Zizmor audit #29251


Merged
merged 4 commits into from
Dec 9, 2024

Conversation

QuLogic
Member

@QuLogic QuLogic commented Dec 7, 2024

PR summary

This applies suggestions from zizmor to increase the security of the Actions workflows. Currently, we can almost pass the "auditor" persona (the strictest) except for:

  • "expression may expand into a self-hosted runner", but we don't have any self-hosted runners, so this is a false positive.
  • "pull_request_target is almost always used insecurely", but we neither a) use user-controlled target substitutions, nor b) run any code from the checkout. So I believe these are safe as nothing user-controlled can be injected.

I do not believe we have any glaring security holes here, but this PR just avoids any cause for concern from auditing.

PR checklist

We only have a public repo, and should have locked down permissions on
the token, but it's best practice not to leak these out into other steps
of the job.
Moved the permissions to the jobs that need them, though this is
probably not a big change for the reviewdog workflow. Also drop the
`pull-request` permission from the reviewdog workflow, as it's not in
the mypy-stubtest one, and still seems to work.
I don't believe `do_no_merge.yml` is unsafe, but there's no need to echo
the environment variable (it'll either pass or fail based on the value
anyway.)

I also don't think the `circleci.yml` context variable is vulnerable,
but zizmor warns about it, and it's easy to avoid if it turns out to be
vulnerable.
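The two hardening moves the PR describes, scoping token permissions to the jobs that need them and keeping a GitHub expression out of a `run:` script, shown side by side in an added illustrative workflow. This is not matplotlib's workflow or code from this PR; the workflow name, job names, the placeholder comment step and the use of `github.event.pull_request.title` as the example context value are assumptions chosen for illustration.

```yaml
# Added example, not from the matplotlib repository. Names, jobs and the
# context value used below are assumed for illustration only.
name: example-hardened

on:
  pull_request:

# Workflow-level default: read-only. Jobs that need more ask for it explicitly,
# so a write-capable token is never handed to steps that do not need it.
permissions:
  contents: read

jobs:
  # BEFORE (the pattern zizmor flags): a context expression is interpolated
  # straight into the shell script. Whatever the expression expands to is
  # parsed by the shell as part of the command, not treated as data.
  weak:
    runs-on: ubuntu-latest
    steps:
      - run: echo "PR title: ${{ github.event.pull_request.title }}"

  # AFTER: the expression is bound to an environment variable and the
  # variable is quoted, so the shell only ever sees a string value.
  hardened:
    runs-on: ubuntu-latest
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $PR_TITLE"

  # Only the job that actually needs to write gets that permission, rather
  # than every job inheriting it from a workflow-level grant.
  comment:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      # Do not leave the token behind in .git/config for later steps.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: echo "placeholder for the step that posts review comments"
```

The `weak` job is kept only to show the shape zizmor reports; in a real workflow it would be deleted, not left alongside the fixed job. The checks the PR refers to are zizmor's audits, and the strictest set mentioned in the description corresponds to its `auditor` persona, selected with `--persona auditor` in current releases when running `zizmor` over the `.github/workflows/` directory.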
@github-actions github-actions bot added CI: Run cibuildwheel Run wheel building tests on a PR CI: Run cygwin Run cygwin tests on a PR topic: pyplot API labels Dec 7, 2024
@QuLogic
Member Author

QuLogic commented Dec 7, 2024

I pushed a commit to break linting and confirm that reviewdog was still working, and it seems to have posted the failures correctly without the pull-request permission, so I'll drop that commit now.

@tacaswell tacaswell added this to the v3.10.0 milestone Dec 9, 2024
@timhoffm timhoffm merged commit f0ecacc into matplotlib:main Dec 9, 2024
44 checks passed
meeseeksmachine pushed a commit to meeseeksmachine/matplotlib that referenced this pull request Dec 9, 2024
@QuLogic QuLogic deleted the zizmor-audit branch December 9, 2024 22:53
greglucas added a commit that referenced this pull request Dec 9, 2024
…251-on-v3.10.x

Backport PR #29251 on branch v3.10.x (Zizmor audit)