Set permissions; do not persist credentials. #162
@PatStLouis could you run zizmor locally and address the last two remaining concerns there? I'm less familiar with how you have this set up and what the cache needs are for this action. Thanks!
Caching in regards to Docker is mostly for optimization. Here's the relevant documentation: I can have a look at the tool you provided. I also see 2 comments in the Dockerfile linking to gh issues; I can look at the status of these, since it's been some time since this action was created.
Signed-off-by: PatStLouis <[email protected]>
@BigBlueHat I had a quick read through this guide outlining caching exploits. In the case of gh action builds, the only recommendation seems to be to avoid caching for the time being. I've removed the steps that used caching. For this use case, I think it's fair to say the impact would be minimal. This action is only triggered on a release and the impact will be a slower build time, which is fine as this is a small image.
No description provided.