You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
github.ref_name may expand into attacker-controllable code
205
205
206
-
You can also set up `zizmor` as a pre-commit hook. pyOpenSci plans to do this in the near future, but here is an example of it [setup for core Python](https://github.com/python/cpython/pull/127749/files#diff-63a9c44a44acf85fea213a857769990937107cf072831e1a26808cfde9d096b9R64).
206
+
You can also set up `zizmor` as a pre-commit hook. pyOpenSci plans to do this in the near future, but here is an example of it [set up for core Python](https://github.com/python/cpython/pull/127749/files#diff-63a9c44a44acf85fea213a857769990937107cf072831e1a26808cfde9d096b9R64).
207
207
208
-
Pre-commit hooks run checks every time you commit a file to git history. [Learn more about using them here.](https://www.pyopensci.org/python-package-guide/package-structure-code/code-style-linting-format.html#use-pre-commit-hooks-to-run-code-formatters-and-linters-on-commits)
208
+
Pre-commit hooks run checks every time you commit a file to Git history. [Learn more about using them here.](https://www.pyopensci.org/python-package-guide/package-structure-code/code-style-linting-format.html#use-pre-commit-hooks-to-run-code-formatters-and-linters-on-commits)
209
209
210
210
211
211
212
212
## Other security measures you can consider
213
213
214
-
There are other things that we can learn too from the recent breach. Many of htese will be identified if you setup zizmor. These are discussed below.
214
+
There are other things that we can learn too from the recent breach. Many of these will be identified if you set up zizmor. These are discussed below.
215
215
216
216
217
217
### Sanitize branch names in your workflow
@@ -242,7 +242,7 @@ To prevent this, [sanitize or clean](https://docs.github.com/en/get-started/usin
242
242
remove unsafe characters:
243
243
244
244
245
-
```
245
+
```yaml
246
246
jobs:
247
247
example-job:
248
248
runs-on: ubuntu-latest
@@ -267,7 +267,7 @@ Also consider:
267
267
268
268
### 🚫 Avoid `pull_request_target` and consider release-based workflows
269
269
270
-
A trigger event in a GitHub action is an event that sets off an action to run. For instance, you might have a trigger that runs a linter like Black or Ruff when a new pull request is opened.
270
+
A trigger event in a GitHub Action is an event that sets off an action to run. For instance, you might have a trigger that runs a linter like Black or Ruff when a new pull request is opened.
271
271
272
272
The [`pull_request_target`](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target) trigger event in GitHub Actions that Ultralytics used allows workflows to run with elevated permissions on the base branch, even when triggered by changes from a fork. Thus, your workflow becomes vulnerable when used as a trigger to push a release to PyPI.
273
273
@@ -276,7 +276,7 @@ Instead of a pull_request_target or a pull_request, consider adopting a **releas
276
276
- Triggers publication workflows only on new versioned releases. You can lock down which maintainers are allowed to create releases using GitHub permissions
277
277
- Ensure workflows related to publishing are explicitly scoped to `release` events.
278
278
279
-
In the example GitHub action .yaml file below, you see a `release` trigger defined. This tells the action to only trigger the workflow when you publish a release.
279
+
In the example GitHub Action `.yaml` file below, you see a `release` trigger defined. This tells the action to only trigger the workflow when you publish a release.
0 commit comments