workflows: some zizmor issues fixes #2641
Conversation
zizmor flags that code checkout with persist credentials is a security risk. Default behavior of actions/checkout is to always persist so zizmor has complained about that in a lot of our workflows. We don't need to persist the credentials, hence, explicitly setting `persist-credentials: false` in all workflows that checkout code. Signed-off-by: Wainer dos Santos Moschetta <[email protected]>
Fix a lot of template injection issues flagged by zizmor on the github workflows. The fix pattern is to export the input/matrix/secret/var in form of environment variables for the scripts. Assisted-by: `zizmor --fix` and Cursor Signed-off-by: Wainer dos Santos Moschetta <[email protected]>
|
@mkulke the azure-e2e-test workflow is almost completely free of template injection issues. I ran out of energy to fix the one related with the calls to @stevenhorsman @ldoktor please reviews :) |
Hey @wainersm, where did you see the zizmor warnings/errors? zizmor in the CI seems to be content w/ the workflows, see here. Are our settings too relaxed? If so, we probably should adjust them also in this PR? Looking at the changes. I'm not sure what template injection issues are being addressed. Usually an injection can happen if you parse untrusted strings, and when you do this (in our current configuration) zizmor complains about, which is good. strings that are in github.secrets/vars are usually not untrusted, they are controlled by the repo owner (and zizmor can tell the difference), but well, you can argue... however e.g. this is not about injection at all: 
The string is expanded within the yaml somewhere at github, there is nothing that would be injected from either trusted or untrusted sources. So, I'm on the fence, if this is considered good practice nowadays, let's do it. But in any case, this should be enforced by the CI. |
Hi @mkulke ! I ran The report that you pointed here is green but it generated a report. I think it will only raise a fail if the changes in the PR touches a block of code that contains a warning. In other words, our zizmor workflow is configured to catch new issues on the code base.
Sorry I didn't share the actual rule: https://docs.zizmor.sh/audits/#template-injection I'm addressing. Basically zizmor complains any use of It complains even when it is read values from repo owner controlled variables, for example,
This is the warning about jitter can be found in the same report that you shared above, in https://github.com/confidential-containers/cloud-api-adaptor/actions/runs/18603338548/job/53046857607#step:3:2852
I see some options:
IMO, we should pursue (2) but sometimes it's easier to just fix everything (3) (although you increase chances of breaking workflows...) I can split this PR in two if that helps. At begin I wanted to address the persist-credentials warnings as I discussed with @ldoktor and @stevenhorsman in #2607 (comment) , which the first commit, but then I think I got too happy because it was Friday and started fixing the warnings about the template stuff :) |
thx for explaining, @wainersm. yeah it probably makes sense to split the commit: I'm not sure we have to use -pedantic, If we run zizmor with the default, the injections problems are still caught: there are already a lot of findings with the default setting maybe it makes sense if we fix those and then it would match the settings that we enforce in the CI. |
|
I can do the azure workflow files (I'll open a separate PR) |
stevenhorsman
left a comment
stevenhorsman
left a comment
There was a problem hiding this comment.
The changes look okay to me, but impact the workflows, so any chance we can run what we can as an upstream branch to check them before merging?
| fi | ||
| env: | ||
| IMAGE_TAGS: ${{ inputs.image_tags }} | ||
| REGISTRY: ${{ inputs.registry }} No newline at end of file |
There was a problem hiding this comment.
Can we get the new line back?
|
action lint is also unhappy with some of the changes |
| AZURE_RESOURCE_GROUP: ${{ vars.AZURE_RESOURCE_GROUP }} | ||
| run: | | ||
| NODE_RG="$(az aks show -g ${{ vars.AZURE_RESOURCE_GROUP }} -n "$CLUSTER_NAME" --query nodeResourceGroup -o tsv)" | ||
| NODE_RG="$(az aks show -g ${AZURE_RESOURCE_GROUP} -n "$CLUSTER_NAME" --query nodeResourceGroup -o tsv)" |
There was a problem hiding this comment.
There is an unrelated previously existing inconsistency in $CLUSTER_NAME -> ${CLUSTER_NAME}. Could you address that as a new commit (or do we not care?)
| - name: Create peerpod subnet | ||
| env: | ||
| AZURE_LOCATION: ${{ matrix.parameters.location }} | ||
| AZURE_RESOURCE_GROUP: ${{ vars.AZURE_RESOURCE_GROUP }} |
There was a problem hiding this comment.
The AZURE_RESOURCE_GROUP repeats quite often, wouldn't it be better to move it to workflow env?
| fi | ||
| make build | ||
| env: | ||
| RELEASE_BUILD: ${{ matrix.type == 'release' && true || false }} |
There was a problem hiding this comment.
This should work (according to AI) but wouldn't it be safer to quote the "true" and "false" since we expect string? IMO it'd be more explicit.
There was a problem hiding this comment.
Overall looks good, thanks for the separation and nice commit descriptions :-). I left a few little notes, but only the @stevenhorsman's extra line and shellcheck/gha workflow issues seem important (perhaps even the true->"true" but not super important).
There are quite a few changes so it'd indeed be nice to commit it to a new tag to get full ci execution before merging (although git revert works as well ;-) )
| dev_tags=${{ inputs.dev_tags }} | ||
| release_tags=${{ inputs.release_tags }} | ||
| dev_tags=${DEV_TAGS} | ||
| release_tags=${RELEASE_TAGS} |
There was a problem hiding this comment.
The shellcheck is right, there are several places lacking quotation like here...
4 participants
persist-credentials: falseRan "daily e2e test" in https://github.com/wainersm/cc-cloud-api-adaptor/actions/runs/18598214127 and apparently not issues caused by these changes.