Skip to content

Harden GitHub Actions workflow #1122

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Harden GitHub Actions workflow #1122

wants to merge 9 commits into from
+27 −6

Conversation

seifertm
Copy link
Contributor

This PR introduces zizmor for linting GitHub Actions Workflows and addresses all of its findings.

Zizmor is used both as a pre-commit hook and a separate job in the pipeline. This is due to the fact that some analyses require a GitHub token, which not all developers may have readily available.

@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@codecov-commenter
Copy link

codecov-commenter commented May 15, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 89.40%. Comparing base (6c9914b) to head (3ad8609).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #1122   +/-   ##
=======================================
  Coverage   89.40%   89.40%           
=======================================
  Files           2        2           
  Lines         434      434           
  Branches       51       51           
=======================================
  Hits          388      388           
  Misses         31       31           
  Partials       15       15

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

webknjaz
webknjaz reviewed May 15, 2025
View reviewed changes
@seifertm seifertm force-pushed the harden-gh-actions-workflow branch from 2615ff6 to 60cd123 Compare May 16, 2025 04:49
@seifertm seifertm mentioned this pull request May 16, 2025
Closed
webknjaz
webknjaz reviewed May 27, 2025
View reviewed changes
@seifertm seifertm force-pushed the harden-gh-actions-workflow branch from 5cc6d17 to 60cd123 Compare June 20, 2025 07:35
@webknjaz
Copy link
Member

@seifertm looks like you marked my suggested change as resolved by mistake.

@seifertm
Copy link
Contributor Author

@seifertm looks like you marked my suggested change as resolved by mistake.

Indeed, thank you! I corrected that.

seifertm and others added 9 commits June 24, 2025 06:19
@seifertm
ci: Pin third-party actions to a commit hash.
9d5c5b8 
This detects changed action code for the same tag.
@seifertm
ci: Avoid persisting credentials in the checkout action.
6791c49 
see https://docs.zizmor.sh/audits/#artipacked
@seifertm
ci: Narrow permissions of Github Actions.
81a5273 
see https://docs.zizmor.sh/audits/#excessive-permissions
@seifertm
ci: Silence zizmore warning about not using trusted publishing.
4af8586 
This is already tracked in pytest-dev#700
@seifertm
ci: Avoid template expression in Bash script for assembling release n…
7583d22 
…otes.
@seifertm
build: Add zizmor to the pre-commit hooks.
6adaba4
@seifertm
ci: Add linting job with GitHub Actions with zizmor.
c60f3c7
@seifertm @webknjaz
ci: Update zizmor workflow.
d6e646d 
Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) <wk.cvs.github@sydorenko.org.ua>
@seifertm
ci: Remove obsolete password from PyPI upload.
3ad8609
@seifertm seifertm force-pushed the harden-gh-actions-workflow branch from b240714 to 3ad8609 Compare June 24, 2025 04:19
@seifertm seifertm marked this pull request as ready for review June 24, 2025 04:23
@seifertm seifertm requested review from asvetlov and Tinche as code owners June 24, 2025 04:23
webknjaz
webknjaz reviewed Jun 24, 2025
View reviewed changes
.github/workflows/main.yml
Comment on lines +205 to 208
uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 # zizmor: ignore[use-trusted-publishing] # see #700
with:
attestations: true
packages-dir: dist
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume that the ignore was related to password that's no longer there? Also, all these inputs match defaults.

Suggested change
uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 # zizmor: ignore[use-trusted-publishing] # see #700
with:
attestations: true
packages-dir: dist
uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@webknjaz webknjaz webknjaz left review comments

@asvetlov asvetlov Awaiting requested review from asvetlov asvetlov is a code owner

@Tinche Tinche Awaiting requested review from Tinche Tinche is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@seifertm @codecov-commenter @webknjaz