Harden security (#137)

* Add Zizmor as a pre-commit hook

* Pin all reusable actions

* Fix template injection, drop credential persistence

* Address all other issues

Author: agriyakhetarpal

.github/workflows/build.yml

@@ -10,16 +10,23 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   lint-and-test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    name: "Lint and Test"
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      with:
+        persist-credentials: false
 
     - name: Base Setup
-      uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
+      uses: jupyterlab/maintainer-tools/.github/actions/base-setup@affc83be6020d529b9368cd4d63e467877606600 # v1
 
     - name: Install dependencies
       run: python -m pip install -U "jupyterlab>=4.0.0,<5"
@@ -36,20 +43,23 @@ jobs:
         jlpm run test
 
   build:
+    name: Build JupyterLite extension
     runs-on: ubuntu-latest
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      with:
+        persist-credentials: false
 
     - name: Base Setup
-      uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
+      uses: jupyterlab/maintainer-tools/.github/actions/base-setup@affc83be6020d529b9368cd4d63e467877606600 # v1
 
     - name: Install dependencies
       run: python -m pip install -U "jupyterlab>=4.0.0,<5"
 
     - name: Restore Playwright browsers cache
-      uses: actions/cache@v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
       with:
         path: /home/runner/.cache/ms-playwright
         key: playwright-browsers-${{ runner.os }}-v1
@@ -74,29 +84,35 @@ jobs:
         pip uninstall -y "jupytereverywhere" jupyterlab
 
     - name: Upload extension packages
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: extension-artifacts
         path: dist/jupytereverywhere*
         if-no-files-found: error
 
   lite:
+    name: Build JupyterLite app
     needs: build
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      with:
+        persist-credentials: false
 
     - name: Setup Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
       with:
         python-version: '3.11'
 
     - name: Install micromamba
       uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2.0.5
 
-    - uses: actions/download-artifact@v4
+    - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
       with:
         name: extension-artifacts
 
@@ -123,14 +139,14 @@ jobs:
         jlpm build:all
 
     - name: Upload artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: lite-app
         path: ./dist
         if-no-files-found: error
 
     - name: Upload GitHub Pages artifact
-      uses: actions/upload-pages-artifact@v3
+      uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
       with:
         path: ./dist
 
@@ -146,7 +162,7 @@ jobs:
 
 
     - name: Upload artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: lite-app-test
         path: ./dist-test
@@ -168,6 +184,7 @@ jobs:
         echo 'Press ctrl + c to stop the server.' >> $GITHUB_STEP_SUMMARY
 
   deploy:
+    name: Deploy to GitHub Pages and Netlify
     needs: lite
     if: github.ref == 'refs/heads/main'
     permissions:
@@ -182,7 +199,7 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
 
   deploy-netlify:
     needs: lite
@@ -191,13 +208,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download lite app
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           name: lite-app
           path: dist
 
       - name: Publish to Netlify
-        uses: netlify/actions/cli@3185065f4ab2f6df6f2ef41ee013626e1c02a426
+        uses: netlify/actions/cli@3185065f4ab2f6df6f2ef41ee013626e1c02a426 # 3185065f4ab2f6df6f2ef41ee013626e1c02a426
         with:
           args: deploy --dir=dist --prod
         env:
@@ -206,16 +223,17 @@ jobs:
 
 
   test_isolated:
+    name: Isolated extension test
     needs: build
     runs-on: ubuntu-latest
 
     steps:
     - name: Install Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
       with:
         python-version: '3.9'
         architecture: 'x64'
-    - uses: actions/download-artifact@v4
+    - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
       with:
         name: extension-artifacts
     - name: Install and Test
@@ -242,13 +260,15 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      with:
+        persist-credentials: false
 
     - name: Base Setup
-      uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
+      uses: jupyterlab/maintainer-tools/.github/actions/base-setup@affc83be6020d529b9368cd4d63e467877606600 # v1
 
     - name: Download lite app (test mode)
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
       with:
         name: lite-app-test
         path: dist
@@ -266,7 +286,7 @@ jobs:
       run: jlpm install
 
     - name: Set up browser cache
-      uses: actions/cache@v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
       with:
         path: |
           ${{ github.workspace }}/pw-browsers
@@ -283,7 +303,7 @@ jobs:
 
     - name: Upload Playwright Test report
       if: always()
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: jupytereverywhere-playwright-tests
         path: |

.github/workflows/check-release.yml

@@ -9,22 +9,29 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   check_release:
+    name: Check Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
       - name: Base Setup
-        uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
+        uses: jupyterlab/maintainer-tools/.github/actions/base-setup@affc83be6020d529b9368cd4d63e467877606600 # v1
       - name: Check Release
-        uses: jupyter-server/jupyter_releaser/.github/actions/check-release@v2
+        uses: jupyter-server/jupyter_releaser/.github/actions/check-release@6accaa3c07b69acaa1e14e00ba138133d8cbe879 # v2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           steps_to_skip: build-changelog
 
       - name: Upload Distributions
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: jupytereverywhere-releaser-dist-${{ github.run_number }}
           path: .jupyter_releaser_checkout/dist

.github/workflows/enforce-label.yml

@@ -1,13 +1,16 @@
 name: Enforce PR label
 
+permissions: {}
+
 on:
   pull_request:
     types: [labeled, unlabeled, opened, edited, synchronize]
 jobs:
   enforce-label:
+    name: Enforce labels on PRs
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
     steps:
       - name: enforce-triage-label
-        uses: jupyterlab/maintainer-tools/.github/actions/enforce-label@v1
+        uses: jupyterlab/maintainer-tools/.github/actions/enforce-label@affc83be6020d529b9368cd4d63e467877606600 # v1

.github/workflows/prep-release.yml

@@ -23,17 +23,21 @@ on:
         description: "Use PRs with activity since the last stable git tag"
         required: false
         type: boolean
+
+permissions: {}
+
 jobs:
   prep_release:
+    name: "Prep Release"
     runs-on: ubuntu-latest
     permissions:
       contents: write
     steps:
-      - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
+      - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@affc83be6020d529b9368cd4d63e467877606600 # v1
 
       - name: Prep Release
         id: prep-release
-        uses: jupyter-server/jupyter_releaser/.github/actions/prep-release@v2
+        uses: jupyter-server/jupyter_releaser/.github/actions/prep-release@6accaa3c07b69acaa1e14e00ba138133d8cbe879 # v2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           version_spec: ${{ github.event.inputs.version_spec }}
@@ -45,4 +49,6 @@ jobs:
 
       - name: "** Next Step **"
         run: |
-          echo "Optional): Review Draft Release: ${{ steps.prep-release.outputs.release_url }}"
+          echo "Optional): Review Draft Release: ${STEPS_PREP_RELEASE_OUTPUTS_RELEASE_URL}"
+        env:
+          STEPS_PREP_RELEASE_OUTPUTS_RELEASE_URL: ${{ steps.prep-release.outputs.release_url }}

.github/workflows/publish-release.yml

@@ -12,24 +12,28 @@ on:
         description: "Comma separated list of steps to skip"
         required: false
 
+permissions: {}
+
 jobs:
   publish_release:
+    name: "Publish Release"
     runs-on: ubuntu-latest
     environment: release
     permissions:
+      contents: write
       id-token: write
     steps:
-      - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
+      - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@affc83be6020d529b9368cd4d63e467877606600 # v1
 
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
         id: app-token
         with:
           app-id: ${{ vars.APP_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
 
       - name: Populate Release
         id: populate-release
-        uses: jupyter-server/jupyter_releaser/.github/actions/populate-release@v2
+        uses: jupyter-server/jupyter_releaser/.github/actions/populate-release@6accaa3c07b69acaa1e14e00ba138133d8cbe879 # v2
         with:
           token: ${{ steps.app-token.outputs.token }}
           branch: ${{ github.event.inputs.branch }}
@@ -40,7 +44,7 @@ jobs:
         id: finalize-release
         env:
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-        uses: jupyter-server/jupyter_releaser/.github/actions/finalize-release@v2
+        uses: jupyter-server/jupyter_releaser/.github/actions/finalize-release@6accaa3c07b69acaa1e14e00ba138133d8cbe879 # v2
         with:
           token: ${{ steps.app-token.outputs.token }}
           release_url: ${{ steps.populate-release.outputs.release_url }}
@@ -49,10 +53,14 @@ jobs:
         if: ${{ success() }}
         run: |
           echo "Verify the final release"
-          echo ${{ steps.finalize-release.outputs.release_url }}
+          echo ${STEPS_FINALIZE_RELEASE_OUTPUTS_RELEASE_URL}
+        env:
+          STEPS_FINALIZE_RELEASE_OUTPUTS_RELEASE_URL: ${{ steps.finalize-release.outputs.release_url }}
 
       - name: "** Failure Message **"
         if: ${{ failure() }}
         run: |
           echo "Failed to Publish the Draft Release Url:"
-          echo ${{ steps.populate-release.outputs.release_url }}
+          echo ${STEPS_POPULATE_RELEASE_OUTPUTS_RELEASE_URL}
+        env:
+          STEPS_POPULATE_RELEASE_OUTPUTS_RELEASE_URL: ${{ steps.populate-release.outputs.release_url }}