From a6c1184f7ef3cddcd070a45803cd3b352f128a29 Mon Sep 17 00:00:00 2001
From: sobolevn
Date: Tue, 14 Jan 2025 15:21:45 +0300
Subject: [PATCH] Improve security of our GitHub Actions (#18413)
Recently CPython introduced this new tool: https://github.com/python/cpython/blob/8eebe4e6d02bb4ad3f1ca6c52624186903dce893/.pre-commit-config.yaml#L64-L67 Which finds different security related problems with GitHub Actions. I added this tool to our `.pre-commit-config.yaml` and followed all its recommendations.
Changes:
- I added `persist-credentials: false` to all `checkout` actions, see `# Whether to configure the token or SSH key with the local git config` in https://github.com/actions/checkout
- I moved all permissions from workflow level to job level
- I changed `.github/workflows/mypy_primer_comment.yml` to be a reusable workflow, see https://woodruffw.github.io/zizmor/audits/#dangerous-triggers
---
 .github/workflows/build_wheels.yml | 4 +++-
 .github/workflows/docs.yml | 2 ++
 .github/workflows/mypy_primer.yml | 5 +----
 .github/workflows/mypy_primer_comment.yml | 9 +++++----
 .github/workflows/sync_typeshed.yml | 8 +++++---
 .github/workflows/test.yml | 4 ++++
 .github/workflows/test_stubgenc.yml | 2 ++
 .pre-commit-config.yaml | 20 ++++++++++++++++++--
 action.yml | 2 +-
 9 files changed, 41 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/build_wheels.yml b/.github/workflows/build_wheels.yml
index 8055cfd24180..dae4937d5081 100644
--- a/.github/workflows/build_wheels.yml
+++ b/.github/workflows/build_wheels.yml
@@ -6,7 +6,7 @@ on: tags: ['*'] permissions: - contents: write + contents: read jobs: build-wheels:
@@ -14,6 +14,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: '3.11'
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 112102954dd3..3f945b84b7f0 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
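Review bot: The workflow-level token is narrowed from `contents: write` to `contents: read`, but no job-level `permissions:` block is added anywhere in build_wheels.yml (the diffstat shows only these four changed lines), so any step in this workflow that publishes release assets or pushes would now receive a 403; confirm that nothing in the jobs outside this hunk relied on the write scope. If a publish job does need it, give that job alone `permissions: contents: write` rather than restoring it at workflow level. The enclosing `on:` block starts before this hunk.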
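Review bot: `persist-credentials: false` is the right setting for a job that only builds, but the `uses: actions/checkout@v4` and `actions/setup-python@v5` lines around it still reference mutable tags; pinning third-party actions to a full commit SHA (with the tag kept in a trailing comment) is the supply-chain gap this hardening pass leaves open, and the same applies to the checkout and setup-python steps touched in docs.yml, mypy_primer.yml, sync_typeshed.yml, test.yml and test_stubgenc.yml. Both `uses:` lines are context here, so this is a follow-up rather than a problem the hunk introduces.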
@@ -35,6 +35,8 @@ jobs: VERIFY_MYPY_ERROR_CODES: 1 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: '3.12'
diff --git a/.github/workflows/mypy_primer.yml b/.github/workflows/mypy_primer.yml
index 54fa2177716c..cf62ce24fb9e 100644
--- a/.github/workflows/mypy_primer.yml
+++ b/.github/workflows/mypy_primer.yml
@@ -26,8 +26,6 @@ jobs: mypy_primer: name: Run mypy_primer runs-on: ubuntu-latest - permissions: - contents: read strategy: matrix: shard-index: [0, 1, 2, 3, 4]
@@ -38,6 +36,7 @@ jobs: with: path: mypy_to_test fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@v5 with: python-version: "3.12"
@@ -93,8 +92,6 @@ jobs: name: Join artifacts runs-on: ubuntu-latest needs: [mypy_primer] - permissions: - contents: read steps: - name: Merge artifacts uses: actions/upload-artifact/merge@v4
diff --git a/.github/workflows/mypy_primer_comment.yml b/.github/workflows/mypy_primer_comment.yml
index 72f111b96c53..21f1222a5b89 100644
--- a/.github/workflows/mypy_primer_comment.yml
+++ b/.github/workflows/mypy_primer_comment.yml
@@ -1,20 +1,21 @@ name: Comment with mypy_primer diff -on: +on: # zizmor: ignore[dangerous-triggers] workflow_run: workflows: - Run mypy_primer types: - completed -permissions: - contents: read - pull-requests: write +permissions: {} jobs: comment: name: Comment PR from mypy_primer runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write if: ${{ github.event.workflow_run.conclusion == 'success' }} steps: - name: Download diffs
diff --git a/.github/workflows/sync_typeshed.yml b/.github/workflows/sync_typeshed.yml
index 84d246441f3d..2d5361a5919c 100644
--- a/.github/workflows/sync_typeshed.yml
+++ b/.github/workflows/sync_typeshed.yml
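Review bot: Dropping the job-level `permissions: contents: read` from `mypy_primer` (and from the join job at `@@ -93,8 +92,6 @@`) only keeps the token read-only if the workflow-level `permissions:` block, which is outside both hunks, already says `contents: read`; if that block is absent or broader, both jobs silently inherit the repository default. Keeping an explicit `permissions: contents: read` on each job would match the per-job style this commit adopts in mypy_primer_comment.yml and sync_typeshed.yml and would survive later edits to the workflow header. The `jobs:` mapping this hunk edits begins above the hunk.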
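Review bot: The `# zizmor: ignore[dangerous-triggers]` on `on:` suppresses the audit without recording why the `workflow_run` trigger is safe here, which matters because the `comment` job now holds `pull-requests: write` and its first step, `Download diffs`, pulls artifacts produced by the untrusted PR run of `Run mypy_primer`; the steps that consume that artifact are outside the hunk, so a reader cannot check that its contents are only read and never executed or interpolated into a shell. A justification next to the suppression would help, e.g. `# zizmor: ignore[dangerous-triggers] -- workflow_run is needed to comment on fork PRs; the downloaded artifact is untrusted input and is only read, never executed`, adjusted to what the later steps actually do. Note also that the commit message says this file was converted to a reusable workflow, but the hunk keeps the `workflow_run` trigger and adds the suppression instead.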
@@ -5,20 +5,22 @@ on: schedule: - cron: "0 0 1,15 * *" -permissions: - contents: write - pull-requests: write +permissions: {} jobs: sync_typeshed: name: Sync typeshed if: github.repository == 'python/mypy' runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write timeout-minutes: 10 steps: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: true # needed to `git push` the PR branch # TODO: use whatever solution ends up working for # https://github.com/python/typeshed/issues/8434 - uses: actions/setup-python@v5
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 97bc62e002c5..a57d08fa4da8 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -136,6 +136,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Debug build if: ${{ matrix.debug_build }}
@@ -217,6 +219,8 @@ jobs: CC: i686-linux-gnu-gcc steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install 32-bit build dependencies run: | sudo dpkg --add-architecture i386 && \
diff --git a/.github/workflows/test_stubgenc.yml b/.github/workflows/test_stubgenc.yml
index 115eb047556e..4676acf8695b 100644
--- a/.github/workflows/test_stubgenc.yml
+++ b/.github/workflows/test_stubgenc.yml
@@ -29,6 +29,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup 🐍 3.9 uses: actions/setup-python@v5
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 587a16b3fb72..dc411c6da49b 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -16,10 +16,11 @@ repos: - id: ruff args: [--exit-non-zero-on-fix] - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.30.0 + rev: 0.31.0 hooks: - - id: check-dependabot - id: check-github-workflows + - id: check-github-actions + - id: check-readthedocs - repo: https://github.com/rhysd/actionlint rev: v1.7.6 hooks:
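Review bot: `persist-credentials: true` keeps a token carrying the new job-level `contents: write` and `pull-requests: write` scopes in `.git/config` for every later step of `sync_typeshed`, including `actions/setup-python@v5` and whatever follows it outside the hunk, so the inline comment should state why that is acceptable and not only what it is for. As far as this hunk shows, the justification is the `schedule` trigger together with the `if: github.repository == 'python/mypy'` guard: no fork-controlled input reaches the job. Suggested comment: `# needed to git push the PR branch; acceptable because this job runs only on schedule in python/mypy and no fork-controlled input reaches it`. The `steps:` list continues past the end of the hunk.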
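Review bot: `check-dependabot` is removed from the check-jsonschema hooks while `check-github-actions` and `check-readthedocs` are added, so `.github/dependabot.yml`, if the repository has one, loses its schema validation; if Dependabot is what bumps the `@v4`/`@v5` action references, a malformed edit to that file would now go unnoticed until it stops opening PRs. If the file does not exist the removal is correct (the new `check-hooks-apply` meta hook would otherwise flag the unused hook), so a one-line comment saying which case applies would save the next reader the lookup. The actionlint `hooks:` list continues past the end of the hunk.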
@@ -29,5 +30,20 @@ repos: -ignore=property "allow_failure" is not defined, -ignore=SC2(046|086), ] + additional_dependencies: # actionlint has a shellcheck integration which extracts shell scripts in `run:` steps from GitHub Actions # and checks these with shellcheck. This is arguably its most useful feature, # but the integration only works if shellcheck is installed - "github.com/wasilibs/go-shellcheck/cmd/shellcheck@v0.10.0" - repo: https://github.com/woodruffw/zizmor-pre-commit rev: v1.0.1 hooks: - id: zizmor # Should be the last one: - repo: meta hooks: - id: check-hooks-apply - id: check-useless-excludes ci: autoupdate_schedule: quarterly
diff --git a/action.yml b/action.yml
index df8715327830..732929412651 100644
--- a/action.yml
+++ b/action.yml
@@ -32,7 +32,7 @@ branding: runs: using: composite steps: - - name: mypy setup + - name: mypy setup # zizmor: ignore[template-injection] shell: bash run: | echo ::group::Installing mypy...
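Review bot: Adding shellcheck under `additional_dependencies` makes actionlint lint every `run:` block, but the `-ignore=SC2(046|086)` argument in the context lines just above suppresses SC2046 and SC2086 (unquoted command substitution and unquoted variable expansion) repo-wide, and those are precisely the findings that catch `${{ }}` values spliced into a shell command unquoted. Either narrow that ignore or record the trade-off next to it, e.g. `# SC2046/SC2086 are ignored repo-wide; run: steps that interpolate expressions still need manual review`. The `args:` list holding the ignore begins before this hunk.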
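Review bot: `# zizmor: ignore[template-injection]` on the `mypy setup` step silences a finding about expressions interpolated into the `run: |` script that follows, but the script body is outside the hunk, so a reader cannot verify that every interpolated value is an action `inputs.*` setting chosen by the calling workflow rather than event data. The more durable fix is to pass those values through the step's `env:` block and reference them as `"$VAR"` inside the script, after which the suppression can be dropped; failing that, the comment should say what is interpolated and why it is trusted, e.g. `# zizmor: ignore[template-injection] -- only action inputs are interpolated; they are set by the calling workflow`. The `run:` block continues past the end of the hunk.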