
Conversation

glehmann
Member

@glehmann glehmann commented Jul 16, 2025

Use https://zizmor.sh to check our github actions (in a github workflow).
Fix the problems shown by zizmor.
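
The scanning workflow the description refers to, as an added example: this is not the repository's own .github/workflows/zizmor.yml (the page does not reproduce that file) but follows the GitHub Actions usage documented by zizmor: check out the repository, run zizmor with uvx, write SARIF, and hand the file to github/codeql-action/upload-sarif so the findings land in the Security tab (which is what the code-scanning notice below this description is about). The setup-uv pin is the one shown in this PR; the commit SHAs for actions/checkout and upload-sarif are placeholders to fill in from the corresponding release tags, and the branch names, file name and SARIF category are assumptions.

```yaml
name: zizmor

on:
  push:
    branches: ["master"]          # assumed default branch
  pull_request:
    branches: ["**"]

# Workflow-level default: no GITHUB_TOKEN scopes at all (zizmor's
# excessive-permissions audit). Each job grants exactly what it needs.
permissions: {}

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      security-events: write      # needed by upload-sarif
      contents: read              # checkout on private repos; harmless on public ones
      actions: read               # lets upload-sarif read workflow metadata on private repos
    steps:
      - name: Checkout repository
        uses: actions/checkout@<commit-sha>   # vX.Y.Z  placeholder: pin to the v4 release SHA
        with:
          persist-credentials: false          # artipacked: do not leave the token in .git/config

      - name: Setup UV
        uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba  # v6.3.1

      - name: Run zizmor
        # Scan every workflow under .github/workflows and emit SARIF.
        # GH_TOKEN lets zizmor resolve tags to commits for its pinning checks;
        # it is read-only here because of the permissions block above.
        run: uvx zizmor --format=sarif . > results.sarif
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@<commit-sha>   # vX.Y.Z  placeholder: pin to a v3 release SHA
        with:
          sarif_file: results.sarif
          category: zizmor
```

Two things to check before merging a workflow like this: the upload step needs `security-events: write`, so the workflow-level `permissions: {}` must be overridden at the job level exactly as above, and the scanning job itself should pass zizmor (pinned actions, no persisted credentials), since zizmor scans it along with the workflows it is meant to audit.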

@glehmann glehmann force-pushed the actions-hardening branch 2 times, most recently from 02fcad7 to e848b1e Compare July 16, 2025 12:52
@glehmann glehmann marked this pull request as draft July 16, 2025 12:54
@glehmann glehmann force-pushed the actions-hardening branch 3 times, most recently from 96e47d7 to 09b2535 Compare July 16, 2025 13:19
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@glehmann glehmann force-pushed the actions-hardening branch 2 times, most recently from ff97c10 to 1e1d8c7 Compare July 16, 2025 13:33
@glehmann glehmann marked this pull request as ready for review July 16, 2025 13:37
as recommended by zizmor

Signed-off-by: Gaëtan Lehmann <[email protected]>
@glehmann glehmann force-pushed the actions-hardening branch from 1e1d8c7 to 515c202 Compare July 16, 2025 13:39
@glehmann glehmann requested a review from Copilot July 16, 2025 13:40

@Copilot Copilot AI left a comment


Pull Request Overview

This PR enhances security for GitHub Actions workflows by enforcing least-privilege defaults, disabling credential persistence, and pinning setup-uv to a specific commit.

  • Add top-level permissions: {} to lock down default GITHUB_TOKEN permissions
  • Disable credential persistence on checkout steps and pin astral-sh/setup-uv to a commit SHA
  • Introduce a new zizmor security analysis workflow with SARIF reporting

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File | Description
.github/workflows/zizmor.yml | New workflow to run zizmor and upload SARIF security findings
.github/workflows/requirements-check.yml | Tighten permissions, update UV setup, combine UV install & sync
.github/workflows/format.yml | Tighten permissions, update UV setup, combine UV install & sync
.github/workflows/code-checkers.yml | Tighten permissions, update UV setup, combine UV install & sync

Comments suppressed due to low confidence (4)

.github/workflows/requirements-check.yml:5

  • Setting top-level permissions to an empty map removes the ability to read repository contents, which will break the actions/checkout step. Please explicitly grant contents: read either at the top level or within the job.
permissions: {}

.github/workflows/format.yml:5

  • With permissions: {} set, the checkout action cannot read the repository. Add contents: read to restore read access for actions/checkout.
permissions: {}

.github/workflows/code-checkers.yml:5

  • Removing all default permissions prevents reading code on checkout. Include contents: read so actions/checkout functions correctly.
permissions: {}

.github/workflows/requirements-check.yml:14

  • [nitpick] Consider adding an explicit name: to this step (e.g., name: Setup UV) for clearer workflow logs and better step identification.
    - uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba  # v6.3.1
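
The four remediations listed in the review summary above (and the "fix the problems shown by zizmor" step in the PR description), shown as a before/after on one job. This is an added example reconstructed from what the page says, not a copy of the repository's workflow files: the `actions/checkout@v2` line is the one quoted in the review below, the `mypy` job name likewise, and the rest of the "before" shape (a floating `setup-uv` tag, separate install and sync steps) is assumed. The `setup-uv` pin is the one from this PR; the checkout SHA is a placeholder to fill in from the v4 release. The pattern of a workflow-level `permissions: {}` plus a job-level `contents: read` satisfies zizmor's excessive-permissions audit and also answers the checkout concern raised in the suppressed comments: the job-level grant is what keeps checkout working on private repositories, and it costs nothing on public ones.

```yaml
# BEFORE: a typical job prior to hardening (reconstructed, see lead-in).
# Problems zizmor reports on it: no permissions block, so GITHUB_TOKEN gets
# the repository default scopes (excessive-permissions); checkout persists
# the token into .git/config for every later step (artipacked); actions are
# referenced by floating tags that can be moved to new code (unpinned-uses).
name: code-checkers
on: [push, pull_request]

jobs:
  mypy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2            # floating tag, credentials persisted
      - uses: astral-sh/setup-uv@v6          # floating tag (assumed)
      - run: uv sync                         # separate install/sync steps (assumed)
      - run: uv run mypy .
---
# AFTER: the same job with the changes described in the review summary.
name: code-checkers
on: [push, pull_request]

# Workflow-level default is "no scopes"; jobs opt in to what they need.
permissions: {}

jobs:
  mypy:
    runs-on: ubuntu-latest
    permissions:
      contents: read                         # enough for actions/checkout
    steps:
      - name: Checkout
        uses: actions/checkout@<commit-sha>  # vX.Y.Z  placeholder: pin to the v4 release SHA
        with:
          # Do not write GITHUB_TOKEN into .git/config: a compromised later
          # step (or a cached checkout) would otherwise be able to read it.
          persist-credentials: false
      - name: Setup UV
        uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba  # v6.3.1
      - name: Install dependencies
        run: uv sync
      - name: Run mypy
        run: uv run mypy .
```

One caveat that follows from `persist-credentials: false`: any later step that needs the token for git operations (pushing a formatter's changes back, fetching a private submodule) no longer gets it implicitly and must be given credentials explicitly for that step, scoped by the job's `permissions` block. Keep the `# vX.Y.Z` comment next to each SHA pin; it is the only human-readable record of which release the hash corresponds to, and tooling such as Dependabot uses it to propose updates.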

@glehmann glehmann requested a review from psafont July 16, 2025 13:41
mypy:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v2
Contributor


checkout is now at version 4, they should be updated

@glehmann glehmann force-pushed the actions-hardening branch 5 times, most recently from 22fc1a3 to 9e279df Compare July 16, 2025 15:02
Signed-off-by: Gaëtan Lehmann <[email protected]>
@glehmann glehmann force-pushed the actions-hardening branch from 9e279df to 6d40602 Compare July 16, 2025 15:07
@glehmann glehmann merged commit 566f14f into master Jul 17, 2025
9 checks passed
@glehmann glehmann deleted the actions-hardening branch July 17, 2025 14:17
