144 changes: 127 additions & 17 deletions .github/workflows/build.yaml
Expand Up @@ -42,9 +42,17 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions: {}

jobs:
cpp-build:
secrets: inherit
permissions:
actions: read
contents: read
id-token: write
packages: read
pull-requests: read
secrets: inherit # zizmor: ignore[secrets-inherit]
uses: rapidsai/shared-workflows/.github/workflows/conda-cpp-build.yaml@main
with:
build_type: ${{ inputs.build_type || 'branch' }}
Expand All @@ -54,7 +62,13 @@ jobs:
script: ci/build_cpp.sh
python-build:
needs: [cpp-build]
secrets: inherit
permissions:
actions: read
contents: read
id-token: write
packages: read
pull-requests: read
secrets: inherit # zizmor: ignore[secrets-inherit]
uses: rapidsai/shared-workflows/.github/workflows/conda-python-build.yaml@main
with:
build_type: ${{ inputs.build_type || 'branch' }}
Expand All @@ -64,15 +78,29 @@ jobs:
script: ci/build_python.sh
upload-conda:
needs: [cpp-build, python-build]
secrets: inherit
permissions:
actions: read
contents: read
id-token: write
packages: read
pull-requests: read
uses: rapidsai/shared-workflows/.github/workflows/conda-upload-packages.yaml@main
secrets:
CONDA_RAPIDSAI_NIGHTLY_TOKEN: ${{ secrets.CONDA_RAPIDSAI_NIGHTLY_TOKEN }}
CONDA_RAPIDSAI_TOKEN: ${{ secrets.CONDA_RAPIDSAI_TOKEN }}
with:
build_type: ${{ inputs.build_type || 'branch' }}
branch: ${{ inputs.branch }}
date: ${{ inputs.date }}
sha: ${{ inputs.sha }}
wheel-build-cuopt-mps-parser:
secrets: inherit
permissions:
actions: read
contents: read
id-token: write
packages: read
pull-requests: read
secrets: inherit # zizmor: ignore[secrets-inherit]
uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main
with:
build_type: ${{ inputs.build_type || 'branch' }}
Expand All @@ -87,8 +115,16 @@ jobs:
matrix_filter: 'group_by([.ARCH, (.PY_VER |split(".") | map(tonumber))])|map(max_by([(.CUDA_VER|split(".")|map(tonumber))]))'
wheel-publish-cuopt-mps-parser:
needs: wheel-build-cuopt-mps-parser
secrets: inherit
permissions:
actions: read
contents: read
id-token: write
packages: read
pull-requests: read
uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main
secrets:
CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN: ${{ secrets.CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN }}
RAPIDSAI_PYPI_TOKEN: ${{ secrets.RAPIDSAI_PYPI_TOKEN }}
with:
build_type: ${{ inputs.build_type || 'branch' }}
branch: ${{ inputs.branch }}
Expand All @@ -98,7 +134,13 @@ jobs:
package-type: python
wheel-build-libcuopt:
needs: wheel-build-cuopt-mps-parser
secrets: inherit
permissions:
actions: read
contents: read
id-token: write
packages: read
pull-requests: read
secrets: inherit # zizmor: ignore[secrets-inherit]
uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main
with:
build_type: ${{ inputs.build_type || 'branch' }}
Expand All @@ -111,8 +153,16 @@ jobs:
matrix_filter: group_by([.ARCH, (.CUDA_VER|split(".")|map(tonumber)|.[0])]) | map(max_by(.PY_VER|split(".")|map(tonumber)))
wheel-publish-libcuopt:
needs: wheel-build-libcuopt
secrets: inherit
permissions:
actions: read
contents: read
id-token: write
packages: read
pull-requests: read
uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main
secrets:
CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN: ${{ secrets.CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN }}
RAPIDSAI_PYPI_TOKEN: ${{ secrets.RAPIDSAI_PYPI_TOKEN }}
with:
build_type: ${{ inputs.build_type || 'branch' }}
branch: ${{ inputs.branch }}
Expand All @@ -122,7 +172,13 @@ jobs:
package-type: cpp
wheel-build-cuopt:
needs: [wheel-build-cuopt-mps-parser, wheel-build-libcuopt]
secrets: inherit
permissions:
actions: read
contents: read
id-token: write
packages: read
pull-requests: read
secrets: inherit # zizmor: ignore[secrets-inherit]
uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main
with:
build_type: ${{ inputs.build_type || 'branch' }}
Expand All @@ -134,8 +190,16 @@ jobs:
package-type: python
wheel-publish-cuopt:
needs: wheel-build-cuopt
secrets: inherit
permissions:
actions: read
contents: read
id-token: write
packages: read
pull-requests: read
uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main
secrets:
CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN: ${{ secrets.CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN }}
RAPIDSAI_PYPI_TOKEN: ${{ secrets.RAPIDSAI_PYPI_TOKEN }}
with:
build_type: ${{ inputs.build_type || 'branch' }}
branch: ${{ inputs.branch }}
Expand All @@ -144,7 +208,13 @@ jobs:
package-name: cuopt
package-type: python
wheel-build-cuopt-server:
secrets: inherit
permissions:
actions: read
contents: read
id-token: write
packages: read
pull-requests: read
secrets: inherit # zizmor: ignore[secrets-inherit]
uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main
with:
build_type: ${{ inputs.build_type || 'branch' }}
Expand All @@ -159,8 +229,16 @@ jobs:
matrix_filter: map(select(.ARCH == "amd64")) | group_by(.CUDA_VER|split(".")|map(tonumber)|.[0]) | map(max_by([(.PY_VER|split(".")|map(tonumber)), (.CUDA_VER|split(".")|map(tonumber))]))
wheel-publish-cuopt-server:
needs: wheel-build-cuopt-server
secrets: inherit
permissions:
actions: read
contents: read
id-token: write
packages: read
pull-requests: read
uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main
secrets:
CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN: ${{ secrets.CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN }}
RAPIDSAI_PYPI_TOKEN: ${{ secrets.RAPIDSAI_PYPI_TOKEN }}
with:
build_type: ${{ inputs.build_type || 'branch' }}
branch: ${{ inputs.branch }}
Expand All @@ -170,7 +248,13 @@ jobs:
package-type: python
docs-build:
needs: [python-build]
secrets: inherit
permissions:
actions: read
contents: read
id-token: write
packages: read
pull-requests: read
secrets: inherit # zizmor: ignore[secrets-inherit]
uses: rapidsai/shared-workflows/.github/workflows/custom-job.yaml@main
with:
build_type: ${{ inputs.build_type || 'branch' }}
Expand All @@ -184,7 +268,13 @@ jobs:
container_image: "rapidsai/ci-conda:26.06-latest"
script: "ci/build_docs.sh"
wheel-build-cuopt-sh-client:
secrets: inherit
permissions:
actions: read
contents: read
id-token: write
packages: read
pull-requests: read
secrets: inherit # zizmor: ignore[secrets-inherit]
uses: rapidsai/shared-workflows/.github/workflows/wheels-build.yaml@main
with:
build_type: ${{ inputs.build_type || 'branch' }}
Expand All @@ -200,8 +290,16 @@ jobs:
matrix_filter: '[map(select(.ARCH == "amd64")) | min_by((.PY_VER | split(".") | map(tonumber)), (.CUDA_VER | split(".") | map(-tonumber)))]'
wheel-publish-cuopt-sh-client:
needs: wheel-build-cuopt-sh-client
secrets: inherit
permissions:
actions: read
contents: read
id-token: write
packages: read
pull-requests: read
uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@main
secrets:
CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN: ${{ secrets.CONDA_RAPIDSAI_WHEELS_NIGHTLY_TOKEN }}
RAPIDSAI_PYPI_TOKEN: ${{ secrets.RAPIDSAI_PYPI_TOKEN }}
with:
build_type: ${{ inputs.build_type || 'branch' }}
branch: ${{ inputs.branch }}
Expand All @@ -220,6 +318,9 @@ jobs:
- wheel-publish-cuopt-sh-client
- wheel-publish-libcuopt
if: inputs.trigger-tests
permissions:
actions: write
contents: read
runs-on: ubuntu-latest
# ref: https://docs.github.com/en/actions/reference/security/secure-use#use-an-intermediate-environment-variable
env:
Expand All @@ -235,7 +336,7 @@ jobs:
# to pull the actual cuOpt source code from
gh workflow run \
--repo NVIDIA/cuopt \
--ref "${{ github.ref }}" \
--ref "$GITHUB_REF" \
'test.yaml' \
-f branch="${INPUT_BRANCH}" \
-f build_type="${INPUT_BUILD_TYPE}" \
Expand All @@ -248,13 +349,16 @@ jobs:
- tests
- build-images
- docs-build
permissions:
contents: read
runs-on: linux-amd64-cpu4
container:
image: python:3.14-slim
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ inputs.sha }}
persist-credentials: false
- name: Install dependencies
run: apt-get update && apt-get install -y --no-install-recommends curl
- name: Send build summary
Expand All @@ -273,8 +377,14 @@ jobs:
- wheel-publish-cuopt
- wheel-publish-cuopt-server
- wheel-publish-cuopt-sh-client
permissions:
actions: read
contents: read
id-token: write
packages: read
pull-requests: read
uses: ./.github/workflows/build_test_publish_images.yaml
secrets: inherit
secrets: inherit # zizmor: ignore[secrets-inherit]
with:
branch: ${{ inputs.branch }}
sha: ${{ inputs.sha }}
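Review bot: The build jobs (`cpp-build`, `python-build`, the `wheel-build-*` jobs, `docs-build` and the job calling `build_test_publish_images.yaml`) still use `secrets: inherit`, now silenced with `# zizmor: ignore[secrets-inherit]`. Every `rapidsai/shared-workflows` callee is also still referenced at the mutable ref `@main` while being granted `id-token: write`. Whatever is on that branch at run time therefore receives an OIDC token and, in the inheriting jobs, every secret available to this workflow, which presumably includes the publish tokens this commit scopes explicitly for the upload and publish jobs. Either pass only the secrets each build workflow reads, as done for `wheels-publish.yaml`, or add a line above each suppression such as `# inherit required: <reason the callee needs all secrets>`. Pinning the callee as `conda-cpp-build.yaml@<commit-sha> # <branch-or-tag>` would match the treatment `actions/checkout` gets here; which secrets the shared build workflows consume is not visible on this page and needs confirming.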
27 changes: 18 additions & 9 deletions .github/workflows/build_images.yaml
Expand Up @@ -41,12 +41,13 @@ jobs:
runs-on: "linux-${{ matrix.ARCH }}-cpu4"
steps:
- name: Checkout code repo
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
ref: ${{ inputs.sha }}
persist-credentials: false
- name: Login to DockerHub
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ secrets.CUOPT_DOCKERHUB_USERNAME }}
password: ${{ secrets.CUOPT_DOCKERHUB_TOKEN }}
Expand All @@ -61,7 +62,7 @@ jobs:
git rev-parse HEAD > ./ci/docker/context/COMMIT_SHA
git log -n1 --pretty='%ct' > ./ci/docker/context/COMMIT_TIME
- name: Login to NGC
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: "nvcr.io"
username: "$oauthtoken"
Expand All @@ -71,17 +72,20 @@ jobs:
run: |
docker context create builders
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
with:
driver: docker
endpoint: ./ci/docker/context
- name: Trim CUDA and Python versions
id: trim
env:
CUDA_VER: ${{ inputs.CUDA_VER }}
PYTHON_VER: ${{ inputs.PYTHON_VER }}
run: |
echo "CUDA_SHORT=$(echo '${{ inputs.CUDA_VER }}' | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_OUTPUT
echo "PYTHON_SHORT=$(echo '${{ inputs.PYTHON_VER }}' | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_OUTPUT
echo "CUDA_SHORT=$(echo "$CUDA_VER" | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_OUTPUT
echo "PYTHON_SHORT=$(echo "$PYTHON_VER" | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_OUTPUT
- name: Build image and push to DockerHub and NGC
uses: docker/build-push-action@v6
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
with:
context: ./ci/docker/context
file: ./ci/docker/Dockerfile
Expand All @@ -99,6 +103,11 @@ jobs:
tags: nvidia/cuopt:${{ inputs.IMAGE_TAG_PREFIX }}-cuda${{ steps.trim.outputs.CUDA_SHORT }}-py${{ steps.trim.outputs.PYTHON_SHORT }}-${{ matrix.ARCH }}

- name: Push image to NGC
env:
IMAGE_TAG_PREFIX: ${{ inputs.IMAGE_TAG_PREFIX }}
ARCH: ${{ matrix.ARCH }}
CUDA_SHORT: ${{ steps.trim.outputs.CUDA_SHORT }}
PYTHON_SHORT: ${{ steps.trim.outputs.PYTHON_SHORT }}
run: |
docker tag nvidia/cuopt:${{ inputs.IMAGE_TAG_PREFIX }}-cuda${{ steps.trim.outputs.CUDA_SHORT }}-py${{ steps.trim.outputs.PYTHON_SHORT }}-${{ matrix.ARCH }} nvcr.io/nvstaging/nvaie/cuopt:${{ inputs.IMAGE_TAG_PREFIX }}-cuda${{ steps.trim.outputs.CUDA_SHORT }}-py${{ steps.trim.outputs.PYTHON_SHORT }}-${{ matrix.ARCH }}
docker push nvcr.io/nvstaging/nvaie/cuopt:${{ inputs.IMAGE_TAG_PREFIX }}-cuda${{ steps.trim.outputs.CUDA_SHORT }}-py${{ steps.trim.outputs.PYTHON_SHORT }}-${{ matrix.ARCH }}
docker tag "nvidia/cuopt:${IMAGE_TAG_PREFIX}-cuda${CUDA_SHORT}-py${PYTHON_SHORT}-${ARCH}" "nvcr.io/nvstaging/nvaie/cuopt:${IMAGE_TAG_PREFIX}-cuda${CUDA_SHORT}-py${PYTHON_SHORT}-${ARCH}"
docker push "nvcr.io/nvstaging/nvaie/cuopt:${IMAGE_TAG_PREFIX}-cuda${CUDA_SHORT}-py${PYTHON_SHORT}-${ARCH}"
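Review bot: In the `Trim CUDA and Python versions` step, `CUDA_VER` and `PYTHON_VER` are written to `$GITHUB_OUTPUT` without any format check. Moving them into `env:` stops shell injection, but `sed` passes a non-matching value through unchanged, so a value containing a newline could still define extra step outputs, and any unexpected characters end up in the image tag. A guard before the two `echo` lines would close that, e.g. `case "$CUDA_VER" in ''|*[!0-9.]*) echo "unexpected CUDA_VER" >&2; exit 1;; esac`, with the same for `PYTHON_VER`. The redirect target should also be quoted as `>> "$GITHUB_OUTPUT"`. Whether the caller already constrains these inputs is not visible in this section, since the job definition starts outside the hunk.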