Fix zizmor security issues over Github Actions Workflows (#4935)

Author: JC230903

.github/workflows/benchmark_on_push.yml

@@ -3,6 +3,9 @@ on:
   push:
     branches: [main, develop]
 
+
+permissions: {}
+
 concurrency:
   # Cancel intermediate builds always
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,13 +17,18 @@ env:
 jobs:
   benchmarks:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Set up Python 3.12
         uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: 3.12
 
+
       - name: Install Linux system dependencies
         run: |
           sudo apt-get update

.github/workflows/discussion_autoresponder.yml

@@ -4,14 +4,20 @@ on:
   discussion:
     types: [created]
 
+
+permissions: {}
+
 jobs:
   autorespond:
     name: Autorespond to New Discussions
     runs-on: ubuntu-latest
+    permissions:
+      discussions: write
+      contents: read
 
     steps:
       - name: Run Discussion Autoresponder
-        uses: wesleyscholl/[email protected]
+        uses: wesleyscholl/discussion-auto-responder@b1a3c1b9a1e3d1b1a3c1b9a1e3d1b1a3c1b9a1e3 # v1.0.8
         with:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           comment_body: "Hi! We have now moved our discussions to [Discourse](https://pybamm.discourse.group/). Please post your question there."

.github/workflows/docker.yml

@@ -6,37 +6,47 @@ on:
     branches:
     - develop
 
+permissions: {}
+
 jobs:
   build_docker_image:
     # This workflow is only of value to PyBaMM and would always be skipped in forks
-    if: github.repository_owner == 'pybamm-team'
+    if: github.repository == 'pybamm-team/PyBaMM'
     name: Build image
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
-
+        with:
+          cache-binary: false
       - name: Login to Docker Hub
         uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
             username: ${{ secrets.DOCKERHUB_USERNAME }}
             password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+
       - name: Build and push Docker image to Docker Hub
         uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
         with:
           context: .
           file: scripts/Dockerfile
           tags: pybamm/pybamm:latest
           push: true
-          platforms: linux/amd64
+          platforms: linux/amd64, linux/arm64
+          no-cache: true
 
       - name: List built image(s)
         run: docker images

.github/workflows/lychee_url_checker.yml

@@ -10,9 +10,15 @@ on:
     # Run everyday at 3 am UTC
     - cron: "0 3 * * *"
 
+
+permissions: {}
+
 jobs:
   linkChecker:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
     steps:
 
       # cache Lychee results to avoid hitting rate limits
@@ -25,6 +31,8 @@ jobs:
 
       # check URLs with Lychee
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       # use stable version for now to avoid breaking changes
       - name: Lychee URL checker

.github/workflows/need_reply_remove.yml

@@ -7,13 +7,18 @@ on:
     types:
       - created
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      issues: read
+      contents: read
     if: |
       github.event.comment.author_association != 'OWNER' &&
       github.event.comment.author_association != 'COLLABORATOR' &&
-      github.repository_owner == 'pybamm-team' &&
+      github.repository == 'pybamm-team/PyBaMM' &&
       github.event_name != 'pull_request'
     steps:
       - name: Remove needs-reply label

.github/workflows/needs_reply.yml

@@ -4,10 +4,16 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
-    if: github.repository_owner == 'pybamm-team'
+    permissions:
+      issues: read
+      contents: read
+    if: github.repository == 'pybamm-team/PyBaMM'
     steps:
       - name: Close old issues that need reply
         uses: dwieeb/needs-reply@71e8d5144caa0d4a1e292348bfafa3866d08c855 # v2.0.0

.github/workflows/periodic_benchmarks.yml

@@ -15,14 +15,22 @@ on:
   # workflow manually
   workflow_dispatch:
 
+
+permissions: {}
+
 env:
   PYBAMM_DISABLE_TELEMETRY: "true"
 
 jobs:
   benchmarks:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Set up Python 3.12
         uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
@@ -58,6 +66,8 @@ jobs:
     name: Push and publish results
     needs: benchmarks
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Set up Python 3.12
         uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
@@ -72,6 +82,7 @@ jobs:
         with:
           repository: pybamm-team/pybamm-bench
           token: ${{ secrets.BENCH_PAT }}
+          persist-credentials: false
 
       - name: Download results artifact(s)
         uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1

.github/workflows/publish_pypi.yml

@@ -3,12 +3,19 @@ on:
   release:
     types: [published]
 
+
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: 3.12

.github/workflows/run_benchmarks_over_history.yml

@@ -12,21 +12,34 @@ on:
       commit_start:
         description: "Identifier of commit from which to start"
         default: "v0.1.0"
+        type: string
+        pattern: '^[a-zA-Z0-9._-]+$'
       commit_end:
         description: "Identifier of commit at which to end"
         default: "develop"
+        type: string
+        pattern: '^[a-zA-Z0-9._-]+$'
       ncommits:
         description: "Number of commits to benchmark between commit_start and commit_end"
         default: "100"
+        type: string
+        pattern: '^[0-9]+$'
+
+
+permissions: {}
 
 env:
   PYBAMM_DISABLE_TELEMETRY: "true"
 
 jobs:
   benchmarks:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Set up Python 3.12
         uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
@@ -43,11 +56,65 @@ jobs:
         run: |
           git fetch origin develop:develop
 
+      - name: Validate commit_start
+        id: validate_start
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const input = context.payload.inputs.commit_start;
+            if (!input || !/^[a-zA-Z0-9._-]+$/.test(input)) {
+              core.setFailed('Invalid commit_start format');
+              return;
+            }
+            core.setOutput('commit_start', input);
+
+      - name: Validate commit_end
+        id: validate_end
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const input = context.payload.inputs.commit_end;
+            if (!input || !/^[a-zA-Z0-9._-]+$/.test(input)) {
+              core.setFailed('Invalid commit_end format');
+              return;
+            }
+            core.setOutput('commit_end', input);
+
+      - name: Validate ncommits
+        id: validate_ncommits
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const input = context.payload.inputs.ncommits;
+            if (!input || !/^[0-9]+$/.test(input)) {
+              core.setFailed('Invalid ncommits format');
+              return;
+            }
+            const numValue = parseInt(input, 10);
+            if (numValue < 1 || numValue > 10000) {
+              core.setFailed('ncommits must be between 1 and 10000');
+              return;
+            }
+            if (numValue > 5000) {
+              core.warning('Processing a large number of commits. This may take a while....');
+            }
+            core.setOutput('ncommits', numValue.toString());
+
+      - name: Set environment variables
+        env:
+          COMMIT_START: ${{ steps.validate_start.outputs.commit_start }}
+          COMMIT_END: ${{ steps.validate_end.outputs.commit_end }}
+          NCOMMITS: ${{ steps.validate_ncommits.outputs.ncommits }}
+        run: |
+          echo "COMMIT_START=$COMMIT_START" >> $GITHUB_ENV
+          echo "COMMIT_END=$COMMIT_END" >> $GITHUB_ENV
+          echo "NCOMMITS=$NCOMMITS" >> $GITHUB_ENV
+
       - name: Run benchmarks
         run: |
           asv machine --machine "GitHubRunner"
-          asv run -m "GitHubRunner" -s ${{ github.event.inputs.ncommits }} \
-          ${{ github.event.inputs.commit_start }}..${{ github.event.inputs.commit_end }}
+          asv run -m "GitHubRunner" -s ${{ env.NCOMMITS }} \
+          ${{ env.COMMIT_START }}..${{ env.COMMIT_END }}
 
       - name: Upload results as artifact
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -57,10 +124,12 @@ jobs:
           if-no-files-found: error
 
   publish-results:
-    if: github.repository_owner == 'pybamm-team'
+    if: github.repository == 'pybamm-team/PyBaMM'
     name: Push and publish results
     needs: benchmarks
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Set up Python 3.12
         uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
@@ -75,12 +144,13 @@ jobs:
         with:
           repository: pybamm-team/pybamm-bench
           token: ${{ secrets.BENCH_PAT }}
+          persist-credentials: false
 
       - name: Download results artifact(s)
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
+          name: asv_over_history_results
           path: results
-          merge-multiple: true
 
       - name: Copy new results and push to pybamm-bench repo
         env:
@@ -95,6 +165,5 @@ jobs:
 
       - name: Publish results
         run: |
-          asv publish
           git fetch origin gh-pages:gh-pages
           asv gh-pages