# ADR 049: Zizmor & actionlint (GitHub Actions Security)

- HTML version: https://robbiepalmer.me/projects/recipe-site/adrs/046-zizmor
- Project: Recipe Site (https://robbiepalmer.me/projects/recipe-site.md)
- Status: Accepted
- Date: 2026-06-27
- Inherited from project: personal-site (https://robbiepalmer.me/projects/personal-site/adrs/049-zizmor.md)

# Additional Context for Recipe Site

The recipe site is where the workflow-security risk concentrates. The
preview-environment workflows provision a per-PR Neon Postgres branch and an
isolated Cloudflare Worker for the backend (`workers/recipe-api`), so they handle
Neon and Cloudflare secrets on pull requests. That is why zizmor's checks on the
trigger model, `GITHUB_ENV` use, and least-privilege permissions matter most for
the recipe site's CI.
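
The three risk classes named above, sketched as simplified line-based checks over two constructed workflows. This is an added example, not zizmor's implementation and not the recipe site's actual workflow files; the secret name `NEON_API_KEY`, the script `deploy-preview.sh` and the finding labels are assumptions made for illustration.

```python
import re

# Constructed workflows for illustration (hypothetical secret and script names).
WEAK = """\
on: pull_request_target
jobs:
  preview:
    runs-on: ubuntu-latest
    steps:
      - run: echo "BRANCH=${{ github.head_ref }}" >> "$GITHUB_ENV"
      - run: ./deploy-preview.sh
        env:
          NEON_API_KEY: ${{ secrets.NEON_API_KEY }}
"""
HARDENED = """\
on: pull_request
permissions:
  contents: read
jobs:
  preview:
    runs-on: ubuntu-latest
    steps:
      - run: ./deploy-preview.sh
        env:
          BRANCH: ${{ github.head_ref }}
          NEON_API_KEY: ${{ secrets.NEON_API_KEY }}
"""

def audit(workflow: str) -> list[str]:
    """Return this example's own labels for the risk classes found in the text."""
    findings = []
    # Trigger model: these triggers run in the base repository's context, with its secrets.
    if re.search(r"\b(pull_request_target|workflow_run)\b", workflow):
        findings.append("dangerous-trigger")
    # GITHUB_ENV: a step appending to it sets environment variables for later steps.
    if re.search(r'>>\s*"?\$\{?GITHUB_ENV\b', workflow):
        findings.append("github-env-write")
    # Least privilege: with no permissions block the default GITHUB_TOKEN scope applies.
    if not re.search(r"^\s*permissions:", workflow, re.M):
        findings.append("default-permissions")
    elif re.search(r"^\s*permissions:\s*write-all\b", workflow, re.M):
        findings.append("write-all-permissions")
    return findings

if __name__ == "__main__":
    for name, wf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(wf))
```

The hardened variant passes the branch name through `env:` instead of writing it to `GITHUB_ENV`, and declares a read-only token scope explicitly.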

