A detailed walkthrough of hardening GitHub Actions workflows in PHPUnit, covering five classes of security weaknesses found by the static analyzer zizmor. Topics include: template injection via `${{ }}` expressions enabling Poisoned Pipeline Execution, credential persistence from `actions/checkout` writing tokens to disk, unpinned action references vulnerable to tag-moving attacks (as seen in the tj-actions/changed-files compromise), overly broad GITHUB_TOKEN permissions, and unnecessary third-party actions expanding the attack surface. Each finding is explained with an exploit scenario and a concrete fix, plus guidance on when to suppress a finding with documented justification rather than removing a necessary trigger.
Table of contents
- Script injection via template expansion
- Credential persistence after checkout
- Unpinned action references
- Overly broad permissions
- Unnecessary third-party actions
- Dangerous triggers and the art of the suppression