4 changes: 4 additions & 0 deletions .github/dependabot.yml
Expand Up @@ -13,8 +13,12 @@ updates:
labels:
- "dependencies"
- "pip"
cooldown:
default-days: 7
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "monthly"
target-branch: main
cooldown:
default-days: 7
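Review bot: The new `github-actions` entry has no `labels:`, while the `pip` entry directly above tags its PRs with `"dependencies"` and `"pip"`, so the action-bump PRs will not match whatever label-based filtering or automation the repository applies to the pip ones. Adding `labels:` with `- "dependencies"` and `- "github-actions"` under the new entry keeps the two ecosystems consistent. The 7-day `cooldown` on both entries is a reasonable delay before adopting freshly published releases and needs no change.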
18 changes: 12 additions & 6 deletions .github/workflows/pull-request.yml
Expand Up @@ -21,6 +21,8 @@ jobs:

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Install poetry
run: |
Expand Down Expand Up @@ -68,11 +70,15 @@ jobs:

- name: Safety
run: |
if [ "${{ matrix.python-version }}" = "3.9" ] || [ "${{ matrix.python-version }}" = "3.10" ]; then
poetry run safety check --ignore 82754 --ignore 84183 --ignore 83159
else
poetry run safety check
fi
# 82754: filelock TOCTOU symlink (CVE-2025-68146), fix requires Python >=3.10
# 84183: filelock lock mechanism (PVE-2026-84183), fix requires Python >=3.10
# 83159: marshmallow data conversion (CVE-2025-68480), fix requires Python >=3.10
# 84415: filelock TOCTOU race condition (CVE-2026-22701), fix requires Python >=3.10
poetry run safety check \
--ignore 82754 \
--ignore 84183 \
--ignore 83159 \
--ignore 84415

- name: Vulture
run: |
Expand All @@ -85,5 +91,5 @@ jobs:
- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
with:
token: ${{ secrets.CODECOV_TOKEN }}
token: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env]
slug: prowler-cloud/py-ocsf-models
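Review bot: The rewritten Safety step in the second hunk applies all four `--ignore` flags on every matrix entry, whereas the removed branch only applied them when `matrix.python-version` was `3.9` or `3.10`; on interpreters where the fixed releases are installable, the findings for CVE-2025-68146, CVE-2025-68480 and CVE-2026-22701 are now silenced as well. If the comments' justification (`fix requires Python >=3.10`) still holds, keep a version gate around the ignore list, or state in the comment block why the suppressions are intended for all versions. A re-check date on each ignore line (e.g. `# 84415: … — revisit when 3.9 leaves the matrix`) would make the suppressions easier to retire. The `persist-credentials: false` addition to checkout and the explicit `# zizmor: ignore[secrets-outside-env]` on the Codecov token are fine as written.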
12 changes: 7 additions & 5 deletions .github/workflows/pypi-release.yml
Expand Up @@ -9,18 +9,23 @@ on:
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
PYTHON_VERSION: 3.11
# CACHE: "poetry"

jobs:
release:
runs-on: ubuntu-latest
environment: release
permissions:
contents: read
id-token: write
env:
POETRY_VIRTUALENVS_CREATE: "false"

name: Release py-ocsf-models to PyPI
steps:

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Install dependencies
run: |
Expand All @@ -30,13 +35,10 @@ jobs:
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: ${{ env.PYTHON_VERSION }}
# cache: ${{ env.CACHE }}

- name: Build package
run: |
poetry build

- name: Publish package to PyPI
run: |
poetry config pypi-token.pypi ${{ secrets.PYPI_API_TOKEN }}
poetry publish
uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
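Review bot: With publishing switched to `pypa/gh-action-pypi-publish` under a job-scoped `id-token: write`, the `PYPI_API_TOKEN` secret referenced by the removed `poetry config pypi-token.pypi` line is no longer used; revoke it on PyPI and delete it from the repository secrets so a long-lived credential does not stay valid alongside the OIDC trust. If the trusted publisher was registered on PyPI with an environment, it has to be the `release` environment this job uses, which is worth a comment next to it: `environment: release  # must match the PyPI trusted-publisher configuration`. `contents: read` plus `id-token: write` is the right minimum for this job, and dropping the commented-out `CACHE` lines is a sensible cleanup.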
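--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,52 @@
+name: GitHub Actions Security Analysis
+
+on:
+push:
+branches:
+- "main"
+paths:
+- ".github/workflows/**"
+pull_request:
+branches:
+- "main"
+paths:
+- ".github/workflows/**"
+
+permissions: {}
+
+jobs:
+zizmor-pr:
+name: Run zizmor (PR)
+if: github.event_name == 'pull_request'
+runs-on: ubuntu-latest
+permissions:
+contents: read
+actions: read
+steps:
+- name: Checkout repository
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
+
+- name: Run zizmor
+uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+with:
+advanced-security: "false"
+annotations: "true"
+
+zizmor-push:
+name: Run zizmor (push)
+if: github.event_name == 'push'
+runs-on: ubuntu-latest
+permissions:
+security-events: write
+contents: read
+actions: read
+steps:
+- name: Checkout repository
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
+
+- name: Run zizmor
+uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2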
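Review bot: Nothing in the file explains why the two jobs differ: `zizmor-pr` sets `advanced-security: "false"` and `annotations: "true"` with read-only permissions, while `zizmor-push` takes the action's defaults and is granted `security-events: write`. A one-line comment above each job, such as `# PR runs (including forks) only annotate; SARIF upload needs security-events: write` and `# push to main uploads SARIF to code scanning`, would record the intent — my reading of the inputs, since their semantics are not on the page, so confirm before wording it. The `paths` filter covers only `.github/workflows/**`; if the repository ever adds composite actions under `.github/actions/`, changes there would not trigger this scan. Top-level `permissions: {}` with per-job grants is the correct least-privilege shape.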
6 changes: 6 additions & 0 deletions .pre-commit-config.yaml
Expand Up @@ -106,3 +106,9 @@ repos:
entry: bash -c 'vulture --exclude "contrib" --min-confidence 100 .'
language: system
files: '.*\.py'

## GITHUB ACTIONS
- repo: https://github.com/zizmorcore/zizmor-pre-commit
rev: v1.23.1
hooks:
- id: zizmor
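Review bot: The new hook is pinned by tag at `rev: v1.23.1`, while every action added elsewhere in this PR is pinned to a commit SHA with the version in a trailing comment; a tag can be moved, so this is the weakest pin in the change. If the project wants the same guarantee here, `rev` accepts a full commit SHA, e.g. `rev: <FULL_COMMIT_SHA>  # v1.23.1` (placeholder — look up the SHA for the tag), and `pre-commit autoupdate` will still replace it with the latest tag when run. The `## GITHUB ACTIONS` heading comment is fine if it matches the section-header style used earlier in this file, which is outside the hunk.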