[CI] Add zizmor workflow #20437
[CI] Add zizmor workflow #20437
Conversation
Zizmor is a static analysis tool for GitHub Actions. See https://github.com/zizmorcore/zizmor This is necessary to improve the security of the repository and releases. Analysis results can be found in the Security tab.
KornevNikita
temporarily deployed
to
WindowsCILock
GitHub Actions
Inactive
KornevNikita
temporarily deployed
to
WindowsCILock
GitHub Actions
Inactive
KornevNikita
temporarily deployed
to
WindowsCILock
GitHub Actions
Inactive
There was a problem hiding this comment.
Is my understanding correct that this change detects and scans yaml files assuming some folder structure of .github / devops folders?
If such, are the hardcoded paths something intentional and you want to keep track of the target folders structure changes in the future OR it is an initial temporal solution and eventually you want something more flexible?
Thanks,
-S
There was a problem hiding this comment.
Sorry, not sure what you mean by "some folder structure". Workflow files are always stored in the .github/workflows/ directory, and our composite actions are stored in devops/actions. I don't think this will ever change.
Also, this workflow downloads and scans only .github/workflows/sycl-* & .github/workflows/ur-* ymls and all ymls in the devops/actions directory, as I believe it's the only workflows we launch here in intel/llvm (@intel/dpcpp-devops-reviewers right?). It's intended to avoid alerts in workflows we don't even run.
Does this answer your question? If not, could you please clarify what you mean.
There was a problem hiding this comment.
Workflow files are always stored in the .github/workflows/ directory
How reliable this statement is? Should it be possible to commit and run a workflow file from a different folder?
Also, this workflow downloads and scans only .github/workflows/sycl-* & .github/workflows/ur-* ymls and all ymls in the devops/actions directory, as I believe it's the only workflows we launch here in intel/llvm (@intel/dpcpp-devops-reviewers right?). It's intended to avoid alerts in workflows we don't even run.
From security point of view having a list of explicitly disabled for scanning items is preferred vs. the list of 'enabled' items, so when unclassified item is added it goes through the scanning by default until it is disabled explicitly.
There was a problem hiding this comment.
How reliable this statement is? Should it be possible to commit and run a workflow file from a different folder?
It's just how GitHub works - all workflows should be placed in the .github/workflows directory to be launched, so it's not possible to run a workflow file from a different folder.
From security point of view having a list of explicitly disabled for scanning items is preferred vs. the list of 'enabled' items, so when unclassified item is added it goes through the scanning by default until it is disabled explicitly.
Nevertheless, composite actions may be placed anywhere. But I believe here in intel/llvm the devops team won't allow a developer to place a composite action anywhere but the devops/actions directory. And as I see in llvm/llvm-project composite actions are always stored right in the .github/workflows dir, although I didn't find any strict policy about this.
Anyways, I've updated the patch to not only scan sycl-* and ur-* workflow files in .github/workflows, but the whole directory. If this is still not good enough, we can switch to scanning the whole repo.
There was a problem hiding this comment.
Thanks for following up on that.
Anyways, I've updated the patch to not only scan sycl-* and ur-* workflow files in .github/workflows, but the whole directory.
Might be good enough given your explanations wrt github limitations.
Although, shouldn't we drop sycl-* and ur-* masks in "on:" section either?
If this is still not good enough, we can switch to scanning the whole repo.
I'd recommend adding comments from your paragraph about devops/actions directory somewhere in this file. Something along the lines that we may consider scanning whole repo rather than devops/actions only if we want to harden security...
There was a problem hiding this comment.
Although, shouldn't we drop sycl-* and ur-* masks in "on:" section either?
Oops, right, updated.
I'd recommend adding comments from your paragraph about devops/actions directory somewhere in this file. Something along the lines that we may consider scanning whole repo rather than devops/actions only if we want to harden security...
Added a comment.
KornevNikita
temporarily deployed
to
WindowsCILock
GitHub Actions
Inactive
KornevNikita
had a problem deploying
to
WindowsCILock
GitHub Actions
Error
KornevNikita
had a problem deploying
to
WindowsCILock
GitHub Actions
Error
KornevNikita
had a problem deploying
to
WindowsCILock
GitHub Actions
Error
KornevNikita
temporarily deployed
to
WindowsCILock
GitHub Actions
Inactive
| sparse-checkout: | | ||
| .github/workflows/ | ||
| devops/actions/ | ||
| .github/workflows/**/*.yml |
There was a problem hiding this comment.
** wildcard is resolved with recursive walk including visiting current folder '.', right?
Meaning that ".github/workflows/**/*.yml" matches both cases:
.github/workflows/a1.yml
.github/workflows/fld/a2.yml
correct?
KornevNikita
temporarily deployed
to
WindowsCILock
GitHub Actions
Inactive
KornevNikita
had a problem deploying
to
WindowsCILock
GitHub Actions
Failure
KornevNikita
temporarily deployed
to
WindowsCILock
GitHub Actions
Inactive
|
@intel/llvm-gatekeepers please consider merging |
|
@intel/llvm-gatekeepers yep, this one is ready, please merge. |
5 participants
Zizmor is a static analysis tool for GitHub Actions. See https://github.com/zizmorcore/zizmor
This is necessary to improve the security of the repository and releases. Analysis results can be found in the Security tab.