From 8c260a59879ac3dd01d81f2cb6944554e714638d Mon Sep 17 00:00:00 2001 From: Hynek Schlawack Date: Thu, 31 Oct 2024 16:21:39 +0100 Subject: [PATCH] Thank you Doctor Zizmor! --- .github/workflows/ci.yml | 15 ++++++++--- .github/workflows/codeql-analysis.yml | 10 +++---- .github/workflows/wheels.yml | 1 + .github/workflows/zizmor.yml | 38 +++++++++++++++++++++++++++ 4 files changed, 56 insertions(+), 8 deletions(-) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 60af479..fda2fc2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,6 +35,7 @@ jobs: - uses: actions/checkout@v4 with: submodules: recursive + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} @@ -43,8 +44,9 @@ jobs: - run: python -Im pip install tox - name: Determine Python version for tox + env: + V: ${{ matrix.python-version }} run: | - V=${{ matrix.python-version }} if [[ "$V" = pypy-* ]]; then V=$(echo $V | tr -d .-) else @@ -53,7 +55,7 @@ jobs: echo TOX_PYTHON=$V >>$GITHUB_ENV - - run: python -Im tox run -f ${{ env.TOX_PYTHON }} + - run: python -Im tox run -f $TOX_PYTHON system-package: runs-on: ubuntu-latest @@ -61,6 +63,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version-file: .python-version-default @@ -82,6 +86,7 @@ jobs: - uses: actions/checkout@v4 with: submodules: recursive + persist-credentials: false - uses: hynek/build-and-inspect-python-package@v2 id: baipp 
@@ -91,7 +96,9 @@ jobs: python-version: "3.x" # use the one that baipp used # Smoke-check the wheel against argon2-cffi. - - run: python -Im pip install ${{ steps.baipp.outputs.dist }}/*.whl + - run: python -Im pip install $DIST/*.whl + env: + DIST: ${{ steps.baipp.outputs.dist }} - run: python -Im pip install --no-deps git+https://github.com/hynek/argon2-cffi.git - run: python -Im argon2 -n 1 -t 1 -m 8 -p 1 @@ -107,6 +114,7 @@ jobs: - uses: actions/checkout@v4 with: submodules: recursive + persist-credentials: false - uses: actions/setup-python@v5 with: cache: pip @@ -127,6 +135,7 @@ jobs: - uses: actions/checkout@v4 with: submodules: recursive + persist-credentials: false - uses: actions/setup-python@v5 with: cache: pip diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 1e575cc..fd85057 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -2,11 +2,6 @@ name: CodeQL on: - push: - branches: [main] - pull_request: - # The branches below must be a subset of the branches above - branches: [main] schedule: - cron: "30 22 * * 4" @@ -30,11 +25,16 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml index 4a04ac3..17df561 100644 --- a/.github/workflows/wheels.yml +++ b/.github/workflows/wheels.yml @@ -29,6 +29,7 @@ jobs: submodules: recursive fetch-depth: 0 fetch-tags: true + persist-credentials: false - name: Set up QEMU if: runner.os == 'Linux' diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..bef3152 --- /dev/null +++ b/.github/workflows/zizmor.yml 
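Review bot: `$DIST` is expanded unquoted in the new `python -Im pip install $DIST/*.whl` line, so a dist path containing whitespace would be word-split into several arguments before the glob is applied; `python -Im pip install "$DIST"/*.whl` keeps the glob working while protecting the variable. The value is the baipp step's output rather than anything user-controlled, so this is a robustness point, not an injection one, but the env-based form the commit moves to only pays off if the variable is then quoted in the shell.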
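Review bot: Dropping the `push` and `pull_request` triggers leaves CodeQL on the weekly `schedule` alone, so commits reaching `main` are not analysed until the next Thursday run and pull requests get no CodeQL result at all. GitHub may also disable scheduled workflows in repositories without recent activity, at which point the scan stops silently. If PR-time scanning is intentionally dropped, adding `workflow_dispatch:` under `on:` at least gives a manual fallback; the comment that explained the branch subset went with the removed lines, so nothing in the file now says why only the schedule remains.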
@@ -0,0 +1,38 @@
+# https://github.com/woodruffw/zizmor
+name: GitHub Actions Security Analysis with Zizmor
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["*"]
+
+permissions:
+ contents: read
+
+
+jobs:
+ zizmor:
+ name: Zizmor latest via Cargo
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - name: Setup Rust
+ uses: actions-rust-lang/setup-rust-toolchain@v1
+ - name: Get zizmor
+ run: cargo install zizmor
+ - name: Run zizmor
+ run: zizmor --format sarif . > results.sarif
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: results.sarif
+ # Optional category for the results
+ # Used to differentiate multiple results for one commit
+ category: zizmor
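Review bot: `cargo install zizmor` in the Get zizmor step pulls whatever version is current on crates.io at run time and builds it from source on every run, so the tool whose findings are written to the security tab is neither pinned nor reproducible; `run: cargo install --locked zizmor --version "<pinned-version>"` (placeholder, pick a known release) pins the tool and, via `--locked`, the dependency tree it was published with. The Run zizmor step redirects stdout to results.sarif, but if the installed zizmor exits non-zero when it reports findings (worth checking for the pinned version) the step fails and the Upload SARIF step never runs; gating that step with `if: ${{ !cancelled() }}` keeps results flowing to code scanning while the job still fails. Note also that `security-events: write` is not available to `pull_request` runs from forks, so with `branches: ["*"]` the upload step will presumably fail on external PRs.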