Improve the security of GitHub Action workflows#2952
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #2952 +/- ##
=======================================
Coverage 95.62% 95.62%
=======================================
Files 266 266
Lines 15601 15601
=======================================
Hits 14918 14918
Misses 683 683 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
| matrix: | ||
| python-version: ["3.12", "3.13", "3.14"] | ||
| architecture: ["x64"] # need to force Intel, arm64 builds have issues | ||
| architecture: ["x64"] # need to force Intel, arm64 builds have issues |
There was a problem hiding this comment.
@valeriupredoi I seem to remember we had issues with this in ESMValTool, should we use the "default" architecture instead?
There was a problem hiding this comment.
yes - did we not change to arm for all our OSX GHAs?
There was a problem hiding this comment.
(I mean, delete the arch: x64 line, not specifically request an arm arch) - proves we didn't - can you delete that here pls, bud?
|
good idea to secure our GHAs - but I reckon we ought to do that only for the GHAs that allow some two-way interaction between the runner and our repo ie those that open auto PRs; I am a bit scared of this tool though, have a look at the limitations listed in this article https://grafana.com/blog/how-to-detect-vulnerable-github-actions-at-scale-with-zizmor/ I honestly don't se any point fretting about the GHAs that don't allow any interaction with our repo, bud 🍻 |
Co-authored-by: bouweandela <bouweandela@users.noreply.github.com> Co-authored-by: Valeriu Predoi <valeriu.predoi@gmail.com>
|
Which limitations do you mean specifically? I don't see any that would affect us. I'm not terribly concerned about us getting hacked as we're such a small community, but I think it's nice to at least try to prevent it. |
this one:
Firstly, GitHub’s rate limiting of repository and application tokens causes some headaches when running the online checks that Zizmor can do. This is down to the fact that Zizmor uses the GitHub API to fetch the tags and branches for a given action. When this is done at scale, and on large projects, you quickly hit GitHub’s 15,000 calls per hour. It looks like the maintainer has already started thinking about this use case in this issue. |
|
Let's see about that when we get there. It says the issue has mostly been addressed and we're not anywhere close to the number of contributors that Grafana has.. |
|
Fine by me - let's deploy this and see how to goes 🍻 |
valeriupredoi
left a comment
valeriupredoi
left a comment
There was a problem hiding this comment.
sneaky - added some more hooks in pre-commit config - did you want to test my security level while reviewing? 😆 Thanks, bud - all fine for me!
| rev: "v2.4.1" | ||
| hooks: | ||
| - id: codespell | ||
| - repo: https://github.com/python-jsonschema/check-jsonschema |
There was a problem hiding this comment.
what's this do? Checks for baby shampoos? 😁
There was a problem hiding this comment.
It checks that the YAML files for GitHub Actions and CircleCI and the citation file follow the schema, i.e. don't have any keys that don't belong there or values of the wrong type.
It's what I meant with
in the description at the top. |
|
Thanks for reviewing 🍻 |
|
all good, bud, just making a bit of fun at your expense on a dark and gloomy Monday - did we want to move away from arch x64 for OSX too? Or, in a separate PR better |
|
No worries, yes, let's move away from the x64 OSX runner in a separate pr |
2 participants
Description
Adopt
zizmorto improve the security of our GitHub Action workflows and add some schema checks too.Checklist
It is the responsibility of the author to make sure the pull request is ready to review. The icons indicate whether the item will be subject to the 🛠 Technical or 🧪 Scientific review.
To help with the number pull requests: