Improve security of our GitHub Actions (#18413)
Recently CPython introduced this new tool:
https://github.com/python/cpython/blob/8eebe4e6d02bb4ad3f1ca6c52624186903dce893/.pre-commit-config.yaml#L64-L67

It finds different security-related problems with GitHub Actions.

I added this tool to our `.pre-commit-config.yaml` and followed all its
recommendations.

Changes:
- I added `persist-credentials: false` to all `checkout` actions, see
  `# Whether to configure the token or SSH key with the local git config` in
  https://github.com/actions/checkout
- I moved all permissions from workflow level to job level
- I changed `.github/workflows/mypy_primer_comment.yml` to be a reusable
workflow, see
https://woodruffw.github.io/zizmor/audits/#dangerous-triggers
sobolevn authored Jan 14, 2025
1 parent d7ebe2e commit a6c1184
Showing 9 changed files with 41 additions and 15 deletions.
4 changes: 3 additions & 1 deletion .github/workflows/build_wheels.yml
Expand Up @@ -6,14 +6,16 @@ on:
tags: ['*']

permissions:
contents: write
contents: read

jobs:
build-wheels:
if: github.repository == 'python/mypy'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5
with:
python-version: '3.11'
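Review bot: the workflow-level grant drops from `contents: write` to `contents: read`, but the `build-wheels` job continues past the visible context, so confirm that no later step in it pushes, tags or uploads a release; if one does, it needs a job-level `permissions:` block with `contents: write`, following the pattern used in `sync_typeshed.yml` in this same commit. Adding `persist-credentials: false` to the checkout is consistent with the rest of the change.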
2 changes: 2 additions & 0 deletions .github/workflows/docs.yml
Expand Up @@ -35,6 +35,8 @@ jobs:
VERIFY_MYPY_ERROR_CODES: 1
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5
with:
python-version: '3.12'
5 changes: 1 addition & 4 deletions .github/workflows/mypy_primer.yml
Expand Up @@ -26,8 +26,6 @@ jobs:
mypy_primer:
name: Run mypy_primer
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
matrix:
shard-index: [0, 1, 2, 3, 4]
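Review bot: this hunk deletes the job-level `permissions: contents: read` from `mypy_primer` instead of adding one, which is the opposite direction from the commit message's "moved all permissions from workflow level to job level". That is only a tightening if the untouched part of the file has a workflow-level `permissions:` block at least as restrictive; otherwise the job falls back to the repository's default `GITHUB_TOKEN` permissions, which may include write scopes. The file summary shows 4 deletions and 1 addition, so nothing is added at workflow level here; please confirm the workflow-level block already exists.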
Expand All @@ -38,6 +36,7 @@ jobs:
with:
path: mypy_to_test
fetch-depth: 0
persist-credentials: false
- uses: actions/setup-python@v5
with:
python-version: "3.12"
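Review bot: `persist-credentials: false` is added to a checkout that uses `path: mypy_to_test` and `fetch-depth: 0`; full history for a public repository needs no token, but confirm that no later step in the sharded job runs an authenticated `git` operation against the `mypy_to_test` checkout, since the token is no longer written to its `.git/config`.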
Expand Down Expand Up @@ -93,8 +92,6 @@ jobs:
name: Join artifacts
runs-on: ubuntu-latest
needs: [mypy_primer]
permissions:
contents: read
steps:
- name: Merge artifacts
uses: actions/upload-artifact/merge@v4
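Review bot: same concern as for the `mypy_primer` job: removing `permissions: contents: read` from `join` leaves it on the workflow-level or repository-default grant. `actions/upload-artifact/merge@v4` needs nothing beyond `contents: read`, so a workflow-level `permissions: contents: read` block must be present for this deletion to be a no-op rather than a loosening.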
9 changes: 5 additions & 4 deletions .github/workflows/mypy_primer_comment.yml
@@ -1,20 +1,21 @@
name: Comment with mypy_primer diff

on:
on: # zizmor: ignore[dangerous-triggers]
workflow_run:
workflows:
- Run mypy_primer
types:
- completed

permissions:
contents: read
pull-requests: write
permissions: {}

jobs:
comment:
name: Comment PR from mypy_primer
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
if: ${{ github.event.workflow_run.conclusion == 'success' }}
steps:
- name: Download diffs
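Review bot: the commit message says this file was changed "to be a reusable workflow", but the hunk keeps the `workflow_run` trigger and silences the audit with `# zizmor: ignore[dangerous-triggers]`; either the message or the approach needs updating. If `workflow_run` stays (it is what gives this job a `pull-requests: write` token after a fork PR's run completes), put the justification in the ignore comment and make sure the "Download diffs" step treats the artifact strictly as data to post, never as something to execute or to expand into a shell command or `${{ }}` expression, because it was produced by the untrusted triggering run. Dropping the workflow-level grant to `permissions: {}` and scoping `contents: read` / `pull-requests: write` to the `comment` job is the right shape.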
8 changes: 5 additions & 3 deletions .github/workflows/sync_typeshed.yml
Expand Up @@ -5,20 +5,22 @@ on:
schedule:
- cron: "0 0 1,15 * *"

permissions:
contents: write
pull-requests: write
permissions: {}

jobs:
sync_typeshed:
name: Sync typeshed
if: github.repository == 'python/mypy'
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
timeout-minutes: 10
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: true # needed to `git push` the PR branch
# TODO: use whatever solution ends up working for
# https://github.com/python/typeshed/issues/8434
- uses: actions/setup-python@v5
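Review bot: the explicit `persist-credentials: true` is documented, which is good, but the comment should also state the trade-off: with `contents: write` and `pull-requests: write` on the job, every later step (including the typeshed sync tooling the TODO refers to) runs with a token that can push to this repository already sitting in `.git/config`. If the push happens in a single step, consider keeping `persist-credentials: false` and supplying the token only to that step; if that is not practical, the `if: github.repository == 'python/mypy'` guard and `timeout-minutes: 10` are the remaining limits, and the comment should say so.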
4 changes: 4 additions & 0 deletions .github/workflows/test.yml
Expand Up @@ -136,6 +136,8 @@ jobs:

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false

- name: Debug build
if: ${{ matrix.debug_build }}
Expand Down Expand Up @@ -217,6 +219,8 @@ jobs:
CC: i686-linux-gnu-gcc
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install 32-bit build dependencies
run: |
sudo dpkg --add-architecture i386 && \
2 changes: 2 additions & 0 deletions .github/workflows/test_stubgenc.yml
Expand Up @@ -29,6 +29,8 @@ jobs:
steps:

- uses: actions/checkout@v4
with:
persist-credentials: false

- name: Setup 🐍 3.9
uses: actions/setup-python@v5
20 changes: 18 additions & 2 deletions .pre-commit-config.yaml
Expand Up @@ -16,10 +16,11 @@ repos:
- id: ruff
args: [--exit-non-zero-on-fix]
- repo: https://github.com/python-jsonschema/check-jsonschema
rev: 0.30.0
rev: 0.31.0
hooks:
- id: check-dependabot
- id: check-github-workflows
- id: check-github-actions
- id: check-readthedocs
- repo: https://github.com/rhysd/actionlint
rev: v1.7.6
hooks:
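Review bot: the `check-jsonschema` bump from `0.30.0` to `0.31.0` and the new `check-github-actions` and `check-readthedocs` hooks are not mentioned in the commit message, which describes only the zizmor and permissions work; add a line to the message (or split them into their own commit) so the bump is traceable. `check-github-actions` is a useful companion here because it validates `action.yml`, which this commit also edits.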
Expand All @@ -29,5 +30,20 @@ repos:
-ignore=property "allow_failure" is not defined,
-ignore=SC2(046|086),
]
additional_dependencies:
# actionlint has a shellcheck integration which extracts shell scripts in `run:` steps from GitHub Actions
# and checks these with shellcheck. This is arguably its most useful feature,
# but the integration only works if shellcheck is installed
- "github.com/wasilibs/go-shellcheck/cmd/shellcheck@v0.10.0"
- repo: https://github.com/woodruffw/zizmor-pre-commit
rev: v1.0.1
hooks:
- id: zizmor
# Should be the last one:
- repo: meta
hooks:
- id: check-hooks-apply
- id: check-useless-excludes

ci:
autoupdate_schedule: quarterly
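Review bot: two things to make explicit in this hunk. First, the zizmor hook is pinned to the tag `v1.0.1`, while the `# zizmor: ignore[...]` comments added elsewhere in this commit bind the repository to that release's audit names; the quarterly `autoupdate_schedule` will move the tag, and a release that renames or splits an audit would silently change what is suppressed, so note that the ignore comments need re-checking on each bump. Second, zizmor has offline audits and online audits that require a GitHub token, so state in a comment which set the pre-commit hook is expected to run; otherwise local runs and CI will report different findings. The `additional_dependencies` comment explaining the actionlint/shellcheck integration is clear and worth keeping.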
2 changes: 1 addition & 1 deletion action.yml
Expand Up @@ -32,7 +32,7 @@ branding:
runs:
using: composite
steps:
- name: mypy setup
- name: mypy setup # zizmor: ignore[template-injection]
shell: bash
run: |
echo ::group::Installing mypy...
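Review bot: `# zizmor: ignore[template-injection]` suppresses the finding rather than fixing it. Only `echo ::group::Installing mypy...` of the `run:` block is visible, but this audit fires when a `${{ ... }}` expression is expanded directly into the script; the standard fix is to move each such expression into the step's `env:` map and reference it as `"$NAME"` in bash, after which the ignore can be dropped. If the interpolated inputs are judged trusted (for a composite action they are supplied by the calling workflow), record that reasoning in the comment so the exemption is reviewable.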