From 789dc98f7748c3461fad02608fad327afb8c96c3 Mon Sep 17 00:00:00 2001 From: Oleg Date: Sat, 8 Mar 2025 09:21:05 +0100 Subject: [PATCH 1/5] Add zizmor pre-commit hook --- .pre-commit-config.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0999049..9ca8d1a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -14,6 +14,10 @@ repos: - id: mixed-line-ending args: [--fix, lf] - id: trailing-whitespace + - repo: https://github.com/woodruffw/zizmor-pre-commit + rev: v1.4.1 + hooks: + - id: zizmor # test harness specific hooks - repo: https://github.com/dustinsand/pre-commit-jvm From d2ee53e1e553ccbecfefad8d0af9bfb09be3274e Mon Sep 17 00:00:00 2001 From: Oleg Date: Sat, 8 Mar 2025 09:23:36 +0100 Subject: [PATCH 2/5] Disable all permissions by default --- .github/workflows/build-all.yml | 2 ++ .github/workflows/build.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.github/workflows/build-all.yml b/.github/workflows/build-all.yml index 3167aed..3a0ef8e 100644 --- a/.github/workflows/build-all.yml +++ b/.github/workflows/build-all.yml @@ -6,6 +6,8 @@ on: env: IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} +permissions: {} + jobs: versions: runs-on: ubuntu-latest diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index eed4251..31bac52 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -14,6 +14,8 @@ concurrency: group: images-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: meta: runs-on: ubuntu-latest From 74807612b1c62c1848978c1e93a05a17e65da032 Mon Sep 17 00:00:00 2001 From: Oleg Date: Sat, 8 Mar 2025 09:26:02 +0100 Subject: [PATCH 3/5] Do not persist credential on checkout --- .github/workflows/build-all.yml | 2 ++ .github/workflows/build.yml | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/build-all.yml b/.github/workflows/build-all.yml index 3a0ef8e..cd66fb1 100644 
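Review bot: Setting `permissions: {}` at the top of build-all.yml and build.yml strips every scope from `GITHUB_TOKEN`, but neither hunk (nor any later hunk in this series) adds job-level permissions back for the jobs that need them. The `Log in to ghcr.io` and `Publish` steps seen later in the series need `packages: write` if they authenticate with `GITHUB_TOKEN`, and the release job in build.yml that POSTs to `/git/refs` and `/releases` needs `contents: write`. If those jobs already carry their own `permissions:` block outside these hunks this is fine; otherwise add a job-level `permissions:` with `packages: write` under each publishing job and `contents: write` under the release job, keeping the workflow-level default empty. The enclosing `jobs:` mapping continues outside both hunks.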
--- a/.github/workflows/build-all.yml +++ b/.github/workflows/build-all.yml @@ -16,6 +16,7 @@ jobs: steps: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 fetch-tags: true - name: Collect available versions @@ -39,6 +40,7 @@ jobs: steps: - uses: actions/checkout@v4 with: + persist-credentials: false ref: ${{ matrix.revision }} - name: Compute implementation name diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 31bac52..2ec2857 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -24,6 +24,8 @@ jobs: implementation-name: ${{ steps.impl.outputs.name }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install bowtie uses: bowtie-json-schema/bowtie@main @@ -56,6 +58,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install bowtie uses: bowtie-json-schema/bowtie@main From 318220ec3299667d3b7437346c359eee02c9477a Mon Sep 17 00:00:00 2001 From: Oleg Date: Sat, 8 Mar 2025 09:36:49 +0100 Subject: [PATCH 4/5] Defend against template injection --- .github/workflows/build-all.yml | 23 +++++++++++++++++------ .github/workflows/build.yml | 33 ++++++++++++++++++++++++--------- 2 files changed, 41 insertions(+), 15 deletions(-) diff --git a/.github/workflows/build-all.yml b/.github/workflows/build-all.yml index cd66fb1..f26c381 100644 --- a/.github/workflows/build-all.yml +++ b/.github/workflows/build-all.yml @@ -45,7 +45,9 @@ jobs: - name: Compute implementation name id: impl - run: echo "name=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_OUTPUT + env: + GH_REPOSITORY: ${{ github.repository }} + run: echo "name=$(echo '${GH_REPOSITORY}' | awk -F '/' '{print $2}')" >> $GITHUB_OUTPUT - name: Install bowtie uses: bowtie-json-schema/bowtie@main 
@@ -69,20 +71,26 @@ jobs: echo "DOCKER_HOST=unix://$(podman info --format '{{.Host.RemoteSocket.Path}}')" >> $GITHUB_ENV - name: Smoke Test + env: + IMAGE_WITH_TAG: ${{ steps.build_image.outputs.image-with-tag }} run: | - bowtie smoke -i "localhost/${{ steps.build_image.outputs.image-with-tag }}" --format json - bowtie smoke -i "localhost/${{ steps.build_image.outputs.image-with-tag }}" --format markdown >> $GITHUB_STEP_SUMMARY + bowtie smoke -i "localhost/${IMAGE_WITH_TAG}" --format json + bowtie smoke -i "localhost/${IMAGE_WITH_TAG}" --format markdown >> $GITHUB_STEP_SUMMARY - name: Collect current version id: current-version + env: + IMAGE_WITH_TAG: ${{ steps.build_image.outputs.image-with-tag }} run: | version=$(bowtie info \ - --implementation "localhost/${{ steps.build_image.outputs.image-with-tag }}" \ + --implementation "localhost/${IMAGE_WITH_TAG}" \ --format json | jq -r '.version // empty') echo "value=${version}" >> $GITHUB_OUTPUT - name: Print collected version - run: echo "current_version=${{ steps.current-version.outputs.value }}" + env: + CURRENT_VERSION: ${{ steps.current-version.outputs.value }} + run: echo "current_version=${CURRENT_VERSION}" - name: Log in to ghcr.io uses: redhat-actions/podman-login@v1 @@ -92,7 +100,10 @@ jobs: registry: ${{ env.IMAGE_REGISTRY }} - name: Add tag with version to the image - run: podman tag ${{ steps.build_image.outputs.image-with-tag }} ${{ steps.build_image.outputs.image }}:${{ steps.current-version.outputs.value }} + env: + IMAGE_WITH_TAG: ${{ steps.build_image.outputs.image-with-tag }} + IMAGE_WITH_VERSION: "${{ steps.build_image.outputs.image }}:${{ steps.current-version.outputs.value }}" + run: podman tag ${IMAGE_WITH_TAG} ${IMAGE_WITH_VERSION} - name: Publish id: push diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2ec2857..ade4028 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
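Review bot: The expansions in `run: podman tag ${IMAGE_WITH_TAG} ${IMAGE_WITH_VERSION}` are unquoted, so moving the values into `env:` closes the expression-injection path but a value containing whitespace or glob characters would still be word-split by the shell; write `run: podman tag "${IMAGE_WITH_TAG}" "${IMAGE_WITH_VERSION}"`. The same applies to the identical step in build.yml (hunk `@@ -112,7 +123,10 @@`). Separately, and not introduced by this commit, `current-version` is produced by `jq -r '.version // empty'`, so an empty result makes `IMAGE_WITH_VERSION` end in a bare `:`; consider failing the `Collect current version` step when `version` is empty rather than letting `podman tag` report it.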
@@ -32,13 +32,17 @@ jobs: - name: Compute implementation name id: impl - run: echo "name=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_OUTPUT + env: + GH_REPOSITORY: ${{ github.repository }} + run: echo "name=$(echo '${GH_REPOSITORY}' | awk -F '/' '{print $2}')" >> $GITHUB_OUTPUT - name: Compute latest implementation version id: version + env: + IMPL_NAME: ${{ steps.impl.outputs.name }} run: | version=$(bowtie info \ - --implementation ${{ steps.impl.outputs.name }} \ + --implementation ${IMPL_NAME} \ --format json | jq -r '.version // empty') echo "value=${version}" >> $GITHUB_OUTPUT @@ -88,20 +92,27 @@ jobs: enable-cache: true - name: Smoke Test + env: + IMAGE_WITH_TAG: ${{ steps.build_image.outputs.image-with-tag }} run: | - bowtie smoke -i "localhost/${{ steps.build_image.outputs.image-with-tag }}" --format json - bowtie smoke -i "localhost/${{ steps.build_image.outputs.image-with-tag }}" --format markdown >> $GITHUB_STEP_SUMMARY + bowtie smoke -i "localhost/${IMAGE_WITH_TAG}" --format json + bowtie smoke -i "localhost/${IMAGE_WITH_TAG}" --format markdown >> $GITHUB_STEP_SUMMARY - name: Collect current version id: current-version + env: + IMAGE_WITH_TAG: ${{ steps.build_image.outputs.image-with-tag }} run: | version=$(bowtie info \ - --implementation "localhost/${{ steps.build_image.outputs.image-with-tag }}" \ + --implementation "localhost/${IMAGE_WITH_TAG}" \ --format json | jq -r '.version // empty') echo "value=${version}" >> $GITHUB_OUTPUT - name: Print collected versions - run: echo "latest_version=${{ needs.meta.outputs.latest-version }}; current_version=${{ steps.current-version.outputs.value }}" + env: + LATEST_VERSION: ${{ needs.meta.outputs.latest-version }} + CURRENT_VERSION: ${{ steps.current-version.outputs.value }} + run: echo "latest_version=${LATEST_VERSION}; current_version=${CURRENT_VERSION}" - name: Log in to ghcr.io uses: redhat-actions/podman-login@v1 
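Review bot: In the `Compute latest implementation version` step the new `--implementation ${IMPL_NAME} \` is unquoted, while the sibling steps in the same file quote their env expansions (`"localhost/${IMAGE_WITH_TAG}"`); for consistency and to avoid word splitting write `--implementation "${IMPL_NAME}" \`. The rest of the `bowtie info` invocation is unchanged. The `meta` job whose step this is starts outside the hunk.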
@@ -112,7 +123,10 @@ jobs: if: github.event_name == 'push' && github.ref == 'refs/heads/main' - name: Add tag with version to the image - run: podman tag ${{ steps.build_image.outputs.image-with-tag }} ${{ steps.build_image.outputs.image }}:${{ steps.current-version.outputs.value }} + env: + IMAGE_WITH_TAG: ${{ steps.build_image.outputs.image-with-tag }} + IMAGE_WITH_VERSION: "${{ steps.build_image.outputs.image }}:${{ steps.current-version.outputs.value }}" + run: podman tag ${IMAGE_WITH_TAG} ${IMAGE_WITH_VERSION} if: github.event_name == 'push' && github.ref == 'refs/heads/main' - name: Publish @@ -144,6 +158,7 @@ jobs: env: TAG: v${{ needs.meta.outputs.latest-version }} COMMIT: ${{ github.event.before }} + GH_REPOSITORY: ${{ github.repository }} steps: @@ -156,7 +171,7 @@ jobs: --method POST -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" - /repos/${{ github.repository }}/git/refs + /repos/${GH_REPOSITORY}/git/refs -f "ref=refs/tags/$TAG" -f "sha=$COMMIT" @@ -168,7 +183,7 @@ jobs: --method POST -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" - /repos/${{ github.repository }}/releases + /repos/${GH_REPOSITORY}/releases -f "tag_name=$TAG" -f "name=$TAG" -f "body=Automatic release for $TAG" From 1fd50d1fcbf6a2f3de75f6b2b351aeaea985e2eb Mon Sep 17 00:00:00 2001 From: Oleg Date: Sat, 8 Mar 2025 09:40:08 +0100 Subject: [PATCH 5/5] Correct shell interpolation --- .github/workflows/build-all.yml | 2 +- .github/workflows/build.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-all.yml b/.github/workflows/build-all.yml index f26c381..d754018 100644 --- a/.github/workflows/build-all.yml +++ b/.github/workflows/build-all.yml 
@@ -47,7 +47,7 @@ jobs: id: impl env: GH_REPOSITORY: ${{ github.repository }} - run: echo "name=$(echo '${GH_REPOSITORY}' | awk -F '/' '{print $2}')" >> $GITHUB_OUTPUT + run: echo "name=$(echo ${GH_REPOSITORY} | awk -F '/' '{print $2}')" >> $GITHUB_OUTPUT - name: Install bowtie uses: bowtie-json-schema/bowtie@main diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ade4028..f6d8117 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -34,7 +34,7 @@ jobs: id: impl env: GH_REPOSITORY: ${{ github.repository }} - run: echo "name=$(echo '${GH_REPOSITORY}' | awk -F '/' '{print $2}')" >> $GITHUB_OUTPUT + run: echo "name=$(echo ${GH_REPOSITORY} | awk -F '/' '{print $2}')" >> $GITHUB_OUTPUT - name: Compute latest implementation version id: version
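Review bot: `echo ${GH_REPOSITORY}` repairs the literal-`'${GH_REPOSITORY}'` expansion from the previous patch but leaves the variable unquoted, and the `echo | awk` pipeline reproduces what a parameter expansion does directly; `run: echo "name=${GH_REPOSITORY#*/}" >> "$GITHUB_OUTPUT"` yields the same `owner/name` to `name` result (assuming `github.repository` is always of that two-part form) with no subshell and a quoted redirect target. The same replacement applies to the build.yml hunk in this patch (`@@ -34,7 +34,7 @@`).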