From a65e0eec9443f1dfa4f9f4a6f21e1a31c8023b1d Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 21:01:41 -0400
Subject: [PATCH 1/5] CI: pin actions by SHA

This eliminates the possibility of a tag being changed under us.
---
 .github/workflows/check-test-coverage.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/check-test-coverage.yml b/.github/workflows/check-test-coverage.yml
index 5349300..49a57c4 100644
--- a/.github/workflows/check-test-coverage.yml
+++ b/.github/workflows/check-test-coverage.yml
@@ -23,7 +23,7 @@ jobs:
 export MPL_IMGCOMP_TOLERANCE=20
 coverage run -m pytest --mpl --doctest-glob="probscale/*.py" --cov-report=xml
 - name: Upload coverage to Codecov
- uses: codecov/codecov-action@v1
+ uses: codecov/codecov-action@29386c70ef20e286228c72b668a06fd0e8399192 # v1
 with:
 # directory: ./coverage/reports/
 flags: unittests

From f6370995544c269cf630d46613b3b2a774bd2fe1 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:06:47 -0400
Subject: [PATCH 2/5] CI: auto-fix via zizmor

May include:
- Avoids risky string interpolation.
- Prevents checkout premissions from leaking
---
 .github/workflows/black.yml | 2 ++
 .github/workflows/check-test-coverage.yml | 2 ++
 .github/workflows/python-publish.yml | 2 ++
 .github/workflows/python-runlinter.yml | 2 ++
 .github/workflows/python-runtests-all.yml | 2 ++
 5 files changed, 10 insertions(+)

diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
index f9edcea..34d979c 100644
--- a/.github/workflows/black.yml
+++ b/.github/workflows/black.yml
@@ -7,4 +7,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
+ with:
+ persist-credentials: false
 - uses: psf/black@stable
diff --git a/.github/workflows/check-test-coverage.yml b/.github/workflows/check-test-coverage.yml
index 49a57c4..533accf 100644
--- a/.github/workflows/check-test-coverage.yml
+++ b/.github/workflows/check-test-coverage.yml
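Review bot: The trailing comment on the new `uses: codecov/codecov-action@29386c70ef20e286228c72b668a06fd0e8399192 # v1` line names only the major, while the SHA resolves to exactly one release; give the exact tag that commit corresponds to (`# v1.X.Y`, placeholder until checked against the action's releases) so a reviewer can audit the pin without resolving the hash and Dependabot's comment updates stay meaningful. Staying on the v1 major is itself worth a second look before freezing it by SHA: v1 is several majors behind and, if I remember right, relies on an upload path Codecov has since retired, so confirm on a recent run that this step still uploads anything. The stated goal of the commit is also only partly met in this file, since the other `uses:` lines in the same job (`actions/checkout@v2`, `actions/setup-python@v2`, visible in the next commit's hunk of this file) remain on mutable tags. The enclosing job definition starts outside the hunk.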
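Review bot: The checkout step that receives `persist-credentials: false` here is still referenced by a mutable tag (`actions/checkout@v3` in this hunk; `actions/checkout@v2` and `actions/setup-python@v2` in the four other hunks of this commit), and neither of the series' "pin actions by SHA" commits touches those lines, so they remain exactly the moving references the pinning was meant to eliminate. I would pin each of them the same way as codecov-action and psf/black, e.g. `uses: actions/checkout@<full 40-hex commit sha> # vX.Y.Z` with the real SHA taken from the release tag, and let the Dependabot config added at the end of the series keep them current. To my knowledge the `@v2` majors of both actions run on a Node runtime GitHub has retired, so the pin is also the moment to move them to a current major. Each of these hunks sits inside a job whose definition starts outside the hunk.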
@@ -10,6 +10,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Setup Python
 uses: actions/setup-python@v2
 with:
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index c2d12c0..8d5ca4b 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -14,6 +14,8 @@ jobs:
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v2
 with:
diff --git a/.github/workflows/python-runlinter.yml b/.github/workflows/python-runlinter.yml
index 1a27d2f..057b86f 100644
--- a/.github/workflows/python-runlinter.yml
+++ b/.github/workflows/python-runlinter.yml
@@ -15,6 +15,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v2
 with:
diff --git a/.github/workflows/python-runtests-all.yml b/.github/workflows/python-runtests-all.yml
index 6eecd68..05c4115 100644
--- a/.github/workflows/python-runtests-all.yml
+++ b/.github/workflows/python-runtests-all.yml
@@ -19,6 +19,8 @@ jobs:
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v2
 with:

From f89172e699da83e1765642079dc525d55ceb5cb6 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:19:31 -0400
Subject: [PATCH 3/5] CI: Restrict default permissions

Reduces risk of arbitrary code is run by attacker.
---
 .github/workflows/black.yml | 2 ++
 .github/workflows/check-test-coverage.yml | 2 ++
 .github/workflows/python-publish.yml | 2 ++
 .github/workflows/python-runlinter.yml | 2 ++
 .github/workflows/python-runtests-all.yml | 2 ++
 5 files changed, 10 insertions(+)

diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
index 34d979c..62f41ff 100644
--- a/.github/workflows/black.yml
+++ b/.github/workflows/black.yml
@@ -1,4 +1,6 @@
 name: Lint with Black
+permissions:
+ contents: read
 on: [push, pull_request]
diff --git a/.github/workflows/check-test-coverage.yml b/.github/workflows/check-test-coverage.yml
index 533accf..342166a 100644
--- a/.github/workflows/check-test-coverage.yml
+++ b/.github/workflows/check-test-coverage.yml
@@ -1,4 +1,6 @@
 name: Coverage (with doctests)
+permissions:
+ contents: read
 on:
 push:
 branches: [ master ]
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index 8d5ca4b..67922bb 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -2,6 +2,8 @@
 # For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
 name: Publish Python Package
+permissions:
+ contents: read
 on:
 release:
diff --git a/.github/workflows/python-runlinter.yml b/.github/workflows/python-runlinter.yml
index 057b86f..c99fda8 100644
--- a/.github/workflows/python-runlinter.yml
+++ b/.github/workflows/python-runlinter.yml
@@ -2,6 +2,8 @@
 # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
 name: Lint with flake8
+permissions:
+ contents: read
 on:
 push:
diff --git a/.github/workflows/python-runtests-all.yml b/.github/workflows/python-runtests-all.yml
index 05c4115..35db319 100644
--- a/.github/workflows/python-runtests-all.yml
+++ b/.github/workflows/python-runtests-all.yml
@@ -2,6 +2,8 @@
 # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
 name: Run units test (w/ img comps)
+permissions:
+ contents: read
 on:
 push:

From c5d1b32b7ce01989ef942acce9c51832b87fa34c Mon Sep 17 00:00:00 2001
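Review bot: The workflow-level `permissions:` / `contents: read` added to python-publish.yml narrows every job in that file to read-only, and the publish job (defined further down, outside the hunk) is the one most likely to need more: if it authenticates to PyPI via trusted publishing it needs `id-token: write`, which this default no longer grants; if it uses a stored API token nothing else is required. Please confirm which mechanism the publish step uses and, for OIDC, add a job-scoped `permissions:` block with `contents: read` and `id-token: write` on that job rather than widening the workflow default. The identical top-level block added in the other four hunks of this commit (black.yml, check-test-coverage.yml, python-runlinter.yml, python-runtests-all.yml) looks correct as written for lint and test jobs.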
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:34:22 -0400
Subject: [PATCH 4/5] CI: pin actions by SHA

This eliminates the possibility of a tag being changed under us.
---
 .github/workflows/black.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
index 62f41ff..e67f0bf 100644
--- a/.github/workflows/black.yml
+++ b/.github/workflows/black.yml
@@ -11,4 +11,4 @@ jobs:
 - uses: actions/checkout@v3
 with:
 persist-credentials: false
- - uses: psf/black@stable
+ - uses: psf/black@8a737e727ac5ab2f1d4cf5876720ed276dc8dc4b # 25.1.0

From 2ea393c04398e683b58c9f0f37c0384cab3eddef Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Fri, 18 Jul 2025 11:31:55 -0400
Subject: [PATCH 5/5] CI: add dependabot config file for GHA

---
 .github/dependabot.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..fc9f855
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/" # Location of your workflow files
+ schedule:
+ interval: "weekly" # Options: daily, weekly, monthly
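Review bot: The first added line of `.github/dependabot.yml` is empty, so the new file opens with a blank line; replace it with the `---` document start (or drop it) so the file is clean under yamllint's document-start rule. Worth recording for the earlier commits in this series: Dependabot updates SHA-pinned `uses:` lines in place and rewrites the trailing `# version` comment next to the hash, so the comments added in patches 1 and 4 are what keep those pins readable after an update and should stay on the same line as the `uses:`. The `actions/checkout` and `actions/setup-python` references still on `@v2`/`@v3` tags will only get major-tag bumps from this config; once they are pinned by SHA with a version comment, the same weekly schedule will roll them too.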