Automate GitHub workflow security audits with zizmor#2975
Automate GitHub workflow security audits with zizmor#2975namurphy merged 41 commits intoPlasmaPy:mainfrom
zizmor#2975Conversation
github-actions
bot
added
CI
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #2975 +/- ##
==========================================
+ Coverage 94.61% 95.40% +0.78%
==========================================
Files 107 107
Lines 9664 9664
Branches 1464 1464
==========================================
+ Hits 9144 9220 +76
+ Misses 327 257 -70
+ Partials 193 187 -6 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
github-actions
bot
added
testing
GitHub Actions
|
Following a helpful suggestion by our neighbors at SunPy in sunpy/sunpy#8134, I'm leaning towards putting this as a standalone Nox session that can be put into our CI workflow. |
github-actions
bot
added
python
… pre-commit-zizmor
github-actions
bot
added
the
maintenance
namurphy
changed the title
zizmor as a pre-commit hook to perform GitHub workflow security auditszizmor during continuous integration tests
namurphy
changed the title
zizmor during continuous integration testszizmor
.github/workflows/changelog.yml
Outdated
| needs: add-no-changelog-label | ||
| steps: | ||
| - uses: scientific-python/action-towncrier-changelog@v1 | ||
| - uses: scientific-python/action-towncrier-changelog@v1 # zizmor: ignore[unpinned-uses] |
There was a problem hiding this comment.
The unpinned-uses rule checks that actions used via uses are pinned to a specific commit rather than the version. We can ignore this check for actions that come from trusted publishers.
|
|
||
| - name: Generate token | ||
| uses: tibdex/github-app-token@v2 | ||
| uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 |
There was a problem hiding this comment.
It seems reasonable to pin actions by the commit hash (for extra security) if they are released by individuals or small organizations.
| uv_output: str | bool = session.run(*uv_lock_upgrade, silent=running_on_ci) | ||
| uv_output: str | bool = session.run( | ||
| *uv_lock_upgrade, | ||
| *session.posargs, |
There was a problem hiding this comment.
[unrelated change] Including *session.posargs here makes it so that we can pass flags to uv when running the Nox session (i.e., nox -s requirements -- -v).
|
@rocco8773 — would you have a chance to review this in the next few days? With the changes merged and conflicts resolved from #2959, I don't think there should be anything controversion in this PR. Kind thanks! |
rocco8773
left a comment
rocco8773
left a comment
There was a problem hiding this comment.
Things looks good to me.
The only thing I go umm about is the use of # zimor: ignore[artipacked]. I'm not concerned about it being used, but more concerned a contributor might not know it exists and when to use it. I can just see myself updating a workflow in the future that causes a zizmor check to fail and I just forget that this inline comment exists.
I do not think adding a note about this to the documentation would help. The only thing I can think of doing is having a PR comment be made when zizmor check fails.
I do not think this needs to be resolved in the PR, but it is something to consider for a follow up PR.
That's an important point. ✅ It wouldn't be hard to have the Nox session for zizmor print out a troubleshooting message. 🤔
If I don't fix this now, I probably won't remember to later... 😅
Thanks for the helpful review! |
For trusted publishers.
github-actions
bot
added
the
run comprehensive tests
2 participants
zizmoris a static analysis tool to find common security issues in typical GitHub workflows. This PR:zizmorzizmor(like changingpull_request_target→pull_request, settingpersist-credentials: false, and setting strict default permissions).github/zizmor.ymlto ignorezizmorwarnings and errors that are more difficult to fix.The changes here are probably going to result in a bunch of conflicts in #2959, but it makes sense to merge this first.
Many thanks to the pyOpenSci community for helping me learn about
zizmorin the first place!Note
Several
zizmorchecks require a GitHub token, so running thezizmorNox session locally will skip certain checks.