From 53f6d36217faad6d38af0738a576e9541ad475b3 Mon Sep 17 00:00:00 2001
From: Ben Mares
Date: Sun, 22 Dec 2024 15:37:20 +0100
Subject: [PATCH 1/4] Don't persist credentials
This is an insecure default on GitHub that increases the chances of credential leakage.
---
.github/workflows/devcontainer-docker-image.yml | 2 ++
.github/workflows/docker-image.yml | 2 ++
.github/workflows/mypy.yml | 2 ++
.github/workflows/pr-auto-label.yml | 2 ++
.github/workflows/tests.yml | 11 +++++++++++
5 files changed, 19 insertions(+)
diff --git a/.github/workflows/devcontainer-docker-image.yml b/.github/workflows/devcontainer-docker-image.yml
index 5ed355959..c9dc6bd93 100644
--- a/.github/workflows/devcontainer-docker-image.yml
+++ b/.github/workflows/devcontainer-docker-image.yml
@@ -24,6 +24,8 @@ jobs:
steps: - name: Checkout source uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + persist-credentials: false - name: Setup Docker buildx uses: docker/setup-buildx-action@v3.7.1
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index bbbbd27ae..5e66fe6f2 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -14,6 +14,8 @@ jobs:
steps: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + persist-credentials: false - name: Login to Docker Hub uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
index afa32a443..e6ea6826f 100644
--- a/.github/workflows/mypy.yml
+++ b/.github/workflows/mypy.yml
@@ -13,6 +13,8 @@ jobs:
runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + persist-credentials: false - uses: mamba-org/setup-micromamba@v2 with: environment-file: conda-envs/environment-test.yml
diff --git a/.github/workflows/pr-auto-label.yml b/.github/workflows/pr-auto-label.yml
index 2dcb2dd3d..252687b77 100644
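Review bot: The checkout step in this hunk is pinned to a full commit SHA, but the step right after it, `docker/setup-buildx-action@v3.7.1`, is referenced by a mutable tag, so the job still executes whatever that tag points to on the day it runs; the same pattern recurs with `mamba-org/setup-micromamba@v2` in the mypy.yml and tests.yml hunks of this patch. `persist-credentials: false` stops the GITHUB_TOKEN from being left in `.git/config` for later steps, but a step compromised via a moved tag still runs with the job's own token and whatever secrets the workflow hands it, so pinning is the complementary control. Pin the tag to the commit it resolves to and keep the tag as a trailing comment, e.g. `uses: docker/setup-buildx-action@<sha>  # v3.7.1`; the zizmor workflow added later in this series will most likely report these lines under its unpinned-uses audit if that audit is enabled in the version it runs. The enclosing job definition starts above this hunk.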
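Review bot: `docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567` (and the checkout pin above it) carries no trailing version comment, so a reader cannot tell which release the SHA is and Dependabot/Renovate have nothing to bump; append the resolved tag, e.g. `uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567  # vX.Y.Z` with the real tag filled in. Note also what `persist-credentials: false` does not cover here: it only keeps the GITHUB_TOKEN out of `.git/config`, while the registry credentials this login step writes into the runner's Docker config stay available to every later step in the job, so anything that follows it should be pinned and kept to a minimum. The job's permissions and the steps after the login are outside this hunk.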
--- a/.github/workflows/pr-auto-label.yml
+++ b/.github/workflows/pr-auto-label.yml
@@ -11,6 +11,8 @@ jobs:
steps: - name: Checkout repository uses: actions/checkout@v2 + with: + persist-credentials: false - name: Sync labels with closing issues uses: wd60622/closing-labels@v0.0.3 with:
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index be2444921..268656f68 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -34,6 +34,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 + persist-credentials: false - uses: dorny/paths-filter@v3 id: changes with:
@@ -144,6 +145,8 @@ jobs:
shell: bash -leo pipefail {0} steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + persist-credentials: false - uses: mamba-org/setup-micromamba@v2 with: environment-file: conda-envs/environment-test.yml
@@ -194,6 +197,8 @@ jobs:
shell: cmd /C call {0} steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + persist-credentials: false - uses: mamba-org/setup-micromamba@v2 with: environment-file: conda-envs/windows-environment-test.yml
@@ -253,6 +258,8 @@ jobs:
shell: bash -leo pipefail {0} steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + persist-credentials: false - uses: mamba-org/setup-micromamba@v2 with: environment-file: conda-envs/environment-test.yml
@@ -297,6 +304,8 @@ jobs:
shell: bash -leo pipefail {0} steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + persist-credentials: false - uses: mamba-org/setup-micromamba@v2 with: environment-file: conda-envs/environment-jax.yml
@@ -341,6 +350,8 @@ jobs:
shell: cmd /C call {0} steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + persist-credentials: false - uses: mamba-org/setup-micromamba@v2 with: environment-file: conda-envs/windows-environment-test.yml
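Review bot: `persist-credentials: false` in the first tests.yml hunk does not change what `dorny/paths-filter@v3` immediately below it can do: that action takes its own `token` input, which as far as I recall defaults to `${{ github.token }}` and is used to fetch the PR diff from the API, so the workflow token still flows into a third-party action here regardless of this change. That is acceptable for a read-scoped token, but it is exactly the step that should not float on a mutable tag; pin it to a commit SHA like the checkout above it, e.g. `uses: dorny/paths-filter@<sha>  # v3`. The `fetch-depth: 0` full-history clone is presumably there for paths-filter on push events, which deserves a one-line comment so nobody trims it later. The enclosing job starts above this hunk.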
From 4488d7d547d66bb377e29c00c9b455d6aaa67dca Mon Sep 17 00:00:00 2001
From: Ben Mares
Date: Sun, 22 Dec 2024 18:05:45 +0100
Subject: [PATCH 2/4] Remove unnecessary checkout and permissions from pr-auto-label
---
.github/workflows/pr-auto-label.yml | 5 -----
1 file changed, 5 deletions(-)
diff --git a/.github/workflows/pr-auto-label.yml b/.github/workflows/pr-auto-label.yml
index 252687b77..21adc8947 100644
--- a/.github/workflows/pr-auto-label.yml
+++ b/.github/workflows/pr-auto-label.yml
@@ -5,14 +5,9 @@ on:
jobs: sync: permissions: - contents: read pull-requests: write runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@v2 - with: - persist-credentials: false - name: Sync labels with closing issues uses: wd60622/closing-labels@v0.0.3 with:
From adfd49c8c272ebac7847c84af71e1e575a34dc6f Mon Sep 17 00:00:00 2001
From: Ben Mares
Date: Sun, 22 Dec 2024 18:59:18 +0100
Subject: [PATCH 3/4] Add exceptions for audited "dangerous triggers"
---
.github/workflows/pr-auto-label.yml | 3 ++-
.github/workflows/rtd-link-preview.yml | 8 ++++----
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/pr-auto-label.yml b/.github/workflows/pr-auto-label.yml
index 21adc8947..9879a8e55 100644
--- a/.github/workflows/pr-auto-label.yml
+++ b/.github/workflows/pr-auto-label.yml
@@ -1,6 +1,7 @@ name: "Pull Request Labeler" on: -- pull_request_target +# The labeler doesn't execute any contributed code, so it should be fairly safe. +- pull_request_target # zizmor: ignore[dangerous-triggers] jobs: sync:
diff --git a/.github/workflows/rtd-link-preview.yml b/.github/workflows/rtd-link-preview.yml
index 626b410c3..62ba59107 100644
--- a/.github/workflows/rtd-link-preview.yml
+++ b/.github/workflows/rtd-link-preview.yml
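Review bot: With the checkout removed, the only code this `pull_request_target` job runs is `wd60622/closing-labels@v0.0.3`, a third-party action referenced by a mutable tag while holding a `pull-requests: write` token for the base repository, so whoever can move that tag can run code with that token on every fork PR. Pin it to a commit SHA and keep the tag as a trailing comment, e.g. `uses: wd60622/closing-labels@<sha>  # v0.0.3`. Dropping `contents: read` is a good tightening; it would be worth confirming on a fork PR that the action still resolves the closing issues with only the `pull-requests` scope, since it may also need `issues: read`, which I cannot tell from here. The `on:` block this hunk sits under is outside the hunk.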
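Review bot: The justification comment added above `pull_request_target` in the PATCH 3 pr-auto-label hunk states the conclusion ("doesn't execute any contributed code") but not the invariant that makes it true, so the next person who adds a checkout or a `run:` step that interpolates PR-controlled metadata will not see what they are breaking. I would spell it out: `# pull_request_target is required so fork PRs can be labelled with a write token. Safe only because this job never checks out or executes PR content and never interpolates PR-supplied strings; keep it that way.` The `# zizmor: ignore[dangerous-triggers]` pragma is the right mechanism, but with the invariant next to it the exception is reviewable rather than permanent. The jobs section continues below this hunk.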
@@ -1,15 +1,15 @@ name: Read the Docs Pull Request Preview on: - pull_request_target: + # See + pull_request_target: # zizmor: ignore[dangerous-triggers] types: - opened -permissions: - pull-requests: write - jobs: documentation-links: runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - uses: readthedocs/actions/preview@v1 with:
From c418f782b4d22e6663bf63d17f5bb57ddabd26fd Mon Sep 17 00:00:00 2001
From: Ben Mares
Date: Sun, 22 Dec 2024 19:11:18 +0100
Subject: [PATCH 4/4] Create zizmor workflow
---
.github/workflows/zizmor.yml | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 000000000..b747897eb
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,36 @@
+# https://github.com/woodruffw/zizmor
+name: zizmor GHA analysis
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+jobs:
+ zizmor:
+ name: zizmor latest via PyPI
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - uses: hynek/setup-cached-uv@v2
+
+ - name: Run zizmor 🌈
+ run: uvx zizmor --format sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: results.sarif
+ # Optional category for the results
+ # Used to differentiate multiple results for one commit
+ category: zizmor
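Review bot: The `# See` comment added above `pull_request_target` in rtd-link-preview.yml is empty: it references nothing, so either the intended link was lost or it is a placeholder, and as written it gives the zizmor exception no justification at all. Replace it with the actual reference or with the invariant the exception relies on, e.g. `# pull_request_target is needed to comment on fork PRs; safe only because no PR content is checked out or executed here.` The exception is also only as strong as the one action it covers: `readthedocs/actions/preview@v1` runs under this trigger with `pull-requests: write` from a mutable tag, so pin it to a commit SHA with `# v1` as a trailing comment. Moving `permissions` to the job level is the right direction; adding a workflow-level `permissions: {}` on top would make the default for any job added later explicit rather than inherited from the repository setting.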
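Review bot: A workflow whose job is to audit the other workflows should pass its own audit, but `actions/checkout@v4`, `hynek/setup-cached-uv@v2` and `github/codeql-action/upload-sarif@v3` are mutable tags and `uvx zizmor` resolves to whatever PyPI serves at run time, so every run executes code the repository has not pinned, with `security-events: write` and the GITHUB_TOKEN exported as `GH_TOKEN`; pin each action to a commit SHA with the tag as a trailing comment and pin the tool with `uvx zizmor==X.Y.Z`. zizmor's documented behaviour is to exit non-zero when it reports findings, so as written the upload step is skipped on exactly the runs that produce a non-empty SARIF; add `if: always()` to the upload step (or disable the exit code if the pinned version supports that) so the results still reach code scanning. On `pull_request` runs from forks the GITHUB_TOKEN is read-only and `security-events: write` is not granted, so I would expect the upload to fail there; either gate the upload on the head repository being this repository or accept and document that failure. With only `security-events: write` declared the token has no `contents` scope, which is fine for zizmor's online audits on a public repository but worth a comment if this repo is ever made private.
```yaml
    steps:
      - name: Checkout repository
        uses: actions/checkout@<sha>  # v4
        with:
          persist-credentials: false

      - uses: hynek/setup-cached-uv@<sha>  # v2

      - name: Run zizmor 🌈
        run: uvx zizmor==X.Y.Z --format sarif . > results.sarif
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload SARIF file
        if: always()
        uses: github/codeql-action/upload-sarif@<sha>  # v3
        # … unchanged: with: sarif_file / category …
```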