ci: harden workflows (#345)

woodruffw · web-flow · commit 5200de89141a · 2024-12-17T08:10:33.000+08:00
* ci: harden workflows This hash-pins all of our workflows and fixes some (low-impact) zizmor findings. It also adds a `zizmor` workflow that'll run on pushes and PRs to prevent issues from sneaking in. Signed-off-by: William Woodruff <william@yossarian.net> * ci: zizmor: fix hash pin See stacklok/frizbee#206. Signed-off-by: William Woodruff <william@yossarian.net> --------- Signed-off-by: William Woodruff <william@yossarian.net>
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -19,9 +19,11 @@ jobs:
       contents: write
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      with:
+        persist-credentials: false
 
-    - uses: actions/setup-python@v5
+    - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5
       with:
         python-version: "3.x"
 
@@ -32,5 +34,5 @@ jobs:
       run: python -m build
 
     - name: publish
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # release/v1
 
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -20,11 +20,15 @@ jobs:
         os: ["macos-latest", "windows-latest", "ubuntu-latest"]
 
     steps:
-      - uses: "actions/checkout@v4"
-      - uses: "actions/setup-python@v5"
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5
         with:
           python-version: "${{ matrix.python-version }}"
           allow-prereleases: true
+
       - name: "Install dependencies"
         run: |
           python -VV
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,36 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+jobs:
+  zizmor:
+    name: zizmor latest via PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      # required for workflows in private repositories
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4
+
+      - name: Run zizmor 🌈
+        run: uvx zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@faa06bd0c3efe9bf73685e4489e70f0f552edc63 # v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor
