Improve security of our GitHub Actions #18413

sobolevn · 2025-01-02T22:04:02Z

Recently CPython introduced this new tool: https://github.com/python/cpython/blob/8eebe4e6d02bb4ad3f1ca6c52624186903dce893/.pre-commit-config.yaml#L64-L67

Which finds different security related problems with GitHub Actions.

I added this tool to our .pre-commit-config.yaml and followed all its recommendations.

Changes:

I added persist-credentials: false to all checkout actions, see # Whether to configure the token or SSH key with the local git config in https://github.com/actions/checkout
I moved all permissions from workflow level to job level
I changed .github/workflows/mypy_primer_comment.yml to be a reusable workflow, see https://woodruffw.github.io/zizmor/audits/#dangerous-triggers

sobolevn · 2025-01-02T22:08:57Z

CC @hugovk

.github/workflows/sync_typeshed.yml

AlexWaygood

Nice, this overall looks great! I'm not familiar with the workflow_call/workflow_run distinction, though, so I haven't looked closely at that. (It looks reasonable, though.)

Another change you might want to make is to list shellcheck as an additional_dependency of actionlint -- I made this change to Ruff's pre-commit config: https://github.com/astral-sh/ruff/blob/0837cdd9314cb9ee1df087142af975d492e3e7ba/.pre-commit-config.yaml#L103-L121. actionlint's shellcheck integration is very useful (it grabs the shell-script strings in GitHub Actions run: steps and passes them to shellcheck), but it's not enabled by default when actionlint is run as part of pre-commit, as actionlint's shellcheck integration only works if shellcheck is already installed.

.github/workflows/build_wheels.yml

.github/workflows/mypy_primer.yml

.github/workflows/sync_typeshed.yml

.github/workflows/docs.yml

.github/workflows/mypy_primer_comment.yml

.github/workflows/sync_typeshed.yml

.github/workflows/reusable_mypy_primer_comment.yml

.github/workflows/build_wheels.yml

github-actions · 2025-01-08T09:58:00Z

According to mypy_primer, this change doesn't affect type check results on a corpus of open source code. ✅

sobolevn · 2025-01-12T09:52:36Z

Going to do the last ping for reviews :)
Planning to merge this in a couple of days.

AlexWaygood

LGTM

Improve security of our GitHub Actions

81e188c

sobolevn requested review from JelleZijlstra and hauntsaninja January 2, 2025 22:04

sobolevn added 2 commits January 3, 2025 01:07

Improve security of our GitHub Actions

234cd37

Fix CI

ef0d211

sobolevn added 5 commits January 3, 2025 01:15

Fix CI

2b5f024

Fix CI

0d59344

Fix CI

a809119

Fix CI

e9ead65

Fix CI

46d0544

A5rocks suggested changes Jan 3, 2025

View reviewed changes

.github/workflows/sync_typeshed.yml Outdated Show resolved Hide resolved

Fix CI

2234fd7

sobolevn requested a review from AlexWaygood January 3, 2025 08:36

This comment has been minimized.

Sign in to view

AlexWaygood reviewed Jan 3, 2025

View reviewed changes

.github/workflows/build_wheels.yml Show resolved Hide resolved

.github/workflows/mypy_primer.yml Outdated Show resolved Hide resolved

.github/workflows/sync_typeshed.yml Outdated Show resolved Hide resolved

sobolevn added 2 commits January 3, 2025 15:02

Address review

695743d

Fix CI

985513f

cdce8p reviewed Jan 3, 2025

View reviewed changes

.github/workflows/docs.yml Show resolved Hide resolved

This comment has been minimized.

Sign in to view

webknjaz reviewed Jan 3, 2025

View reviewed changes

.github/workflows/mypy_primer_comment.yml Show resolved Hide resolved

webknjaz reviewed Jan 3, 2025

View reviewed changes

.github/workflows/mypy_primer_comment.yml Show resolved Hide resolved

webknjaz reviewed Jan 3, 2025

View reviewed changes

.github/workflows/sync_typeshed.yml Show resolved Hide resolved

sobolevn added 2 commits January 3, 2025 19:50

Address review

04dde47

More pre-commit checks based on jsonschema

45cdb40

This comment has been minimized.

Sign in to view

cdce8p reviewed Jan 4, 2025

View reviewed changes

.github/workflows/reusable_mypy_primer_comment.yml Outdated Show resolved Hide resolved

sobolevn mentioned this pull request Jan 4, 2025

Add zizmor #18414

Closed

Revert mypy_primer_comment.yml changes

cfad948

cdce8p reviewed Jan 8, 2025

View reviewed changes

.github/workflows/build_wheels.yml Outdated Show resolved Hide resolved

Adress review

d44ea68

This comment has been minimized.

Sign in to view

Fix CI

1e9e509

AlexWaygood approved these changes Jan 13, 2025

View reviewed changes

sobolevn merged commit a6c1184 into master Jan 14, 2025
18 checks passed

sobolevn deleted the add-zizmor branch January 14, 2025 12:21

Uh oh!

Improve security of our GitHub Actions #18413

Improve security of our GitHub Actions #18413

Uh oh!

Conversation

sobolevn commented Jan 2, 2025

Uh oh!

sobolevn commented Jan 2, 2025

Uh oh!

Uh oh!

This comment has been minimized.

This comment has been minimized.

AlexWaygood left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

This comment has been minimized.

This comment has been minimized.

Uh oh!

Uh oh!

Uh oh!

This comment has been minimized.

This comment has been minimized.

Uh oh!

Uh oh!

This comment has been minimized.

github-actions bot commented Jan 8, 2025

Uh oh!

sobolevn commented Jan 12, 2025

Uh oh!

AlexWaygood left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

AlexWaygood left a comment •

edited

Loading