Skip to content

Commit 7a01033

Browse files
blyxyasblyxyas
authored
Make CI a little bit safer (rust-lang#13933)
This PR fixes two vulnerabilities in our CI, found with [zizmor](https://github.com/woodruffw/zizmor). One could be exploited by someone with tag-pushing permissions to execute arbitrary code in our CI (see`deploy.yml`). The second vulnerability would expose our tokens to a supply chain attack via a `build.rs` in one of the dependencies (See the rest of the files, and actions/checkout#485) Pre-reviewed by @flip1995 in our DMs. changelog:none
2 parents 631d9a2 + 7ac1515 commit 7a01033

File tree

6 files changed

+36
-1
lines changed

6 files changed

+36
-1
lines changed

.github/workflows/clippy_dev.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,9 @@ jobs:
1717
# Setup
1818
- name: Checkout
1919
uses: actions/checkout@v4
20+
with:
21+
# Unsetting this would make so that any malicious package could get our Github Token
22+
persist-credentials: false
2023

2124
# Run
2225
- name: Build

.github/workflows/clippy_mq.yml

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,8 @@ jobs:
2323
uses: actions/checkout@v4
2424
with:
2525
ref: ${{ github.ref }}
26+
# Unsetting this would make so that any malicious package could get our Github Token
27+
persist-credentials: false
2628

2729
# Run
2830
- name: Check Changelog
@@ -63,6 +65,8 @@ jobs:
6365
# Setup
6466
- name: Checkout
6567
uses: actions/checkout@v4
68+
with:
69+
persist-credentials: false
6670

6771
- name: Install i686 dependencies
6872
if: matrix.host == 'i686-unknown-linux-gnu'
@@ -121,6 +125,8 @@ jobs:
121125
# Setup
122126
- name: Checkout
123127
uses: actions/checkout@v4
128+
with:
129+
persist-credentials: false
124130

125131
- name: Install toolchain
126132
run: rustup show active-toolchain
@@ -136,6 +142,8 @@ jobs:
136142
# Setup
137143
- name: Checkout
138144
uses: actions/checkout@v4
145+
with:
146+
persist-credentials: false
139147

140148
- name: Install toolchain
141149
run: rustup show active-toolchain
@@ -188,6 +196,8 @@ jobs:
188196
# Setup
189197
- name: Checkout
190198
uses: actions/checkout@v4
199+
with:
200+
persist-credentials: false
191201

192202
- name: Install toolchain
193203
run: rustup show active-toolchain

.github/workflows/clippy_pr.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,9 @@ jobs:
2525
# Setup
2626
- name: Checkout
2727
uses: actions/checkout@v4
28+
with:
29+
# Unsetting this would make so that any malicious package could get our Github Token
30+
persist-credentials: false
2831

2932
- name: Install toolchain
3033
run: rustup show active-toolchain

.github/workflows/deploy.yml

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,19 +22,27 @@ jobs:
2222
# Setup
2323
- name: Checkout
2424
uses: actions/checkout@v4
25+
with:
26+
# Unsetting this would make so that any malicious package could get our Github Token
27+
persist-credentials: false
2528

2629
- name: Checkout
2730
uses: actions/checkout@v4
2831
with:
2932
ref: ${{ env.TARGET_BRANCH }}
3033
path: 'out'
34+
# Unsetting this would make so that any malicious package could get our Github Token
35+
persist-credentials: false
3136

3237
# Run
3338
- name: Set tag name
3439
if: startswith(github.ref, 'refs/tags/')
3540
run: |
36-
TAG=$(basename ${{ github.ref }})
41+
TAG=$(basename "${TAGNAME}")
3742
echo "TAG_NAME=$TAG" >> $GITHUB_ENV
43+
env:
44+
# Make sure that the reference gets expanded before injecting it
45+
TAGNAME: ${{ github.ref }}
3846
- name: Set beta to true
3947
if: github.ref == 'refs/heads/beta'
4048
run: echo "BETA=true" >> $GITHUB_ENV

.github/workflows/lintcheck.yml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,8 @@ jobs:
2121
uses: actions/checkout@v4
2222
with:
2323
fetch-depth: 2
24+
# Unsetting this would make so that any malicious package could get our Github Token
25+
persist-credentials: false
2426

2527
# HEAD is the generated merge commit `refs/pull/N/merge` between the PR and `master`, `HEAD^`
2628
# being the commit from `master` that is the base of the merge
@@ -73,6 +75,9 @@ jobs:
7375
steps:
7476
- name: Checkout
7577
uses: actions/checkout@v4
78+
with:
79+
# Unsetting this would make so that any malicious package could get our Github Token
80+
persist-credentials: false
7681

7782
- name: Cache lintcheck bin
7883
id: cache-lintcheck-bin
@@ -103,6 +108,9 @@ jobs:
103108
steps:
104109
- name: Checkout
105110
uses: actions/checkout@v4
111+
with:
112+
# Unsetting this would make so that any malicious package could get our Github Token
113+
persist-credentials: false
106114

107115
- name: Restore lintcheck bin
108116
uses: actions/cache/restore@v4

.github/workflows/remark.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,9 @@ jobs:
1212
# Setup
1313
- name: Checkout
1414
uses: actions/checkout@v4
15+
with:
16+
# Unsetting this would make so that any malicious package could get our Github Token
17+
persist-credentials: false
1518

1619
- name: Setup Node.js
1720
uses: actions/setup-node@v4

0 commit comments

Comments
 (0)