From 59ee135ccec1689ab711ff718a718e6b69330c5c Mon Sep 17 00:00:00 2001
From: Eric Cornelissen
Date: Sun, 1 Dec 2024 11:55:23 +0100
Subject: [PATCH] Harden GitHub Actions workflows

Update all GitHub Actions workflows following an analysis by zizmor [1]. In particular, this avoids persisting git credentials when the job does not need it, there's only one job that needs it which is the one that updates the major version branch upon releases.

Zizmor did have more concerns but these were not addressed, namely:
- Overly permissive `permissions: read-all`: I think this is okay, the project is entirely open so I don't see a risk of an attacker reading anything.
- Use of `pull_request_target: ~` in labeler.yml: as far as I'm aware this is the only way to have this setup work, and it does not run any untrusted code.

--
1. https://github.com/woodruffw/zizmor
---
 .github/workflows/check.yml | 10 ++++++++++
 .github/workflows/publish.yml | 2 ++
 .github/workflows/semgrep.yml | 2 ++
 .github/workflows/test.yml | 4 ++++
 .github/workflows/tooling.yml | 2 ++
 .github/workflows/transitive-actions.yml | 2 ++
 6 files changed, 22 insertions(+)

diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index c40565c..31227e4 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -14,6 +14,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+ with:
+ persist-credentials: false
 - name: Install tooling
 uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3.0.2
 - name: Lint
@@ -24,6 +26,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+ with:
+ persist-credentials: false
 - name: Install tooling
 uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3.0.2
 - name: Lint
@@ -36,6 +40,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+ with:
+ persist-credentials: false
 - name: Static application security testing
 run: make sast
 shell:
@@ -44,6 +50,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+ with:
+ persist-credentials: false
 - name: Install tooling
 uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3.0.2
 - name: Lint
@@ -56,6 +64,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+ with:
+ persist-credentials: false
 - name: Install tooling
 uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3.0.2
 - name: Lint
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index c9967bf..b2493b1 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -50,6 +50,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+ with:
+ persist-credentials: false
 - name: Get version
 uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0 # v7.0.0
 id: version
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index b397714..a6f7800 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -19,6 +19,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+ with:
+ persist-credentials: false
 - name: Perform Semgrep analysis
 run: semgrep ci --sarif --output semgrep.sarif
 env:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 88804cb..5fc7230 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
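Review bot: Confirm that the publish.yml checkout at `@@ -50,6 +50,8 @@` is not in the job that pushes the major version branch on release, because once `persist-credentials: false` is set any later `git push` in that job that relies on the token written to `.git/config` fails to authenticate. The job's remaining steps lie outside the hunk, so this cannot be verified here; the only visible follow-up step reads the version via github-script, which needs no git credentials. The commit message says the branch-updating job was deliberately left with credentials, and that exemption deserves a comment on its own checkout step, such as `# persist-credentials kept: this job pushes the major version branch`, so a future hardening pass does not remove it.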
@@ -16,6 +16,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+ with:
+ persist-credentials: false
 - name: Install tooling
 uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3.0.2
 - name: Run bare action
@@ -33,6 +35,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+ with:
+ persist-credentials: false
 - name: Install tooling
 uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3.0.2
 - name: Install kcov (from package)
diff --git a/.github/workflows/tooling.yml b/.github/workflows/tooling.yml
index a75a075..8cc18c5 100644
--- a/.github/workflows/tooling.yml
+++ b/.github/workflows/tooling.yml
@@ -16,6 +16,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+ with:
+ persist-credentials: false
 - name: Create token to create Pull Request
 uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
 id: automation-token
diff --git a/.github/workflows/transitive-actions.yml b/.github/workflows/transitive-actions.yml
index bb7afc7..158076c 100644
--- a/.github/workflows/transitive-actions.yml
+++ b/.github/workflows/transitive-actions.yml
@@ -16,6 +16,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+ with:
+ persist-credentials: false
 - name: Create token to create Pull Request
 uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
 id: automation-token
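Review bot: The `Create token to create Pull Request` step that follows the hardened checkout in tooling.yml indicates this job later pushes a branch or opens a PR; with `persist-credentials: false` that push must authenticate with `steps.automation-token.outputs.token` (or the PR-creating action must receive it as an input), since a plain `git push` in a `run:` step no longer finds credentials in `.git/config`. The steps that would perform the push are outside the hunk, so please verify none of them depends on the checkout's stored token. The same applies to the identical hunk in transitive-actions.yml. If the app token is indeed passed explicitly, the hardening is correct, and a one-line comment above `persist-credentials: false` such as `# pushes use the app token minted below, not the checkout token` would record why this job is safe without stored credentials.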