ci: add zizmor action #1422
Conversation
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Does this need some change to
we might also want to consider adding this: https://github.com/zizmorcore/zizmor-pre-commit
Adding a pre-commit action would definitely make it more transparent, but then we would end up with both the zizmor pre-commit hook and the zizmor action in the pipeline.
We could use this as a starting point to improve the documentation of the actions we're using, because right now we don't explicitly document any of them.
Sounds like a plan. Right now a lot of it is implicitly covered by us using pre-commit for linting, and documenting the actions setup properly would for sure be beneficial.
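For the pre-commit route discussed above, this is what the hook registration would look like. It is an added example, not this repository's own .pre-commit-config.yaml: the repo URL is the one linked in the thread, while the hook id `zizmor` and the pinned revision are assumptions that need checking against the hook repository's release list.

```yaml
# .pre-commit-config.yaml (added example, not the project's own config)
repos:
  # Runs zizmor over .github/workflows locally before each commit, so findings
  # surface before the CI action sees them. The hook id and the revision are
  # assumptions; replace <PINNED_TAG> with a real, immutable release tag.
  - repo: https://github.com/zizmorcore/zizmor-pre-commit
    rev: <PINNED_TAG>
    hooks:
      - id: zizmor
```

If the CI pipeline already runs `pre-commit run --all-files`, this single hook definition covers both the local and the CI run, which avoids maintaining the hook and a separate zizmor action side by side.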
dangerous-triggers:
  ignore:
    # We need the pull_request_target trigger here to allow us to add labels
    # to PRs. We restrict the permissions within the job to "pull-requests: write"
    - .github/workflows/pr-sizing.yaml
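Review bot: this ignore entry silences the dangerous-triggers audit for the whole of .github/workflows/pr-sizing.yaml, not just the pull_request_target trigger the comment justifies, so any trigger added to that file later is suppressed as well. The justification also rests on the job holding only "pull-requests: write"; consider noting next to the ignore that it must be re-evaluated whenever the permissions or the steps of pr-sizing.yaml change, since the config will not flag such a change on its own.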
I love the warning you added to .github/workflows/pr-sizing.yaml.
I think we should do some more stringent review of our usage of pull_request_target; it just doesn't feel like it's false positive enough to ignore without further analysis. We have "Require approval for all external contributors" enabled on the repo, but zizmor makes me question if that is enough.
Do we want to do an "appsec" style review in this thread or would we prefer doing this in a new issue?
It's definitely not a false positive, but I would assume that changing it to pull_request would require us to configure some credentials to allow the pr size action to add labels to PRs.
I'm fine with doing an appsec review in this PR, since my goal was to improve the security of this repository and I'd rather do this all in one swoop. We might want to split out the simple fixes from this PR into another one and focus on the introduction of zizmor in this one.
While preparing #1424 I realized that the pr-sizing action is not even checking out the source code, but instead getting the number of changed lines from the files in the PR. But that doesn't actually change the security stance much, since anyone could introduce a change to the workflow that would be executed in the context of this repository.
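The pattern discussed in the comments above (pull_request_target so the job has a token that can write labels, no checkout of the PR's code, permissions limited to "pull-requests: write") can be written down explicitly. The following is an added example of such a label-by-size workflow; it is not the repository's pr-sizing.yaml. The workflow name, the job name, the size thresholds, the `size/*` label names and the use of `gh` are assumptions, and the `size/*` labels are assumed to already exist in the repository.

```yaml
# Added example of a label-adding workflow on pull_request_target (not the
# repository's own pr-sizing.yaml). Names, thresholds and labels are assumptions.
name: pr-sizing-example
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Default token scope for every job: nothing. Each job opts in to exactly the
# scopes it needs, so a misbehaving step cannot reach repo contents or secrets.
permissions: {}

jobs:
  size:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write   # the single scope needed to add a label
    steps:
      # Deliberately no actions/checkout here. With pull_request_target the
      # token is privileged, so checking out and executing anything from the
      # PR head (for example ref: ${{ github.event.pull_request.head.sha }})
      # would run an outside contributor's code with that token. The change
      # size is taken from the event payload instead, which needs no checkout.
      - name: Label by change size
        env:
          # Untrusted PR fields are passed through env variables, never
          # interpolated directly into the run: script, so their content is
          # data to the shell rather than code.
          ADDITIONS: ${{ github.event.pull_request.additions }}
          DELETIONS: ${{ github.event.pull_request.deletions }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          GH_TOKEN: ${{ github.token }}
        run: |
          total=$((ADDITIONS + DELETIONS))
          if [ "$total" -lt 50 ]; then
            label=size/S
          elif [ "$total" -lt 500 ]; then
            label=size/M
          else
            label=size/L
          fi
          # GITHUB_REPOSITORY is set by the runner; the label must already exist.
          gh pr edit "$PR_NUMBER" --add-label "$label" --repo "$GITHUB_REPOSITORY"
```

What makes this acceptable under pull_request_target is the combination, not any single line: the workflow definition that runs comes from the base branch, nothing from the PR branch is checked out or executed, the token is scoped to one permission, and the only PR-controlled values reach the script as environment variables. Removing any one of these (adding a checkout of the head ref, widening permissions, or interpolating PR fields into `run:`) is exactly the situation the dangerous-triggers audit warns about.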
Description
This PR introduces zizmor to scan the security of our GitHub Actions
Issues
n/a
Checklist
artifacthub.io/changes annotation in Chart.yaml, check the example in the documentation.
pre-commit run
docs/