From 2faa7b4e8f50540439c5cc0f794583c8e57a1e98 Mon Sep 17 00:00:00 2001 From: pdmurray Date: Mon, 18 May 2026 10:05:59 -0700 Subject: [PATCH 1/8] Fix security-related issues in github actions flagged by zizmor Signed-off-by: pdmurray --- .github/dependabot.yml | 2 + .github/workflows/build_wheels.yml | 91 ++++++++++++++++++----------- .github/workflows/coverage.yml | 10 ++-- .github/workflows/docs.yml | 10 +++- .github/workflows/lint_and_docs.yml | 10 +++- .github/workflows/news-check.yml | 5 +- .github/workflows/sanity-check.yml | 7 ++- zizmor.yml | 6 ++ 8 files changed, 95 insertions(+), 46 deletions(-) create mode 100644 zizmor.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 12301490..5e4251f2 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,3 +4,5 @@ updates: directory: "/" schedule: interval: "daily" + cooldown: + default-days: 7 diff --git a/.github/workflows/build_wheels.yml b/.github/workflows/build_wheels.yml index 8d7dc757..4499be71 100644 --- a/.github/workflows/build_wheels.yml +++ b/.github/workflows/build_wheels.yml @@ -1,5 +1,7 @@ name: Wheels +permissions: {} + on: push: pull_request: @@ -19,12 +21,14 @@ jobs: name: Build source distribution runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Build sdist run: pipx run build --sdist - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: sdist path: dist/*.tar.gz 
@@ -59,19 +63,19 @@ jobs:
 - name: Disable ptrace security restrictions
 run: |
 echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope
- - uses: actions/download-artifact@v8
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 name: sdist
 - name: Extract sdist
 run: |
 tar zxvf *.tar.gz --strip-components=1
 - name: Build wheels
- uses: pypa/cibuildwheel@v3.4.1
+ uses: pypa/cibuildwheel@8d2b08b68458a16aeb24b64e68a09ab1c8e82084 # v3.4.1
 env:
 CIBW_BUILD: "cp3{9..14}{t,}-${{ matrix.wheel_type }}"
 CIBW_ARCHS_LINUX: auto
 CIBW_ENABLE: cpython-prerelease cpython-freethreading
- - uses: actions/upload-artifact@v7
+ - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
 with:
 name: ${{ matrix.wheel_type }}-wheels
 path: ./wheelhouse/*.whl
@@ -84,13 +88,15 @@ jobs:
 matrix:
 python_version: ["2.7", "3.7"]
 steps:
- - uses: actions/checkout@v6
- - uses: actions/download-artifact@v8
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 name: "manylinux_x86_64-wheels"
 path: dist
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: '>=3.13'
 - name: Set up dependencies
@@ -124,17 +130,20 @@ jobs:
 matrix:
 python_version: ["3.13"]
 steps:
- - uses: actions/checkout@v6
- - uses: actions/download-artifact@v8
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 name: "manylinux_x86_64-wheels"
 path: dist
 - name: Install uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
 with:
 version: latest
 python-version: ${{ matrix.python_version }}
 activate-environment: true
+ enable-cache: false
 - name: Set up dependencies
 run: |
 sudo apt-get update
@@ -159,12 +168,14 @@ jobs:
 matrix:
 python_version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.13t", "3.14", "3.14t"]
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "${{matrix.python_version}}-dev"
- - uses: actions/download-artifact@v8
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 name: "manylinux_x86_64-wheels"
 path: dist
@@ -194,12 +205,14 @@ jobs:
 matrix:
 python_version: ["3.9", "3.13", "3.14"]
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "${{matrix.python_version}}-dev"
- - uses: actions/download-artifact@v8
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 name: "manylinux_aarch64-wheels"
 path: dist
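Review bot: `version: latest` on the setup-uv step (a context line in the @@ -124 hunk) fetches whichever uv release is current at run time, so the new SHA pin on `astral-sh/setup-uv` covers the action but not the tool it installs. Pinning the uv release as well would complete the supply-chain pin and make the verification job reproducible: `version: "<uv-release-in-use>"` (placeholder; substitute the release the job runs today). The added `enable-cache: false` is consistent with that goal for a test-only job.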
@@ -232,12 +245,14 @@ jobs:
 matrix:
 python_version: ["3.13", "3.14"]
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "${{matrix.python_version}}-dev"
- - uses: actions/download-artifact@v8
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 name: "manylinux_x86_64-wheels"
 path: dist
@@ -274,15 +289,17 @@ jobs:
 fail-fast: false
 container:
- image: alpine
+ image: alpine@4d889c14e7d5
 options: --cap-add=SYS_PTRACE
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up dependencies
 run: |
 apk add --update alpine-sdk bash alpine-sdk python3 python3-dev gdb musl-dbg python3-dbg
- - uses: actions/download-artifact@v8
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 name: "musllinux_x86_64-wheels"
 path: dist
@@ -304,11 +321,13 @@ jobs:
 fail-fast: false
 container:
- image: fedora
+ image: fedora@f717d3f59ea0
 options: --cap-add=SYS_PTRACE
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up dependencies
 run: |
 dnf install -y \
@@ -319,7 +338,7 @@ jobs:
 python3-devel
 dnf debuginfo-install -y \
 python3
- - uses: actions/download-artifact@v8
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 name: "manylinux_x86_64-wheels"
 path: dist
@@ -340,10 +359,12 @@ jobs:
 fail-fast: false
 container:
- image: archlinux
+ image: archlinux@32c78c548c1a
 options: --cap-add=SYS_PTRACE --security-opt seccomp=unconfined
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up dependencies
 run: |
 pacman -Syu --noconfirm \
@@ -356,7 +377,7 @@ jobs:
 python-wheel \
 elfutils \
 debuginfod
- - uses: actions/download-artifact@v8
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 name: "manylinux_x86_64-wheels"
 path: dist
@@ -379,11 +400,13 @@ jobs:
 fail-fast: false
 container:
- image: debian
+ image: debian@de6a8f94c0e8
 options: --cap-add=SYS_PTRACE
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up dependencies
 run: |
 apt-get update
@@ -394,7 +417,7 @@ jobs:
 python3-pip \
 python3-venv \
 python3-dbg
- - uses: actions/download-artifact@v8
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 name: "manylinux_x86_64-wheels"
 path: dist
@@ -416,7 +439,7 @@ jobs:
 permissions:
 id-token: write # Required to retrieve a Trusted Publishing token
 steps:
- - uses: actions/download-artifact@v8
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
 with:
 # with no name set, it downloads all of the artifacts
 path: dist
@@ -425,6 +448,6 @@ jobs:
 mv dist/*-wheels/*.whl dist/
 rmdir dist/{sdist,*-wheels}
 ls -R dist
- - uses: pypa/gh-action-pypi-publish@release/v1
+ - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
 with:
 skip_existing: true
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 91edb19a..b253aaf3 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
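Review bot: The annotation on the newly pinned `pypa/gh-action-pypi-publish` SHA in the @@ -425 hunk names a moving branch, `# release/v1`, rather than the release tag that commit corresponds to, and the same applies to the `# master` annotations on `tim-actions/get-pr-commits` and `tim-actions/dco` in sanity-check.yml. Dependabot reads that trailing comment to decide which version a SHA pin stands for, so a branch name may leave it unable to propose a coherent update for these lines (worth confirming with one Dependabot run rather than assuming). Suggest `uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.<tag-for-this-sha>` with the release tag that resolves to the pinned commit.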
@@ -27,9 +27,11 @@ jobs:
 strategy:
 fail-fast: false
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.10"
 - name: Set up dependencies
@@ -67,13 +69,13 @@ jobs:
 lcov --capture --directory build --output-file cppcoverage.lcov
 lcov --extract cppcoverage.lcov '*/src/pystack/_pystack/*' --output-file cppcoverage.lcov
 - name: Upload Python report to Codecov
- uses: codecov/codecov-action@v6
+ uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: pycoverage.lcov
 flags: python
 - name: Upload C++ report to Codecov
- uses: codecov/codecov-action@v6
+ uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: cppcoverage.lcov
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 9e86acec..f89a480b 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,5 +1,7 @@
 name: Publish docs
+permissions: {}
+
 on:
 push:
 branches:
@@ -13,9 +15,11 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.10"
 - name: Set up dependencies
@@ -32,7 +36,7 @@ jobs:
 run: |
 make docs
 - name: Publish docs to GitHub Pages
- uses: JamesIves/github-pages-deploy-action@v4
+ uses: JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f # v4
 with:
 folder: docs/_build/html
 single-commit: true
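Review bot: Both codecov steps in the @@ -67 hunk still pass the secret as `with: token: ${{ secrets.CODECOV_TOKEN }}`, which is exactly what zizmor's `secrets-outside-env` audit flags, and the series then suppresses the finding in zizmor.yml rather than resolving it. codecov-action documents reading the token from the `CODECOV_TOKEN` environment variable (to my recollection since v4), so the finding can be cleared by dropping the `token:` line in each step and adding `env:` / `CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}` to the step, after which the two line-keyed ignore entries become unnecessary. The same two lines are re-pinned in PATCH 6/8 (coverage.yml @@ -69), so whichever commit lands last should carry the change.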
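Review bot: With `persist-credentials: false` now set on the checkout in the @@ -13 hunk, the `JamesIves/github-pages-deploy-action` push in the @@ -32 hunk can no longer rely on credentials persisted in `.git/config`. It should still work because that action has its own `token` input defaulting to the workflow token, which the job's `contents: write` grant covers, but that is inferred from the action's documentation rather than visible here. Worth verifying with one run on the docs branch; if the push fails, passing `token: ${{ github.token }}` explicitly under `with:` is the fix.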
diff --git a/.github/workflows/lint_and_docs.yml b/.github/workflows/lint_and_docs.yml
index 483fc028..bd9d4e24 100644
--- a/.github/workflows/lint_and_docs.yml
+++ b/.github/workflows/lint_and_docs.yml
@@ -1,13 +1,17 @@
 name: Lint and docs
+permissions: {}
+
 on: [push, pull_request]
 jobs:
 lint_and_docs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - uses: actions/setup-python@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: "3.10"
 - name: Set up dependencies
@@ -24,6 +28,8 @@ jobs:
 run: |
 make lint PYTHON=python3
 python3 -m pre_commit run --all-files --hook-stage pre-push
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
 - name: Build docs
 run: |
 towncrier build --version 99.99 --name pystack --keep
diff --git a/.github/workflows/news-check.yml b/.github/workflows/news-check.yml
index 804f8858..9df1a379 100644
--- a/.github/workflows/news-check.yml
+++ b/.github/workflows/news-check.yml
@@ -1,4 +1,7 @@
 name: News entry check
+
+permissions: {}
+
 on:
 pull_request:
 paths:
@@ -16,7 +19,7 @@ jobs:
 name: Check for news entry
 steps:
 - name: "Check for news entry"
- uses: brettcannon/check-for-changed-files@v1
+ uses: brettcannon/check-for-changed-files@871d7b8b5917a4f6f06662e2262e8ffc51dff6d1 # v1
 with:
 file-pattern: |
 news/*.rst
diff --git a/.github/workflows/sanity-check.yml b/.github/workflows/sanity-check.yml
index c8cc276c..31965c6c 100644
--- a/.github/workflows/sanity-check.yml
+++ b/.github/workflows/sanity-check.yml
@@ -1,4 +1,7 @@
 name: Sanity check
+
+permissions: {}
+
 on:
 pull_request:
 types:
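Review bot: The new `zizmorcore/zizmor-action` step in the @@ -24 hunk runs inside a job that declares no `permissions:` block (the `lint_and_docs:` header in the @@ -1 hunk goes straight from `runs-on` to `steps`), under the new workflow-level `permissions: {}`, so the GITHUB_TOKEN it receives carries no scopes. If the action's default is to upload its SARIF results to code scanning, as I believe it is, that upload needs `security-events: write` and will fail or be skipped; the first CI run of this branch will show which. Either add `permissions:` / `contents: read` / `security-events: write` on the `lint_and_docs` job, or configure the action to annotate only and not upload.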
@@ -15,10 +18,10 @@ jobs: steps: - name: Get PR Commits id: "get-pr-commits" - uses: tim-actions/get-pr-commits@master + uses: tim-actions/get-pr-commits@198af03565609bb4ed924d1260247b4881f09e7d # master with: token: ${{ secrets.GITHUB_TOKEN }} - name: DCO Check - uses: tim-actions/dco@master + uses: tim-actions/dco@f2279e6e62d5a7d9115b0cb8e837b777b1b02e21 # master with: commits: ${{ steps.get-pr-commits.outputs.commits }} diff --git a/zizmor.yml b/zizmor.yml new file mode 100644 index 00000000..d2e587c1 --- /dev/null +++ b/zizmor.yml @@ -0,0 +1,6 @@ +rules: + secrets-outside-env: + ignore: + # Only exposes the codecov token; low risk + - coverage.yml:74 + - coverage.yml:80 From b31d1bc7a57c66ce91c7aa2e8ad0cceb74abd2c7 Mon Sep 17 00:00:00 2001 From: pdmurray Date: Mon, 18 May 2026 22:58:32 -0700 Subject: [PATCH 2/8] Fix the container tags Signed-off-by: pdmurray --- .github/workflows/build_wheels.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build_wheels.yml b/.github/workflows/build_wheels.yml index 4499be71..e989faf2 100644 --- a/.github/workflows/build_wheels.yml +++ b/.github/workflows/build_wheels.yml @@ -289,7 +289,7 @@ jobs: fail-fast: false container: - image: alpine@4d889c14e7d5 + image: alpine:3.22.4 options: --cap-add=SYS_PTRACE steps: @@ -321,7 +321,7 @@ jobs: fail-fast: false container: - image: fedora@f717d3f59ea0 + image: fedora:45 options: --cap-add=SYS_PTRACE steps: @@ -359,7 +359,7 @@ jobs: fail-fast: false container: - image: archlinux@32c78c548c1a + image: archlinux:base-devel-20260517.0.530531 options: --cap-add=SYS_PTRACE --security-opt seccomp=unconfined steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 @@ -400,7 +400,7 @@ jobs: fail-fast: false container: - image: debian@de6a8f94c0e8 + image: debian:stable options: --cap-add=SYS_PTRACE steps: From f73adac8d5efa85e8866c5324573bc2554e77e52 Mon Sep 17 00:00:00 2001 
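Review bot: `tim-actions/get-pr-commits` is handed `token: ${{ secrets.GITHUB_TOKEN }}` while the workflow now opens with `permissions: {}` (the @@ -1 hunk on the previous line), so unless the job-level `permissions:` block — in the lines between the two hunks, outside this view — grants `pull-requests: read`, the token given to this third-party action has no scopes. On a public repository the PR-commit listing may still succeed without scopes, but that is inferred rather than visible; one run against a PR will confirm it. If it fails, `pull-requests: read` on the job is the minimal grant, and the same check applies to the `tim-actions/dco` step that consumes its output.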
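Review bot: The new zizmor.yml keys its `secrets-outside-env` ignores by line number (`coverage.yml:74`, `coverage.yml:80`), so any edit above those lines in coverage.yml silently moves the findings out from under the ignore and either resurfaces the audit or suppresses an unrelated line. The rationale comment is good practice; if the token cannot be moved to `env:`, extend it so the brittleness is on record, e.g. `# Only exposes the codecov token; low risk. Line-keyed: re-verify after editing coverage.yml`. zizmor also accepts a bare filename entry, I believe, which is less brittle but suppresses the audit for the whole file — a trade-off worth stating in the comment if chosen.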
From: pdmurray Date: Mon, 18 May 2026 23:01:52 -0700 Subject: [PATCH 3/8] Add a dependabot config for docker Signed-off-by: pdmurray --- .github/dependabot.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 5e4251f2..9830d5dc 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,3 +6,10 @@ updates: interval: "daily" cooldown: default-days: 7 + + - package-ecosystem: "docker" + directory: "/" + schedule: + interval: "daily" + cooldown: + default-days: 7 From 64644820a5282e480b662a797c738f1031d835e3 Mon Sep 17 00:00:00 2001 From: pdmurray Date: Tue, 19 May 2026 08:48:02 -0700 Subject: [PATCH 4/8] Add LABEL to dockerfile to provide image metadata for downstream Signed-off-by: pdmurray --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index aa7a050f..646440ab 100644 --- a/Dockerfile +++ b/Dockerfile @@ -37,6 +37,7 @@ RUN apt-get update \ # Stage 2: Final stage FROM ubuntu:22.04 ARG DEBIAN_FRONTEND=noninteractive +LABEL org.opencontainers.image.source="https://github.com/bloomberg/pystack" # Install runtime dependencies RUN apt-get update \ From d2f0d5353ab97955bef9139ec9daab0890b9df85 Mon Sep 17 00:00:00 2001 From: pdmurray Date: Tue, 19 May 2026 11:04:43 -0700 Subject: [PATCH 5/8] Codecov updated v6 label... Signed-off-by: pdmurray --- .github/workflows/coverage.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index b253aaf3..4b6e3e54 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml 
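Review bot: The new `docker` ecosystem entry with `directory: "/"` points Dependabot at the repository's Dockerfile, but the wheel-verification jobs take their distro images from `container.image` in `.github/workflows/build_wheels.yml`, and whether Dependabot's docker updater scans workflow container images at all is something to confirm rather than assume. If those images are meant to be kept current by Dependabot, a second `directory:` entry for the workflows directory (`"/.github/workflows"`, if the updater supports it) or a comment in this file recording that the workflow images are intentionally unmanaged would make the intent explicit.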
@@ -69,13 +69,13 @@ jobs: lcov --capture --directory build --output-file cppcoverage.lcov lcov --extract cppcoverage.lcov '*/src/pystack/_pystack/*' --output-file cppcoverage.lcov - name: Upload Python report to Codecov - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6 + uses: codecov/codecov-action with: token: ${{ secrets.CODECOV_TOKEN }} files: pycoverage.lcov flags: python - name: Upload C++ report to Codecov - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6 + uses: codecov/codecov-action with: token: ${{ secrets.CODECOV_TOKEN }} files: cppcoverage.lcov From 4e5a6618c0927555875acc2332b65562ab344854 Mon Sep 17 00:00:00 2001 From: pdmurray Date: Tue, 19 May 2026 11:07:22 -0700 Subject: [PATCH 6/8] Ack, need to pin codecov action Signed-off-by: pdmurray --- .github/workflows/coverage.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 4b6e3e54..dbc386c3 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -69,13 +69,13 @@ jobs: lcov --capture --directory build --output-file cppcoverage.lcov lcov --extract cppcoverage.lcov '*/src/pystack/_pystack/*' --output-file cppcoverage.lcov - name: Upload Python report to Codecov - uses: codecov/codecov-action + uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6 with: token: ${{ secrets.CODECOV_TOKEN }} files: pycoverage.lcov flags: python - name: Upload C++ report to Codecov - uses: codecov/codecov-action + uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6 with: token: ${{ secrets.CODECOV_TOKEN }} files: cppcoverage.lcov From d4a010bec4688bb23fd412c7e35ff38b9dedf3e5 Mon Sep 17 00:00:00 2001 From: pdmurray Date: Tue, 19 May 2026 11:17:15 -0700 Subject: [PATCH 7/8] Unpin the container images used for wheel builds 
Signed-off-by: pdmurray --- .github/workflows/build_wheels.yml | 8 ++++---- zizmor.yml | 5 +++++ 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build_wheels.yml b/.github/workflows/build_wheels.yml index e989faf2..22baf90b 100644 --- a/.github/workflows/build_wheels.yml +++ b/.github/workflows/build_wheels.yml @@ -289,7 +289,7 @@ jobs: fail-fast: false container: - image: alpine:3.22.4 + image: alpine options: --cap-add=SYS_PTRACE steps: @@ -321,7 +321,7 @@ jobs: fail-fast: false container: - image: fedora:45 + image: fedora options: --cap-add=SYS_PTRACE steps: @@ -359,7 +359,7 @@ jobs: fail-fast: false container: - image: archlinux:base-devel-20260517.0.530531 + image: archlinux options: --cap-add=SYS_PTRACE --security-opt seccomp=unconfined steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 @@ -400,7 +400,7 @@ jobs: fail-fast: false container: - image: debian:stable + image: debian options: --cap-add=SYS_PTRACE steps: diff --git a/zizmor.yml b/zizmor.yml index d2e587c1..62b1813e 100644 --- a/zizmor.yml +++ b/zizmor.yml @@ -4,3 +4,8 @@ rules: # Only exposes the codecov token; low risk - coverage.yml:74 - coverage.yml:80 + unpinned-images: + - build_wheels.yml:292 + - build_wheels.yml:324 + - build_wheels.yml:362 + - build_wheels.yml:403 From cd6024badcf84e40a86af98e6880d839d69fb830 Mon Sep 17 00:00:00 2001 From: pdmurray Date: Tue, 19 May 2026 12:17:21 -0700 Subject: [PATCH 8/8] Add signoff... Signed-off-by: pdmurray --- zizmor.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/zizmor.yml b/zizmor.yml index 62b1813e..76edd4ad 100644 --- a/zizmor.yml +++ b/zizmor.yml @@ -5,6 +5,7 @@ rules: - coverage.yml:74 - coverage.yml:80 unpinned-images: + ignore: - build_wheels.yml:292 - build_wheels.yml:324 - build_wheels.yml:362
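Review bot: Reverting the tag to bare `alpine` in this hunk (and to `fedora`, `archlinux` and `debian` in the three hunks that follow) makes each wheel-verification job pull `:latest`, so the toolchain and Python in those containers change silently whenever upstream rebuilds the image and a failing run cannot be reproduced later from the workflow alone. The series gives no reason for dropping the tags PATCH 2/8 introduced; if the intent is to track the distros' current releases without Dependabot churn, a major-version tag on the model of the `debian:stable` tag from PATCH 2/8 keeps a stable baseline while still moving with upstream. If `:latest` really is wanted, say so in the commit message so the next reader does not re-pin them.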
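Review bot: The new `unpinned-images` block in zizmor.yml has no rationale comment, unlike the `secrets-outside-env` block directly above it, and its entries are keyed by the same drift-prone line numbers (`build_wheels.yml:292` and the three following). Suggest a comment on the model of the existing one so the suppression is auditable, e.g. `# Test-only wheel-verification containers; tracking the latest distro images is intentional` — if that is in fact the reason, which the commit message does not state.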
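Review bot: The subject `Add signoff...` on PATCH 8/8 does not describe this change, which inserts the `ignore:` key that PATCH 7/8 omitted from the `unpinned-images` rule; anyone bisecting zizmor config behaviour will not find it by its title. Squashing it into PATCH 7/8, or retitling it to something like `Fix unpinned-images ignore block in zizmor.yml`, would keep the history honest. The indentation of the inserted `ignore:` relative to the existing `- build_wheels.yml:…` entries is not recoverable from this rendering, so confirm zizmor parses the result as an `ignore` list under `unpinned-images`.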