From b3a22a1432473e68ceb00b2543b53f0f10133f84 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tin=20Tvrtkovi=C4=87?=
Date: Sat, 30 Nov 2024 23:16:06 +0100
Subject: [PATCH 1/2] Introduce zizmor

---
 .github/workflows/zizmor.yml | 38 ++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 00000000..4b10100c
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,38 @@
+# https://github.com/woodruffw/zizmor
+name: Zizmor
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["*"]
+
+permissions:
+ contents: read
+
+
+jobs:
+ zizmor:
+ name: Zizmor latest via Cargo
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - name: Setup Rust
+ uses: actions-rust-lang/setup-rust-toolchain@v1
+ - name: Get zizmor
+ run: cargo install zizmor
+ - name: Run zizmor
+ run: zizmor --format sarif . > results.sarif
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: results.sarif
+ # Optional category for the results
+ # Used to differentiate multiple results for one commit
+ category: zizmor
\ No newline at end of file

From 086fde3f5265bece6a48ae88d55b00e98ed6d0b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tin=20Tvrtkovi=C4=87?=
Date: Sat, 30 Nov 2024 23:25:54 +0100
Subject: [PATCH 2/2] harden workflows

---
 .github/workflows/main.yml | 6 ++++++
 .github/workflows/pypi-package.yml | 9 +++++----
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index d348ab6b..47d1d2dc 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
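Review bot: The audit job installs its own tool unpinned — `run: cargo install zizmor` builds whatever the newest crates.io release is on every run, and every `uses:` in the new file (`actions/checkout@v4`, `actions-rust-lang/setup-rust-toolchain@v1`, `github/codeql-action/upload-sarif@v3`) is a floating tag, which is the very condition zizmor's own `unpinned-uses` audit reports. Pin the tool, e.g. `run: cargo install --locked zizmor@<pinned-version>` (placeholder version), and reference the actions by full commit SHA with the tag kept in a trailing comment; the same tag-only references appear in the main.yml and pypi-package.yml hunks of the second patch. Should zizmor exit non-zero when it has findings, the `Upload SARIF file` step never runs and nothing reaches code scanning, so consider `continue-on-error: true` on the `Run zizmor` step or `if: always()` on the upload — confirm against the exit-code behaviour of the version you pin. The new file also ends without a trailing newline (`\ No newline at end of file`).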
@@ -19,6 +19,8 @@ jobs:
 steps:
 - uses: "actions/checkout@v4"
+ with:
+ persist-credentials: false
 - uses: "pdm-project/setup-pdm@v4"
 with:
@@ -48,6 +50,8 @@ jobs:
 steps:
 - uses: "actions/checkout@v4"
+ with:
+ persist-credentials: false
 - uses: "actions/setup-python@v5"
 with:
@@ -104,6 +108,8 @@ jobs:
 steps:
 - uses: "actions/checkout@v4"
+ with:
+ persist-credentials: false
 - uses: "pdm-project/setup-pdm@v4"
 with:
 python-version: "3.12"
diff --git a/.github/workflows/pypi-package.yml b/.github/workflows/pypi-package.yml
index 63c6b784..d19c1b96 100644
--- a/.github/workflows/pypi-package.yml
+++ b/.github/workflows/pypi-package.yml
@@ -10,10 +10,6 @@ on:
 - published
 workflow_dispatch:
-permissions:
- contents: read
- id-token: write
-
 jobs:
 build-package:
 name: Build & verify package
@@ -23,6 +19,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - uses: hynek/build-and-inspect-python-package@v1
@@ -33,6 +30,8 @@ jobs:
 if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 runs-on: ubuntu-latest
 needs: build-package
+ permissions:
+ id-token: write
 steps:
 - name: Download packages built by build-and-inspect-python-package
@@ -53,6 +52,8 @@ jobs:
 if: github.event.action == 'published'
 runs-on: ubuntu-latest
 needs: build-package
+ permissions:
+ id-token: write
 steps:
 - name: Download packages built by build-and-inspect-python-package
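Review bot: Removing the whole top-level `permissions:` block in the first pypi-package.yml hunk (`@@ -10,10 +10,6 @@`) leaves any job without its own `permissions:` on the repository's default GITHUB_TOKEN scope, which depending on the repository setting can be the permissive read/write default rather than `contents: read`; the two publish jobs gain a job-level `id-token: write`, but `build-package` shows no job-level block in the lines visible here, so unless one exists in the lines this hunk omits, a commit meant to harden the workflow widens that job's token. Keep a minimal workflow-level default and let jobs add only what they need: retain `permissions:` / `  contents: read` at the top level and leave the per-job `id-token: write` additions as they are. Note also that a job-level `permissions:` block sets every unlisted scope to `none`, so the publish jobs now run with `contents: none`; that is fine only if none of their steps outside these hunks reads the repository.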