Skip to content

Add zizmor security linter to pre-commit#7006

Merged
tkoyama010 merged 14 commits into
mainfrom
maint/zizmor
Jan 30, 2025
Merged

Add zizmor security linter to pre-commit#7006
tkoyama010 merged 14 commits into
mainfrom
maint/zizmor

Conversation

@tkoyama010

@tkoyama010 tkoyama010 commented Dec 19, 2024
edited
Loading

Copy link
Copy Markdown
Member

Overview

Recently, there was an attack on the Ultralytics package. For more information, please see Supply-chain attack analysis: Ultralytics. In this article, it is suggested that checking actions with zizmor. Let's consider using zizmor checks in pre-commit.

Details

  • None

@tkoyama010 tkoyama010 marked this pull request as draft December 19, 2024 17:51
@pyvista-bot pyvista-bot added maintenance Low-impact maintenance activity dependencies Pull requests that update a dependency file labels Dec 19, 2024
@codecov

codecov Bot commented Dec 19, 2024
edited
Loading

Copy link
Copy Markdown

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 94.77%. Comparing base (fbc9bdf) to head (8eb384c).
Report is 1 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #7006   +/-   ##
=======================================
  Coverage   94.77%   94.77%           
=======================================
  Files         145      145           
  Lines       29047    29047           
  Branches     3931     3931           
=======================================
  Hits        27529    27529           
  Misses        714      714           
  Partials      804      804

@pyvista-bot

pyvista-bot commented Dec 19, 2024
edited
Loading

Copy link
Copy Markdown
Contributor

🚀 Deployed on https://679b226185b6442cb00fdfdb--pyvista-dev.netlify.app

@pyvista-bot pyvista-bot temporarily deployed to pull request December 19, 2024 21:12 Inactive
This was referenced Dec 25, 2024
Merged
Merged
@tkoyama010 tkoyama010 marked this pull request as ready for review January 4, 2025 16:56
@pyvista-bot pyvista-bot temporarily deployed to pull request January 4, 2025 19:28 Inactive
@tkoyama010 tkoyama010 enabled auto-merge (squash) January 5, 2025 00:22
tkoyama010
tkoyama010 commented Jan 7, 2025
View reviewed changes
Comment thread .github/workflows/label.yml
name: "Pull Request Labeler"
on:
pull_request_target:
pull_request:

@tkoyama010 tkoyama010 Jan 7, 2025

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We will need to manually add labels to pull requests from external repositories. However, this should be acceptable for safety reasons.

@user27182 user27182 Jan 7, 2025

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How does this tool work for enforcing policies? E.g. does it error if there are critical flaws, and only warn if mid-risk flaws are found?

e.g. if this change is reverted, will pre-commit fail?

@tkoyama010 tkoyama010 Jan 8, 2025

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this change is reverted, the check will fail. Currently, errors occur at all stages of risk assessment. If needed, the configuration can be reviewed for potential adjustments.

@pyvista-bot pyvista-bot temporarily deployed to pull request January 7, 2025 17:16 Inactive
user27182
user27182 reviewed Jan 7, 2025
View reviewed changes

@user27182 user27182 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 for security, that ultralytics case sounds like a nightmare which we want to avoid.

Comment thread .pre-commit-config.yaml
Comment thread .github/workflows/label.yml
name: "Pull Request Labeler"
on:
pull_request_target:
pull_request:

@user27182 user27182 Jan 7, 2025

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How does this tool work for enforcing policies? E.g. does it error if there are critical flaws, and only warn if mid-risk flaws are found?

e.g. if this change is reverted, will pre-commit fail?

tkoyama010 and others added 2 commits January 9, 2025 07:28
@tkoyama010 @user27182
Update .pre-commit-config.yaml
a5f2d53 
Co-authored-by: user27182 <89109579+user27182@users.noreply.github.com>
@tkoyama010
Merge branch 'main' into maint/zizmor
784b2fe
user27182
user27182 previously approved these changes Jan 8, 2025
View reviewed changes
@user27182

user27182 commented Jan 8, 2025

Copy link
Copy Markdown
Contributor

I guess there are new errors after updating to v1.0.0 but in principal this LGTM otherwise

@pyvista-bot pyvista-bot temporarily deployed to pull request January 9, 2025 00:24 Inactive
banesullivan
banesullivan previously approved these changes Jan 9, 2025
View reviewed changes

@banesullivan banesullivan left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for adding zizmor!

@pyvista-bot pyvista-bot temporarily deployed to pull request January 9, 2025 05:25 Inactive
@pyvista-bot pyvista-bot temporarily deployed to pull request January 9, 2025 23:12 Inactive
@tkoyama010 tkoyama010 disabled auto-merge January 10, 2025 03:26
@pyvista-bot pyvista-bot temporarily deployed to pull request January 10, 2025 04:42 Inactive
@user27182

user27182 commented Jan 10, 2025

Copy link
Copy Markdown
Contributor

For the new cache-poisoning errors, I think ignoring the errors for any testing workflows is mostly ok. The main remediation seems to be to remove any caching from workflows that publish build artifacts, which I would think only applies to actions that check if startsWith(github.ref, 'refs/tags/v'). So maybe we just need to double check the caching logic to make sure that nothing is cached for releases, and ignore everything else.

user27182
user27182 reviewed Jan 16, 2025
View reviewed changes
Comment thread .pre-commit-config.yaml Outdated
@tkoyama010 @user27182
Apply suggestions from code review
d13c98e 
Co-authored-by: user27182 <89109579+user27182@users.noreply.github.com>
@tkoyama010 tkoyama010 dismissed stale reviews from banesullivan and user27182 via d13c98e January 30, 2025 03:53
@tkoyama010 tkoyama010 enabled auto-merge (squash) January 30, 2025 03:56
@tkoyama010 tkoyama010 merged commit f1eaf17 into main Jan 30, 2025
@tkoyama010 tkoyama010 deleted the maint/zizmor branch January 30, 2025 06:52
@pyvista-bot pyvista-bot temporarily deployed to pull request January 30, 2025 06:57 Inactive
@user27182 user27182 mentioned this pull request Feb 8, 2025
Merged
@banesullivan banesullivan mentioned this pull request Apr 17, 2025
Merged
6 tasks
@user27182 user27182 mentioned this pull request Jun 19, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@banesullivan banesullivan banesullivan approved these changes

@user27182 user27182 user27182 approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file maintenance Low-impact maintenance activity

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tkoyama010 @pyvista-bot @user27182 @banesullivan