From c6c7edc99be95cffa4773526c88269c064de4897 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Wed, 13 Nov 2024 07:29:43 -0600
Subject: [PATCH 1/2] PYTHON-4970 Adopt zizmor GitHub Actions security scanner

---
 .github/workflows/benchmark.yml | 2 ++
 .github/workflows/release-python.yml | 2 ++
 .github/workflows/test-python.yml | 6 ++++++
 .github/workflows/zizmor.yml | 32 ++++++++++++++++++++++++++++
 4 files changed, 42 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml

diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 1b99d402..a6eab212 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -22,6 +22,8 @@ jobs:
 fail-fast: false
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Setup Python
 uses: actions/setup-python@v5
 with:
diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml
index 90cc82df..9d46bf64 100644
--- a/.github/workflows/release-python.yml
+++ b/.github/workflows/release-python.yml
@@ -45,6 +45,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 
 - name: Set up python version
 run: |
@@ -99,6 +100,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 
 - uses: actions/setup-python@v5
 with:
diff --git a/.github/workflows/test-python.yml b/.github/workflows/test-python.yml
index 2996644f..3f283c53 100644
--- a/.github/workflows/test-python.yml
+++ b/.github/workflows/test-python.yml
@@ -22,6 +22,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v5
 - uses: pre-commit/action@v3.0.1
 with:
@@ -38,6 +40,8 @@ jobs:
 name: CPython ${{ matrix.python-version }}-${{ matrix.os }}
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Setup Python
 uses: actions/setup-python@v5
 with:
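Review bot: In the two release-python.yml hunks (at -45 and -99) `persist-credentials: false` stops actions/checkout from leaving the job token in `.git/config`, so any later step in those jobs that pushes tags or commits back to the repository will fail unless it authenticates explicitly; both jobs continue outside the hunks (the `fetch-depth: 0` checkout suggests git history is used), so this is worth confirming against the full workflow before merging. If a push is needed, give that step its own credential (for example `env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on a `gh`-based push, or a token-bearing remote URL scoped to that step) rather than re-enabling persisted credentials. The benchmark.yml and test-python.yml hunks make the same change and appear to need no follow-up.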
@@ -93,6 +97,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Setup Python
 uses: actions/setup-python@v5
 with:
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 00000000..92bd4fb4
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,32 @@
+name: GitHub Actions Security Analysis with zizmor
+ on:
+ push:
+ branches: ["master"]
+ pull_request:
+ branches: ["**"]
+ jobs:
+ zizmor:
+ name: zizmor latest via Cargo
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - name: Setup Rust
+ uses: actions-rust-lang/setup-rust-toolchain@v1
+ - name: Get zizmor
+ run: cargo install zizmor
+ - name: Run zizmor
+ run: zizmor --format sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
+ category: zizmor
From cc6b77873d3989a3d08f87eda22255a0ff926ae0 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Wed, 13 Nov 2024 07:30:47 -0600
Subject: [PATCH 2/2] change target branch

---
 .github/workflows/zizmor.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 92bd4fb4..0fbdbd6d 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -2,7 +2,7 @@ name: GitHub Actions Security Analysis with zizmor
 on:
 push:
- branches: ["master"]
+ branches: ["main"]
 pull_request:
 branches: ["**"]
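Review bot: The `Upload SARIF file` step at the end of the new zizmor.yml only runs when `Run zizmor` succeeds, so if zizmor exits non-zero when it reports findings (which I believe is its default behaviour), the run step fails and the results never reach code scanning; add `continue-on-error: true` to the `Run zizmor` step or `if: always()` to the upload step so findings are uploaded either way. `cargo install zizmor` builds whatever the newest crates.io release is on every run, an unpinned and silently changing dependency inside a security job; pin it with `run: cargo install zizmor --locked --version <pinned-version>` and bump deliberately. The same applies to the mutable tags `actions-rust-lang/setup-rust-toolchain@v1`, `actions/checkout@v4` and `github/codeql-action/upload-sarif@v3`, which zizmor's own unpinned-uses audit may flag; pinning each to a commit SHA with a trailing version comment is the usual fix. On `pull_request` runs from forks the `GITHUB_TOKEN` is read-only, so the `security-events: write` upload will fail there; either restrict the trigger or tolerate the upload failure on fork PRs.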