From ea078028fafd5f532ab6358653fad8a34ac9b814 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Tue, 8 Jul 2025 19:05:24 -0400
Subject: [PATCH 1/3] CI: harden GHA configuration

This adjusts the defaults per suggestions of zizmor to reduce possible risks from giving GHA tasks more permissions that required.
---
 .github/workflows/docs.yml | 2 ++
 .github/workflows/flake8.yml | 2 ++
 .github/workflows/publish-docs.yml | 3 ++-
 .github/workflows/python-publish.yml | 2 ++
 .github/workflows/testing.yml | 2 ++
 5 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 4249a85..f135f5e 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -14,6 +14,8 @@ jobs: steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v2
diff --git a/.github/workflows/flake8.yml b/.github/workflows/flake8.yml
index 25dabb3..dec2734 100644
--- a/.github/workflows/flake8.yml
+++ b/.github/workflows/flake8.yml
@@ -10,6 +10,8 @@ jobs: steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - uses: actions/setup-python@v2
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index 7382c4b..dd27848 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -26,7 +26,8 @@ jobs: - uses: actions/checkout@v2 with: - fetch-depth: 1000 # should be enough to reach the most recent tag + fetch-depth: 1000 + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v2
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index 66dc760..f0057e9 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
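Review bot: The checkout step this hunk extends still references `actions/checkout@v2` by a mutable major tag, and `actions/setup-python@v2` two lines below is referenced the same way; zizmor's unpinned-uses audit reports tag references, and this same repository already pins `peaceiris/actions-gh-pages` to a full commit SHA in publish-docs.yml with a comment explaining that it does so for security reasons. Applying that existing convention here would read `- uses: actions/checkout@<full commit SHA> # <release tag>`, and both v2 lines are several major releases behind, so upgrading before pinning avoids freezing an end-of-life action runtime. The flake8.yml, publish-docs.yml, python-publish.yml and testing.yml hunks of this patch reference the same two actions and would take the same change. The job these steps belong to starts outside the hunk.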
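Review bot: In the publish-docs.yml hunk the inline comment that justified the depth (`# should be enough to reach the most recent tag`) is dropped together with the old `fetch-depth` line, so the new `fetch-depth: 1000` is left as a bare magic number. Keep the rationale on a comment line of its own above the key, e.g. `# 1000 should be enough to reach the most recent tag` followed by `fetch-depth: 1000`, which also sidesteps the long-line reason the comment was presumably removed. The checkout step's job starts outside the hunk.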
@@ -14,6 +14,8 @@ jobs: steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@v2 with:
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index 05189ad..e453426 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -13,6 +13,8 @@ jobs: steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v2 with:

From f3447dc89024c5e07034f658b76f673184239166 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Tue, 8 Jul 2025 20:25:33 -0400
Subject: [PATCH 2/3] CI: Restrict default permissions

Reduces risk of arbitrary code is run by attacker.
---
 .github/workflows/docs.yml | 2 ++
 .github/workflows/flake8.yml | 2 ++
 .github/workflows/testing.yml | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index f135f5e..1d6153d 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,4 +1,6 @@ name: Documentation +permissions: + contents: read on: [push, pull_request]
diff --git a/.github/workflows/flake8.yml b/.github/workflows/flake8.yml
index dec2734..ed14cd7 100644
--- a/.github/workflows/flake8.yml
+++ b/.github/workflows/flake8.yml
@@ -1,4 +1,6 @@ name: Check Code Style +permissions: + contents: read on: [push, pull_request]
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index e453426..377e3a6 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -1,4 +1,6 @@ name: Unit Tests +permissions: + contents: read on: [push, pull_request]

From a429996292d776b94d11ad0be2fb81a360793f77 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Tue, 8 Jul 2025 21:10:18 -0400
Subject: [PATCH 3/3] STY: update whitespace in yaml

---
 .github/workflows/publish-docs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
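Review bot: The top-level `permissions: contents: read` added in the docs.yml hunk of PATCH 2 is repeated only in flake8.yml and testing.yml, while publish-docs.yml and python-publish.yml, the two workflows in this series that deploy or publish, are left at the repository's default token permissions, which is the gap the commit title says it closes. Add the same read-only default at the top of those two files and grant any extra scope at job level on the job that needs it; publish-docs.yml deploys through `deploy_key: ${{ secrets.ACTIONS_DOCUMENTATION_DEPLOY_KEY }}` rather than the workflow token, so it likely needs nothing beyond `contents: read`, whereas python-publish.yml's needs (for instance `id-token: write` if it uses trusted publishing) are not visible here and must be checked before restricting. The flake8.yml and testing.yml hunks of this patch carry the same remark. The blank context lines of these hunks were lost in the collapsed rendering, so the exact placement of the new block relative to `on:` cannot be confirmed from here.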
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index dd27848..27c0a63 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -52,7 +52,7 @@ jobs: - name: Deploy documentation # We pin to the SHA, not the tag, for security reasons. # https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions - uses: peaceiris/actions-gh-pages@bbdfb200618d235585ad98e965f4aafc39b4c501 # v3.7.3 + uses: peaceiris/actions-gh-pages@bbdfb200618d235585ad98e965f4aafc39b4c501 # v3.7.3 with: deploy_key: ${{ secrets.ACTIONS_DOCUMENTATION_DEPLOY_KEY }} publish_branch: master