@Hook25 Hook25 commented Mar 4, 2025

Description

While updating our security scanning tool zizmor to 1.4.1, I discovered a few new warnings that it finds. The following updates the tool and fixes all the warnings.

This may break a few pipelines, but we can fix them once we find them; the GH documentation about permissions is very bad and unclear about what each thing needs.

Resolved issues

Fixes: CHECKBOX-1774

Documentation

N/A

Tests

N/A

@Hook25 Hook25 requested review from a team as code owners March 4, 2025 13:28
@Hook25 Hook25 force-pushed the update_security_pipeline branch from 2c9ea6b to ae7a9fc Compare March 4, 2025 13:32
@Hook25 Hook25 force-pushed the update_security_pipeline branch from ae7a9fc to 7f07a79 Compare March 4, 2025 13:34
@pieqq pieqq left a comment

This is pretty hard to test as is; let's land it and see what breaks, as you said.

@Hook25 Hook25 merged commit a18eb05 into main Mar 6, 2025
9 checks passed
@Hook25 Hook25 deleted the update_security_pipeline branch March 6, 2025 10:17
stanley31huang pushed a commit that referenced this pull request Mar 28, 2025
* Update to zizmor latest

* Add workflow permission contents: read to all workflows

* Propagate secrets explicitly

* Also inherit credentials for ce-oem

* Fine grained validate_workflow access

* Also set permissions for testlinger workflow

* Also give access to actions beta release pipeline

* Give additional access to actions

* Move the permission to a workflow level
mreed8855 pushed a commit that referenced this pull request Jul 31, 2025
* Update to zizmor latest

* Add workflow permission contents: read to all workflows

* Propagate secrets explicitly

* Also inherit credentials for ce-oem

* Fine grained validate_workflow access

* Also set permissions for testlinger workflow

* Also give access to actions beta release pipeline

* Give additional access to actions

* Move the permission to a workflow level
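The shape of the change these commits describe, as an added illustration rather than a file from the checkbox repository: a workflow-level `permissions: contents: read` default, secrets passed to a reusable workflow by name instead of `secrets: inherit` (the two patterns zizmor's excessive-permissions and secrets-inherit audits flag), and a per-job elevation only where a job needs more. The job names, the secret name and the reusable workflow path are placeholders.

```yaml
# Added example, not code from the PR. Names and paths are placeholders.

# --- Before: what zizmor warns about ---
# No `permissions:` block, so every job receives the repository's default
# GITHUB_TOKEN grants, and `secrets: inherit` forwards every repository
# secret to the called workflow whether it needs it or not.
#
# on: [pull_request]
# jobs:
#   validate:
#     uses: ./.github/workflows/validate_workflow.yaml   # placeholder path
#     secrets: inherit

# --- After: the pattern the commits above describe ---
on: [pull_request]

# Workflow-level default for every job: the token may only read contents.
permissions:
  contents: read

jobs:
  validate:
    # The reusable workflow gets only the secret it actually uses.
    uses: ./.github/workflows/validate_workflow.yaml   # placeholder path
    secrets:
      EXAMPLE_TOKEN: ${{ secrets.EXAMPLE_TOKEN }}      # placeholder secret name

  publish:
    runs-on: ubuntu-latest
    # Hypothetical release job: elevate this job alone, and only to the
    # scope it needs, instead of widening the workflow-level default.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: echo "release steps would go here"
```

Running `zizmor` against the workflow directory after such a change shows whether any job still relies on the default token grants or on inherited secrets.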