: false node-version: ${{ matrix.node-version }} - run: yarn test:scripts - name: Require clean working directory @@ -145,11 +154,14 @@ jobs: package-name: ${{ fromJson(needs.prepare.outputs.child-workspace-package-names) }} steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: false + persist-credentials: false node-version: ${{ matrix.node-version }} - - run: yarn workspace ${{ matrix.package-name }} run test + - run: yarn workspace "$PACKAGE_NAME" run test + env: + PACKAGE_NAME: ${{ matrix.package-name }} - name: Require clean working directory shell: bash run: | diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 781af33ae7..ec8f49a64d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -10,10 +10,16 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && github.sha || github.ref }} cancel-in-progress: ${{ !contains(github.ref, 'refs/heads/main') }} +permissions: + contents: read + jobs: check-skip-merge-queue: name: Check if pull request can skip merge queue runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read outputs: skip-merge-queue: ${{ steps.check-skip-merge-queue.outputs.up-to-date }} steps: 
@@ -28,15 +34,22 @@ jobs: - check-skip-merge-queue if: github.event_name != 'merge_group' || needs.check-skip-merge-queue.outputs.skip-merge-queue != 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v5 + with: + persist-credentials: false - name: Download actionlint id: download-actionlint run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/914e7df21a07ef503a81201c76d2b11c789d3fca/scripts/download-actionlint.bash) 1.7.12 shell: bash - name: Check workflow files - run: ${{ steps.download-actionlint.outputs.executable }} -color + run: | + "$ACTIONLINT" -color shell: bash + env: + ACTIONLINT: ${{ steps.download-actionlint.outputs.executable }} analyse-code: name: Analyse code @@ -87,6 +100,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v5 + with: + persist-credentials: false - name: Check release if: github.event_name != 'push' uses: ./.github/actions/check-release diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 1c627de3e7..0fe6b07a3f 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -21,9 +21,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: true + persist-credentials: false ref: ${{ github.sha }} - name: Build run: yarn build @@ -43,9 +44,10 @@ jobs: needs: build steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: true + persist-credentials: false ref: ${{ github.sha }} - name: Restore build artifacts uses: actions/download-artifact@v7 
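Review bot: The `Download actionlint` step in main.yml pipes `curl` output straight into `bash` without `-f`, so an HTTP error page from raw.githubusercontent.com would be executed as a script instead of failing the step; use `bash <(curl -fsSL https://raw.githubusercontent.com/rhysd/actionlint/914e7df21a07ef503a81201c76d2b11c789d3fca/scripts/download-actionlint.bash) 1.7.12`. The script commit is pinned, but whether that script verifies a checksum of the 1.7.12 binary it fetches is not visible from this hunk — if it does not, a checksum check after download would close the remaining gap. The new `ACTIONLINT` env plus quoted `"$ACTIONLINT" -color` invocation is the right shape for the run step.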
@@ -67,9 +69,10 @@ jobs: id-token: write steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: true + persist-credentials: false ref: ${{ github.sha }} - name: Restore build artifacts uses: actions/download-artifact@v7 @@ -88,9 +91,10 @@ jobs: needs: publish-npm steps: - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: true + persist-credentials: false ref: ${{ github.sha }} - uses: MetaMask/action-publish-release@v3 env: diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml index 5cdee87881..1901fea876 100644 --- a/.github/workflows/update-changelogs.yml +++ b/.github/workflows/update-changelogs.yml @@ -12,14 +12,15 @@ on: - ready_for_review permissions: - contents: write - pull-requests: write + contents: read jobs: is-fork: name: Determine whether this PR is from a fork if: (github.event_name == 'pull_request_target' && !github.event.pull_request.draft) || (github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot update-changelogs')) runs-on: ubuntu-latest + permissions: + pull-requests: read outputs: is-fork: ${{ steps.is-fork.outputs.is-fork }} steps: @@ -38,6 +39,9 @@ jobs: if: needs.is-fork.outputs.is-fork == 'false' runs-on: ubuntu-latest environment: default-branch + permissions: + contents: read + pull-requests: read outputs: is-release: ${{ steps.is-release.outputs.IS_RELEASE }} head-sha: ${{ steps.pr-info.outputs.pr-head-sha }} @@ -62,6 +66,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} fetch-depth: 0 + persist-credentials: false ref: ${{ steps.pr-info.outputs.pr-head-sha }} - name: Get merge base 
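Review bot: In the update-changelogs.yml checkout at hunk @@ -62, `token: ${{ secrets.GITHUB_TOKEN }}` is the documented default of actions/checkout, so with `persist-credentials: false` now added the explicit line conveys nothing; either drop it or add `# explicit GITHUB_TOKEN: the checkout must not use the app token obtained later` (or whatever the real reason is) so the next reader does not take it for a deliberate override. The step's job starts outside the hunk.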
@@ -104,6 +109,8 @@ jobs: pull_requests: write - name: Checkout repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: React to the comment run: | gh api \ @@ -140,6 +147,7 @@ jobs: with: ref: ${{ needs.is-release.outputs.merge-base }} token: ${{ steps.get-token.outputs.token }} + persist-credentials: false - name: Detach HEAD (to prevent accidental pushes) run: git checkout --detach HEAD @@ -207,11 +215,12 @@ jobs: NEW_COMMIT_ID: ${{ steps.commit-updated-changelogs.outputs.new-commit-id }} PR_HEAD_SHA: ${{ needs.is-release.outputs.head-sha }} PR_HEAD_REF: ${{ needs.is-release.outputs.head-ref }} + TOKEN: ${{ steps.get-token.outputs.token }} run: | if [[ -n "$NEW_COMMIT_ID" ]]; then git checkout "$PR_HEAD_SHA" git cherry-pick "$NEW_COMMIT_ID" - git push origin "HEAD:$PR_HEAD_REF" + git push "https://x-access-token:${TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "HEAD:$PR_HEAD_REF" echo "changes-pushed=true" >> "$GITHUB_OUTPUT" else echo "changes-pushed=false" >> "$GITHUB_OUTPUT" diff --git a/.github/zizmor.yml b/.github/zizmor.yml index 113a076267..88f67d6cc2 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -2,6 +2,13 @@ # https://docs.zizmor.sh/configuration/ rules: + dangerous-triggers: + ignore: + # `pull_request_target` is used safely here: The workflow checks whether + # the PR is from a fork before running, and write access is gated behind + # the `default-branch` environment. + - update-changelogs.yml:3:1 + unpinned-uses: config: policies: From 29b60f41fca2e5b6b0752eb18b7d85fd1bee3a7a Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Tue, 9 Jun 2026 11:14:26 +0200 Subject: [PATCH 3/8] Add Zizmor action --- .github/workflows/lint-build-test.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.github/workflows/lint-build-test.yml b/.github/workflows/lint-build-test.yml index 3fb453295c..d3b3d57804 100644 --- a/.github/workflows/lint-build-test.yml +++ b/.github/workflows/lint-build-test.yml 
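Review bot: The new `git push "https://x-access-token:${TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "HEAD:$PR_HEAD_REF"` line puts the app token on the command line, where it is visible to any other process on the runner and can surface in git's error output if the job log masking does not cover `steps.get-token.outputs.token` (whether that output is registered as a secret is not visible here). A safer hand-off is the same header mechanism actions/checkout uses, with the token read only from the env var: `git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic $(printf 'x-access-token:%s' "$TOKEN" | base64 -w0)"`, then `git push origin "HEAD:$PR_HEAD_REF"`, then `git config --local --unset-all http.https://github.com/.extraheader`. Alternatively, since the checkout at hunk @@ -140 on this line already receives the scoped app token, leaving `persist-credentials` at its default for that single step would keep the removed `git push origin` form working without the token in argv, at the cost of a justified zizmor ignore for that step. The step and its job start outside the hunk.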
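Review bot: The `dangerous-triggers` ignore in zizmor.yml is keyed on a position (`update-changelogs.yml:3:1`), which stops matching as soon as any edit shifts the `on:` block and then either re-surfaces the finding or mutes whatever lands on that line; when a whole-file suppression is acceptable the bare filename form `- update-changelogs.yml` is more robust, otherwise add `# keep in sync with the on: line of update-changelogs.yml` next to it. The justification says write access is gated behind the `default-branch` environment, but in the patched workflow the write-capable token comes from the `get-token` step rather than `GITHUB_TOKEN`, and whether that step's job also declares `environment: default-branch` is outside these hunks — confirm that before relying on the comment, and reword it to name the app token if so.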
@@ -60,6 +60,24 @@ jobs: exit 1 fi + lint-workflows: + name: Lint workflows + runs-on: ubuntu-latest + strategy: + matrix: + node-version: [24.x] + steps: + - name: Checkout repository + uses: actions/checkout@v6 + with: + persist-credentials: false + - name: Lint workflows + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d + with: + advanced-security: false + annotations: true + version: v1.25.2 + validate-changelog: name: Validate changelog runs-on: ubuntu-latest From ad1e873e547c815147a1f2fd94971b3db5c47d0b Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Tue, 9 Jun 2026 11:33:39 +0200 Subject: [PATCH 4/8] Remove Node version matrix from lint-workflows job --- .github/workflows/lint-build-test.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/lint-build-test.yml b/.github/workflows/lint-build-test.yml index d3b3d57804..13ef701b54 100644 --- a/.github/workflows/lint-build-test.yml +++ b/.github/workflows/lint-build-test.yml @@ -63,9 +63,6 @@ jobs: lint-workflows: name: Lint workflows runs-on: ubuntu-latest - strategy: - matrix: - node-version: [24.x] steps: - name: Checkout repository uses: actions/checkout@v6 From b1c5c63d34b92cc096594501053b7b312f769787 Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Tue, 9 Jun 2026 11:35:35 +0200 Subject: [PATCH 5/8] Add cooldown to Dependabot updates --- .github/dependabot.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index bcdf02f2d0..2e534de781 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,6 +7,8 @@ updates: directory: '/' schedule: interval: 'daily' + cooldown: + default-days: 3 allow: - dependency-name: '@metamask/*' versioning-strategy: 'increase' @@ -16,6 +18,8 @@ updates: schedule: interval: 'daily' time: '06:00' + cooldown: + default-days: 3 allow: - dependency-name: 'MetaMask/*' - dependency-name: 'actions/*' 
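Review bot: The new `lint-workflows` job declares no `permissions:` block, unlike the jobs touched in patch 2, so it inherits whatever the workflow or repository default grants; with `advanced-security: false` it should need only `permissions:` / `contents: read` (a SARIF-upload path, if enabled later, would additionally need `security-events: write`). The `zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d` pin would also benefit from the conventional trailing tag comment, `# <release tag the SHA belongs to>`, so readers and Dependabot can see which release is pinned. Pinning the CLI itself via `version: v1.25.2` is the right place for that value.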
From 5d7f60f3784664141c35cf8301ad68f1d895c13f Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Tue, 9 Jun 2026 11:39:53 +0200 Subject: [PATCH 6/8] Configure minimum Dependabot cooldown in Zizmor config --- .github/zizmor.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/zizmor.yml b/.github/zizmor.yml index 88f67d6cc2..f21fe080f5 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -9,6 +9,11 @@ rules: # the `default-branch` environment. - update-changelogs.yml:3:1 + dependabot-cooldown: + config: + # Change the minimum allowed cooldown period for Dependabot to 3 days. + days: 3 + unpinned-uses: config: policies: From 73a9ee218752894b7870dddb719b1af4e00aeee2 Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Tue, 9 Jun 2026 11:50:44 +0200 Subject: [PATCH 7/8] Enable force-setup in `action-checkout-and-setup@v3` --- .github/workflows/lint-build-test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/lint-build-test.yml b/.github/workflows/lint-build-test.yml index 13ef701b54..d792410afc 100644 --- a/.github/workflows/lint-build-test.yml +++ b/.github/workflows/lint-build-test.yml @@ -20,6 +20,7 @@ jobs: persist-credentials: false cache-node-modules: true node-version: ${{ matrix.node-version }} + force-setup: true - name: Fetch workspace package names id: workspace-package-names run: | From 8c3e3a11031834edc059f26e334b06732eb2a7de Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Tue, 9 Jun 2026 11:58:58 +0200 Subject: [PATCH 8/8] Remove unnecessary checkout step --- .github/workflows/update-changelogs.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml index 1901fea876..e42c107198 100644 --- a/.github/workflows/update-changelogs.yml +++ b/.github/workflows/update-changelogs.yml 
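Review bot: `force-setup: true` is added only to the prepare job's `MetaMask/action-checkout-and-setup@v3` step, with no comment on what it forces or why the other steps using the same action in this file (patch 2) do not need it; the intent is not recoverable from the hunk alone. Add a one-line comment above it, `# force-setup: <why this job needs it and the others do not>` with the placeholder replaced by the real reason, or apply the input consistently if it belongs on every job. The enclosing job starts outside the hunk.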
@@ -107,10 +107,6 @@ jobs: permissions: | contents: write pull_requests: write - - name: Checkout repository - uses: actions/checkout@v6 - with: - persist-credentials: false - name: React to the comment run: | gh api \