Security

In the following, we'll discuss some security considerations when using the release-plz GitHub action and how to mitigate them.

Using latest version

The examples provided in the documentation use the latest version of the release-plz GitHub action.

For example, the following snippet uses the v0.5 version of the release-plz GitHub action:

    jobs:
      release-plz:
        name: Release-plz
        runs-on: ubuntu-latest
        steps:
          - ...
          - name: Run release-plz
            uses: release-plz/action@v0.5

The v0.5 tag is moved to whatever the latest 0.5.x version is. This means that if the latest version of release-plz is 0.5.34, with v0.5 you will use that version. If tomorrow release-plz 0.5.35 is released, you will use that version without needing to update your workflow file.

While this is great for new features and bug fixes, it can also be a security risk.

⚠️ Risk: malicious code published on your crates.io crate

An attacker who manages to push and tag malicious code to the GitHub action repository could use your cargo registry token to push malicious code to your crate on crates.io. This means you or your users could download and run the malicious code.

✅ Solution: pin the action version

To mitigate this risk, you can use a specific version of the release-plz GitHub action. By specifying a commit hash, the action won't be updated automatically.

For example:

    jobs:
      release-plz:
        name: Release-plz
        runs-on: ubuntu-latest
        steps:
          - ...
          - name: Run release-plz
            uses: release-plz/action@63ab0c2746bedc448370bad4b0b3d536458398b0 # v0.5.50

This is the same approach used in the crates.io repository.

zizmor warning

zizmor is a static analysis tool for GitHub Actions. When you run it on the release-plz workflow, it will emit the artipacked warning:

    warning[artipacked]: credential persistence through GitHub Actions artifacts
      --> .github/workflows/release-plz.yml:24:9
       |
    24 |           - name: Checkout repository
       |  _________-
    25 | |           uses: actions/checkout@v4
    26 | |           with:
    27 | |             fetch-depth: 0
       | |________________________- does not set persist-credentials: false
       |
       = note: audit confidence → Low

This warning is emitted because the actions/checkout action does not set persist-credentials: false in the with section.

Unfortunately, persist-credentials needs to be set to true (the default) for the release-plz action to work, because release-plz needs the token that actions/checkout persists in the git configuration to run git commands like git tag and git push.

To solve the warning, set persist-credentials: true in the with section of the actions/checkout action:

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          persist-credentials: true
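As an added example (not part of the release-plz documentation or project), the following regex-based scanner checks a workflow file for the two issues covered above: a step pinned to a mutable tag instead of a full commit SHA, and an actions/checkout step with no explicit persist-credentials setting. It is a line scanner, not a full YAML parser, and the sample workflows and the checkout SHA are constructed placeholders.

```python
import re
# Constructed samples, not from the release-plz docs: the first has the two
# findings discussed above, the second is the hardened form (the checkout SHA
# is a placeholder; the release-plz SHA is the one quoted on this page).
UNPINNED_WORKFLOW = """\
jobs:
  release-plz:
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: release-plz/action@v0.5
"""
PINNED_WORKFLOW = """\
jobs:
  release-plz:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder
        with:
          fetch-depth: 0
          persist-credentials: true
      - uses: release-plz/action@63ab0c2746bedc448370bad4b0b3d536458398b0  # v0.5.50
"""
STEP_RE = re.compile(r"^\s*-\s")                            # a list item starts a step
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)")   # action@ref
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                      # immutable full commit SHA
PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*\S+")  # explicit setting present

def lint_workflow(text):
    """Return (line_no, message) findings for the workflow YAML in `text`."""
    findings = []
    checkout_line = None   # line of the actions/checkout step currently being scanned
    persist_seen = False   # whether that step sets persist-credentials explicitly
    def close_step():      # called when a step ends; reports a checkout without the setting
        if checkout_line is not None and not persist_seen:
            findings.append((checkout_line, "actions/checkout does not set persist-credentials"))
    for no, line in enumerate(text.splitlines(), 1):
        if STEP_RE.match(line):
            close_step()
            checkout_line, persist_seen = None, False
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()
            if not SHA_RE.match(ref):
                findings.append((no, f"{action} uses mutable ref {ref}; pin a full commit SHA"))
            if action == "actions/checkout":
                checkout_line = no
        elif PERSIST_RE.match(line):
            persist_seen = True
    close_step()
    return findings
```

Running lint_workflow on UNPINNED_WORKFLOW reports both the mutable tags and the missing persist-credentials setting; on PINNED_WORKFLOW it reports nothing.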