From b1836110f7769866ecca6f7e0ecea8ff48876523 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Tue, 2 Sep 2025 09:29:06 -0400 Subject: [PATCH] chore(ci): address CI lint findings (#545) This addresses all of zizmor's non-pedantic findings, and adds a workflow to proactively flag any more that come in. Key changes: * I've hash-pinned all actions references. Dependabot will continue to keep these updated and will update the hash comments as well. * I've marked every `actions/checkout` with `persist-credentials: false` except for one that actually needs persisted credentials (which I've explicitly enabled with an explanatory comment) * I've dropped some workflow-level permissions in favor of job-level permissions that were already provisioned. * I fixed two small template injections caused by expanding output contexts. I think these were not exploitable in practice, but fixing them is good for defense in depth (and makes spellcheck work nicely on these steps). --------- Signed-off-by: William Woodruff --- .github/workflows/codeql-analysis.yml | 12 +- .github/workflows/release-drafter.yml | 4 +- .github/workflows/test.yml | 154 +++++++++++++----- .github/workflows/update-known-versions.yml | 8 +- .github/workflows/update-major-minor-tags.yml | 6 +- 5 files changed, 139 insertions(+), 45 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 29f756b..985dba6 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -21,6 +21,8 @@ on: branches: - main +permissions: {} + jobs: analyze: name: Analyze 
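Review bot: The new workflow-level `permissions: {}` sets every token scope to none for any job that does not declare its own block, and the `analyze` job's permissions are outside this hunk; confirm it still grants `security-events: write` for the analyze step in the last hunk of this file and `contents: read` for the checkout. The commit description says job-level grants already exist, which is the right shape, but a reader of this file alone cannot see that. A one-line comment would make the intent visible: `permissions: {} # deny by default; each job grants only what it needs`.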
@@ -39,11 +41,13 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11 with: languages: ${{ matrix.language }} source-root: src @@ -55,7 +59,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11 # â„šī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -69,4 +73,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11 diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index 8a4d6f1..60d7877 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -8,6 +8,8 @@ on: branches: - main +permissions: {} + jobs: update_release_draft: name: âœī¸ Draft release @@ -17,6 +19,6 @@ jobs: pull-requests: read steps: - name: 🚀 Run Release Drafter - uses: release-drafter/release-drafter@v6.1.0 + uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 22fb2fd..4bd01d4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
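Review bot: `persist-credentials: false` is introduced here without a comment, and the same bare pair is repeated at every checkout in test.yml and update-known-versions.yml; since this is the first occurrence in the patch, one explanatory comment would tell future maintainers why the default was overridden and that the single `true` in update-major-minor-tags.yml is deliberate. Something like `persist-credentials: false # don't store GITHUB_TOKEN in .git/config; no later step in this job needs it`. The pinned-hash-plus-version-comment style (`# v5.0.0`) is good and, as the description notes, Dependabot keeps the comment in step with the hash.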
@@ -18,11 +18,17 @@ permissions: jobs: lint: runs-on: ubuntu-latest + permissions: + security-events: write # for zizmor steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Actionlint uses: eifinger/actionlint-action@23c85443d840cd73bbecb9cddfc933cc21649a38 # v1.9.1 - - uses: actions/setup-node@v4 + - name: Run zizmor + uses: zizmorcore/zizmor-action@5ca5fc7a4779c5263a3ffa0e1f693009994446d1 # v0.1.2 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "20" - run: | @@ -44,7 +50,9 @@ jobs: matrix: os: [ubuntu-latest, macos-latest, macos-14, windows-latest] steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install latest version id: setup-uv uses: ./ @@ -52,9 +60,17 @@ jobs: working-directory: __tests__/fixtures/uv-project shell: bash - name: Check uv-path is set - run: ${{ steps.setup-uv.outputs.uv-path }} --version + run: | + "${UV_PATH}" --version + shell: bash + env: + UV_PATH: ${{ steps.setup-uv.outputs.uv-path }} - name: Check uvx-path is set - run: ${{ steps.setup-uv.outputs.uvx-path }} --version + run: | + "${UVX_PATH}" --version + shell: bash + env: + UVX_PATH: ${{ steps.setup-uv.outputs.uvx-path }} test-specific-version: runs-on: ubuntu-latest @@ -62,7 +78,9 @@ jobs: matrix: uv-version: ["0.3.0", "0.3.2", "0.3", "0.3.x", ">=0.3.0"] steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install version ${{ matrix.uv-version }} uses: ./ with: 
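Review bot: The job-level `permissions:` block added to `lint` replaces the workflow-level block entirely, so this job now holds only `security-events: write`; `contents: read` (and `actions: read`, which the SARIF upload path needs on private repositories) are not granted here. On a public repository the checkout may still succeed without it, but the grant should be explicit rather than incidental: add `contents: read` under the new block next to `security-events: write # for zizmor`. The workflow-level `permissions:` block this overrides is outside the hunk, so its contents cannot be checked from here.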
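Review bot: Moving `steps.setup-uv.outputs.uv-path` into `env` and quoting `"${UV_PATH}"` closes the expression-injection path, but an empty output now fails with bash's generic `command not found` rather than saying which output was unset, which works against the step's name `Check uv-path is set`. A parameter check makes the failure self-describing: `: "${UV_PATH:?uv-path output is empty}"` as the first line of the script, and the same for `UVX_PATH` in the sibling step. Behaviour is otherwise unchanged because `shell: bash` already runs with `-e`, so the `--version` call still fails the step on a bad path.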
@@ -76,7 +94,9 @@ jobs: os: [ ubuntu-latest, selfhosted-ubuntu-arm64 ] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install version 0.3 id: setup-uv uses: ./ @@ -99,7 +119,9 @@ jobs: test-pep440-version: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install version 0.4.30 id: setup-uv uses: ./ @@ -115,7 +137,9 @@ jobs: test-pyproject-file-version: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install version 0.5.14 id: setup-uv uses: ./ @@ -131,7 +155,9 @@ jobs: test-malformed-pyproject-file-fallback: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install using malformed pyproject.toml id: setup-uv uses: ./ @@ -142,7 +168,9 @@ jobs: test-uv-file-version: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install version 0.5.15 id: setup-uv uses: ./ @@ -158,7 +186,9 @@ jobs: test-version-file-version: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install from requirements file id: setup-uv uses: ./ 
@@ -174,7 +204,9 @@ jobs: test-version-file-hash-version: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install from requirements file id: setup-uv uses: ./ @@ -190,7 +222,9 @@ jobs: test-tool-versions-file-version: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install from .tools-versions file id: setup-uv uses: ./ @@ -213,7 +247,9 @@ jobs: - os: macos-latest checksum: "a70cbfbf3bb5c08b2f84963b4f12c94e08fbb2468ba418a3bfe1066fbe9e7218" steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Checksum matches expected uses: ./ with: @@ -225,7 +261,9 @@ jobs: test-with-explicit-token: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install default version uses: ./ with: @@ -236,7 +274,9 @@ jobs: test-uvx: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install default version uses: ./ - run: uvx ruff --version @@ -253,7 +293,9 @@ jobs: windows-latest, ] steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install default version uses: ./ - run: uv tool install ruff 
@@ -262,7 +304,9 @@ jobs: test-tilde-expansion-tool-dirs: runs-on: selfhosted-ubuntu-arm64 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup with cache uses: ./ with: @@ -285,7 +329,9 @@ jobs: matrix: os: [ubuntu-latest, macos-latest, windows-latest] steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install latest version uses: ./ with: @@ -306,7 +352,9 @@ jobs: matrix: os: [ ubuntu-latest, macos-latest, windows-latest ] steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install latest version uses: ./ with: @@ -327,7 +375,9 @@ jobs: runs-on: ubuntu-latest container: alpine steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install latest version uses: ./ - run: uv sync @@ -340,7 +390,9 @@ jobs: enable-cache: [ "true", "false", "auto" ] os: [ "ubuntu-latest", "selfhosted-ubuntu-arm64", "windows-latest" ] steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup with cache uses: ./ with: @@ -357,7 +409,9 @@ jobs: os: [ "ubuntu-latest", "selfhosted-ubuntu-arm64", "windows-latest" ] needs: test-setup-cache steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Restore with cache id: restore uses: ./ 
@@ -389,7 +443,9 @@ jobs: test-setup-cache-requirements-txt: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup with cache uses: ./ with: @@ -403,7 +459,9 @@ jobs: runs-on: ubuntu-latest needs: test-setup-cache steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Restore with cache id: restore uses: ./ @@ -425,7 +483,9 @@ jobs: test-setup-cache-dependency-glob: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup with cache uses: ./ with: @@ -440,7 +500,9 @@ jobs: runs-on: ubuntu-latest needs: test-setup-cache-dependency-glob steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Change pyproject.toml run: | echo '[tool.uv]' >> __tests__/fixtures/uv-project/pyproject.toml @@ -475,7 +537,9 @@ jobs: expected-cache-dir: "/home/ubuntu/.cache/uv" runs-on: ${{ matrix.inputs.os }} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup with cache uses: ./ with: @@ -490,7 +554,9 @@ jobs: test-setup-cache-local: runs-on: selfhosted-ubuntu-arm64 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup with cache uses: ./ with: 
@@ -503,7 +569,9 @@ jobs: runs-on: selfhosted-ubuntu-arm64 needs: test-setup-cache-local steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Restore with cache id: restore uses: ./ @@ -524,7 +592,9 @@ jobs: test-tilde-expansion-cache-local-path: runs-on: selfhosted-ubuntu-arm64 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Create cache directory run: mkdir -p ~/uv-cache shell: bash @@ -538,7 +608,9 @@ jobs: test-tilde-expansion-cache-dependency-glob: runs-on: selfhosted-ubuntu-arm64 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Create cache directory run: mkdir -p ~/uv-cache shell: bash @@ -571,7 +643,9 @@ jobs: test-no-python-version: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Fake pyproject.toml at root run: cp __tests__/fixtures/old-python-constraint-project/pyproject.toml pyproject.toml - name: Setup with cache @@ -584,7 +658,9 @@ jobs: test-custom-manifest-file: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install from custom manifest file uses: ./ with: @@ -601,7 +677,9 @@ jobs: test-absolute-path: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Create requirements.txt run: echo "uv==0.6.17" > /tmp/setup-uv-requirements.txt - name: Install from requirements file 
@@ -619,7 +697,9 @@ jobs: test-relative-path: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: mkdir run: mkdir -p /tmp/setup-uv-test-relative-path - name: Create requirements.txt diff --git a/.github/workflows/update-known-versions.yml b/.github/workflows/update-known-versions.yml index ad9b21b..c44947a 100644 --- a/.github/workflows/update-known-versions.yml +++ b/.github/workflows/update-known-versions.yml @@ -4,6 +4,8 @@ on: schedule: - cron: "0 4 * * *" # Run every day at 4am UTC +permissions: {} + jobs: build: runs-on: ubuntu-24.04-arm @@ -11,8 +13,10 @@ jobs: contents: write pull-requests: write steps: - - uses: actions/checkout@v5 - - uses: actions/setup-node@v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "20" - name: Update known versions diff --git a/.github/workflows/update-major-minor-tags.yml b/.github/workflows/update-major-minor-tags.yml index 33d16fb..067201e 100644 --- a/.github/workflows/update-major-minor-tags.yml +++ b/.github/workflows/update-major-minor-tags.yml @@ -8,6 +8,8 @@ on: tags: - "v*.*.*" +permissions: {} + jobs: update_major_minor_tags: name: Make sure major and minor tags are up to date on a patch release @@ -15,7 +17,9 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: true # needed for git push below - name: Update Major Minor Tags run: | set -x
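Review bot: This is the only checkout that keeps the token (`persist-credentials: true`), and the job also holds `contents: write`, so the script in the following `run:` step (it starts at `set -x` and continues outside the hunk) is the sole control on which refs get pushed. The comment `# needed for git push below` says the token is needed but not what it is used for; naming the refs makes the grant auditable, e.g. `persist-credentials: true # the job pushes the updated major/minor tags below; only checkout that keeps the token`. The visible trigger is a `v*.*.*` tag push, so no fork-supplied input reaches this step, which keeps the retained credential low-risk.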