From 3f94c8b50e9ace8b06f6236612b4ed615b8a85c1 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 6 Jan 2025 14:58:23 -0500 Subject: [PATCH] ci: cleanup, fix zizmor findings Signed-off-by: William Woodruff --- .github/workflows/ci.yml | 4 +++ .github/workflows/release.yml | 2 ++ .github/workflows/selftest.yml | 51 ++++++++++++++++++++++++++++++++-- .github/workflows/semgrep.yml | 11 +++++--- .github/workflows/zizmor.yml | 36 ++++++++++++++++++++++++ 5 files changed, 98 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7fe68e7..91e5f8e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,8 +11,12 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false + - uses: actions/setup-python@v5 with: python-version: "3.x" + - name: lint run: make lint diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index eeed331..cff0909 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -17,6 +17,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: sign uses: ./ diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index dc9b3f9..d70c5cf 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml @@ -8,11 +8,12 @@ on: workflow_dispatch: workflow_call: -permissions: - id-token: write +permissions: {} jobs: selftest: + permissions: + id-token: write strategy: matrix: os: @@ -25,6 +26,8 @@ jobs: if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 if: ${{ matrix.os != 'ubuntu-latest' }} with: 
@@ -41,6 +44,8 @@ jobs: [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 selftest-runner-python: + permissions: + id-token: write strategy: matrix: os: @@ -51,6 +56,8 @@ jobs: if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Sign artifact and publish signature uses: ./ id: sigstore-python @@ -63,6 +70,8 @@ jobs: [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 selftest-whitespace: + permissions: + id-token: write strategy: matrix: os: @@ -73,6 +82,8 @@ jobs: if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 if: ${{ matrix.os != 'ubuntu-latest' }} with: @@ -94,6 +105,8 @@ jobs: [[ -f ./test/more\ white\ space.txt ]] || exit 1 selftest-xfail-invalid-inputs: + permissions: + id-token: write runs-on: ubuntu-latest strategy: matrix: @@ -105,6 +118,8 @@ jobs: if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Sign artifact and publish signature continue-on-error: true uses: ./ @@ -122,10 +137,14 @@ jobs: [[ "${XFAIL}" == "true" ]] || { >&2 echo "expected step to fail"; exit 1; } selftest-staging: + permissions: + id-token: write runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Sign artifact and publish signature uses: ./ id: sigstore-python 
@@ -138,10 +157,14 @@ jobs: [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1 selftest-glob: + permissions: + id-token: write runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Sign artifacts and publish signatures uses: ./ id: sigstore-python @@ -156,12 +179,16 @@ jobs: [[ -f ./test/artifact2.txt.sigstore.json ]] || exit 1 selftest-xfail-glob-input-expansion: + permissions: + id-token: write runs-on: ubuntu-latest env: TEST_DIR: test if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Sign artifacts and publish signatures continue-on-error: true uses: ./ @@ -182,10 +209,14 @@ jobs: [[ "${XFAIL}" == "true" ]] || { >&2 echo "expected step to fail"; exit 1; } selftest-glob-multiple: + permissions: + id-token: write runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Sign artifacts and publish signatures uses: ./ id: sigstore-python @@ -205,10 +236,14 @@ jobs: [[ -f ./test/subdir/hello3.txt.sigstore.json ]] || exit 1 selftest-upload-artifacts: + permissions: + id-token: write runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Sign artifact and publish signature uses: ./ id: sigstore-python 
@@ -228,10 +263,14 @@ jobs: working-directory: ./test/uploaded selftest-verify: + permissions: + id-token: write runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Sign artifact and publish signature uses: ./ id: sigstore-python @@ -244,6 +283,8 @@ jobs: internal-be-careful-debug: true selftest-xfail-verify-missing-options: + permissions: + id-token: write runs-on: ubuntu-latest strategy: matrix: @@ -268,6 +309,8 @@ jobs: if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Sign artifact and publish signature continue-on-error: true uses: ./ @@ -290,10 +333,14 @@ jobs: [[ "${XFAIL}" == "true" ]] || { >&2 echo "expected step to fail"; exit 1; } selftest-identity-token: + permissions: + id-token: write runs-on: ubuntu-latest if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Get OIDC token id: get-oidc-token run: | diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 1df680c..1353e78 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -12,11 +12,14 @@ name: Semgrep jobs: semgrep: name: Scan - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest env: SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} container: - image: returntocorp/semgrep + image: semgrep/semgrep + steps: - - uses: actions/checkout@v4 - - run: semgrep ci + - uses: actions/checkout@v4 + with: + persist-credentials: false + - run: semgrep ci diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..6830f8b --- /dev/null +++ b/.github/workflows/zizmor.yml 
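Review bot: In the semgrep.yml hunk `SEMGREP_APP_TOKEN` stays a job-level `env:`, so after this cleanup it is still exported into the `actions/checkout@v4` step as well as the one step that needs it; scope it to the scan step instead: `- run: semgrep ci` / `  env:` / `    SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}`, and drop the job-level `env:`. The same hunk switches the container to `image: semgrep/semgrep` with no tag or digest, i.e. the mutable default tag, for a job that receives an org secret and the full source tree; pin it to a release tag plus digest (`image: semgrep/semgrep:<version>@sha256:<digest>`) so the image can only change through a reviewed bump. The workflow's `on:` trigger is outside the hunk, so whether this job can be reached from fork pull requests (where a secret-bearing job is most sensitive) cannot be checked here.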
@@ -0,0 +1,36 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+jobs:
+ zizmor:
+ name: zizmor latest via PyPI
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ # required for workflows in private repositories
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - name: Install the latest version of uv
+ uses: astral-sh/setup-uv@v5
+
+ - name: Run zizmor 🌈
+ run: uvx zizmor --format sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
+ category: zizmor
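Review bot: The new zizmor.yml gates CI on third-party code that is resolved by mutable reference at every run: `astral-sh/setup-uv@v5` and `github/codeql-action/upload-sarif@v3` are tag-pinned, and `uvx zizmor` installs whatever PyPI currently serves as latest, so a compromised or simply changed release flows straight into a job that holds `security-events: write`. Pin each `uses:` to a full commit SHA with a trailing `# vN` comment and pin the scanner, e.g. `run: uvx zizmor==<version> --format sarif . > results.sarif`, then let a bot bump them. Note also that the `run:` step redirects output to `results.sarif` but does not tolerate a non-zero exit; if the installed zizmor release exits non-zero when it has findings, the upload step never runs for exactly the runs that matter, so consider `--no-exit-codes` (and failing on the uploaded alerts instead) or `if: always()` on the upload step — confirm against the zizmor version you pin. Finally, `pull_request: branches: ["**"]` appears to include fork pull requests, where `GITHUB_TOKEN` is read-only and the SARIF upload will most likely fail; either guard the upload step on `!github.event.pull_request.head.repo.fork` or accept the failure explicitly.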