Zizmor audit #29251

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Dec 9, 2024
15 changes: 8 additions & 7 deletions .github/workflows/cibuildwheel.yml
Expand Up @@ -39,11 +39,12 @@ jobs:
SDIST_NAME: ${{ steps.sdist.outputs.SDIST_NAME }}

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false

- uses: actions/setup-python@v5
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
name: Install Python
with:
python-version: '3.10'
Expand All @@ -69,7 +70,7 @@ jobs:
run: twine check dist/*

- name: Upload sdist result
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: cibw-sdist
path: dist/*.tar.gz
Expand Down Expand Up @@ -132,12 +133,12 @@ jobs:
steps:
- name: Set up QEMU
if: matrix.cibw_archs == 'aarch64'
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
with:
platforms: arm64

- name: Download sdist
uses: actions/download-artifact@v4
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: cibw-sdist
path: dist/
Expand Down Expand Up @@ -201,7 +202,7 @@ jobs:
unset PIP_CONSTRAINT
if: matrix.cibw_archs != 'aarch64' && matrix.os != 'windows-latest'

- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: cibw-wheels-${{ runner.os }}-${{ matrix.cibw_archs }}
path: ./wheelhouse/*.whl
Expand All @@ -219,7 +220,7 @@ jobs:
contents: read
steps:
- name: Download packages
uses: actions/download-artifact@v4
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
pattern: cibw-*
path: dist
10 changes: 7 additions & 3 deletions .github/workflows/circleci.yml
Expand Up @@ -28,16 +28,20 @@ jobs:
runs-on: ubuntu-latest
name: Post warnings/errors as review
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

- name: Fetch result artifacts
id: fetch-artifacts
env:
target_url: "${{ github.event.target_url }}"
run: |
python .circleci/fetch_doc_logs.py "${{ github.event.target_url }}"
python .circleci/fetch_doc_logs.py "${target_url}"

- name: Set up reviewdog
if: "${{ steps.fetch-artifacts.outputs.count != 0 }}"
uses: reviewdog/action-setup@v1
uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.0
with:
reviewdog_version: latest

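Review bot: The version comment on the reviewdog/action-setup pin disagrees across files: this hunk labels 3f401fe1d58fe77e10d665ab713057375e39b887 as `# v1.3.0`, while mypy-stubtest.yml and reviewdog.yml label the same SHA `# v1.3.9`. Only one can be right, and pin-updating tooling and reviewers read that comment to map the SHA back to a release, so the wrong one should be corrected against the upstream tag rather than guessed. Separately, moving `github.event.target_url` into `env` closes the expression-injection path in the `run` line, but whether `.circleci/fetch_doc_logs.py` restricts the URL to the expected host is not visible here; if it does not, a host check inside the script would be the natural next hardening step.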
3 changes: 2 additions & 1 deletion .github/workflows/clean_pr.yml
Expand Up @@ -10,9 +10,10 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: '0'
persist-credentials: false
- name: Check for added-and-deleted files
run: |
git fetch --quiet origin "$GITHUB_BASE_REF"
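Review bot: The new `persist-credentials: false` means the `git fetch --quiet origin "$GITHUB_BASE_REF"` step a few lines below now runs without the job token, which works only because the remote is reachable anonymously. A short comment would keep a future maintainer from re-enabling credentials or being surprised on a private fork, e.g. `persist-credentials: false  # fetch below needs no token on a public repo`. The run step's body continues outside the hunk.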
8 changes: 5 additions & 3 deletions .github/workflows/codeql-analysis.yml
Expand Up @@ -26,10 +26,12 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

- name: Initialize CodeQL
uses: github/codeql-action/init@v3
uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
with:
languages: ${{ matrix.language }}

Expand All @@ -40,4 +42,4 @@ jobs:
pip install --user -v .

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
5 changes: 2 additions & 3 deletions .github/workflows/conflictcheck.yml
Expand Up @@ -9,12 +9,11 @@ on:
pull_request_target:
types: [synchronize]

permissions:
pull-requests: write

jobs:
main:
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- name: Check if PRs have merge conflicts
uses: eps1lon/actions-label-merge-conflict@1b1b1fcde06a9b3d089f3464c96417961dde1168 # v3.0.2
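Review bot: Dropping the workflow-level `permissions` block entirely, rather than narrowing it, means any job added later without its own `permissions` falls back to the repository's default token permissions; pr_welcome.yml makes the same change. Keeping a minimal top-level block, e.g. `permissions: {}` or `permissions:` with `  contents: read` as mypy-stubtest.yml and reviewdog.yml do in this same PR, preserves a least-privilege default while the job-level `pull-requests: write` still applies to `main`. The rest of the `main` job is outside the hunk.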
11 changes: 6 additions & 5 deletions .github/workflows/cygwin.yml
Expand Up @@ -79,11 +79,12 @@ jobs:
- name: Fix line endings
run: git config --global core.autocrlf input

- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
persist-credentials: false

- uses: cygwin/cygwin-install-action@v4
- uses: cygwin/cygwin-install-action@006ad0b0946ca6d0a3ea2d4437677fa767392401 # v4
with:
packages: >-
ccache gcc-g++ gdb git graphviz libcairo-devel libffi-devel
Expand Down Expand Up @@ -139,21 +140,21 @@ jobs:
# FreeType build fails with bash, succeeds with dash

- name: Cache pip
uses: actions/cache@v4
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: C:\cygwin\home\runneradmin\.cache\pip
key: Cygwin-py3.${{ matrix.python-minor-version }}-pip-${{ hashFiles('requirements/*/*.txt') }}
restore-keys: ${{ matrix.os }}-py3.${{ matrix.python-minor-version }}-pip-

- name: Cache ccache
uses: actions/cache@v4
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: C:\cygwin\home\runneradmin\.ccache
key: Cygwin-py3.${{ matrix.python-minor-version }}-ccache-${{ hashFiles('src/*') }}
restore-keys: Cygwin-py3.${{ matrix.python-minor-version }}-ccache-

- name: Cache Matplotlib
uses: actions/cache@v4
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: |
C:\cygwin\home\runneradmin\.cache\matplotlib
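Review bot: The `cygwin/cygwin-install-action` pin is annotated only as `# v4`, unlike every other pin in this PR which records a full release version; since that comment is what pin-updating tooling and reviewers use to map the SHA back to a release, it should name the exact tag the SHA corresponds to, looked up upstream rather than guessed. Unrelated to the pin: the pip cache `restore-keys` uses `${{ matrix.os }}-py3...` while `key` starts with `Cygwin-py3...`, so the fallback prefix appears never to match unless `matrix.os` is `Cygwin`; that looks like a pre-existing defect worth a separate fix.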
1 change: 0 additions & 1 deletion .github/workflows/do_not_merge.yml
Expand Up @@ -23,7 +23,6 @@ jobs:
echo "This PR cannot be merged because it has one of the following labels: "
echo "* status: needs comment/discussion"
echo "* status: waiting for other PR"
echo "${{env.has_tag}}"
exit 1
- name: Allow merging
if: ${{'false' == env.has_tag}}
2 changes: 1 addition & 1 deletion .github/workflows/good-first-issue.yml
Expand Up @@ -12,7 +12,7 @@ jobs:
issues: write
steps:
- name: Add comment
uses: peter-evans/create-or-update-comment@v4
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with:
issue-number: ${{ github.event.issue.number }}
body: |
2 changes: 1 addition & 1 deletion .github/workflows/labeler.yml
Expand Up @@ -10,6 +10,6 @@ jobs:
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@v5
- uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
with:
sync-labels: true
11 changes: 7 additions & 4 deletions .github/workflows/mypy-stubtest.yml
Expand Up @@ -4,22 +4,25 @@ on: [pull_request]

permissions:
contents: read
checks: write

jobs:
mypy-stubtest:
name: mypy-stubtest
runs-on: ubuntu-latest
permissions:
checks: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

- name: Set up Python 3
uses: actions/setup-python@v5
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: '3.10'

- name: Set up reviewdog
uses: reviewdog/action-setup@v1
uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.9

- name: Install tox
run: python -m pip install tox
8 changes: 3 additions & 5 deletions .github/workflows/pr_welcome.yml
Expand Up @@ -3,15 +3,13 @@ name: PR Greetings

on: [pull_request_target]

permissions:
pull-requests: write

jobs:
greeting:
runs-on: ubuntu-latest

permissions:
pull-requests: write
steps:
- uses: actions/first-interaction@v1
- uses: actions/first-interaction@34f15e814fe48ac9312ccf29db4e74fa767cbab7 # v1.3.0
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
pr-message: >+
30 changes: 20 additions & 10 deletions .github/workflows/reviewdog.yml
Expand Up @@ -4,26 +4,28 @@ on: [pull_request]

permissions:
contents: read
checks: write
pull-requests: write

jobs:
flake8:
name: flake8
runs-on: ubuntu-latest
permissions:
checks: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

- name: Set up Python 3
uses: actions/setup-python@v5
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: '3.10'

- name: Install flake8
run: pip3 install -r requirements/testing/flake8.txt

- name: Set up reviewdog
uses: reviewdog/action-setup@v1
uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.9

- name: Run flake8
env:
Expand All @@ -36,19 +38,23 @@ jobs:
mypy:
name: mypy
runs-on: ubuntu-latest
permissions:
checks: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

- name: Set up Python 3
uses: actions/setup-python@v5
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: '3.10'

- name: Install mypy
run: pip3 install -r requirements/testing/mypy.txt -r requirements/testing/all.txt

- name: Set up reviewdog
uses: reviewdog/action-setup@v1
uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.9

- name: Run mypy
env:
Expand All @@ -63,11 +69,15 @@ jobs:
eslint:
name: eslint
runs-on: ubuntu-latest
permissions:
checks: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

- name: eslint
uses: reviewdog/action-eslint@v1
uses: reviewdog/action-eslint@9b5b0150e399e1f007ee3c27bc156549810a64e3 # v1.33.0
with:
filter_mode: nofilter
github_token: ${{ secrets.GITHUB_TOKEN }}
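Review bot: `pull-requests: write` is removed from the workflow level but not granted to any job, yet the eslint step still passes `github_token` to reviewdog, and the flake8 and mypy `Run` steps are cut off by the hunk boundaries so their reporter settings cannot be checked here. If any of these uses the `github-pr-review` reporter, posting review comments will now fail with a 403, whereas `github-check` / `github-pr-check` only need the `checks: write` the jobs now have. Please confirm the reporter for each job, and where a job really does post PR comments add `pull-requests: write` to that job's `permissions` only, keeping the narrowed workflow-level default.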
2 changes: 1 addition & 1 deletion .github/workflows/stale-tidy.yml
Expand Up @@ -9,7 +9,7 @@ jobs:
if: github.repository == 'matplotlib/matplotlib'
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v9
- uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
operations-per-run: 300
2 changes: 1 addition & 1 deletion .github/workflows/stale.yml
Expand Up @@ -9,7 +9,7 @@ jobs:
if: github.repository == 'matplotlib/matplotlib'
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v9
- uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
operations-per-run: 20