Skip to content

Commit

Permalink
Workflow security fixes (#2023)
Browse files Browse the repository at this point in the history
### What kind of change does this PR introduce?

* De-escalates the privileges of steps in workflows by restricting
credentials
* Reduces the risk of template injection in `run` steps
* Simplifies the `bump-my-version` logic

### Does this PR introduce a breaking change?

It should not.

### Other information:

Changes suggested here were determined from analysis using
https://github.com/woodruffw/zizmor
  • Loading branch information
Zeitsperre authored Dec 13, 2024
2 parents 226c60e + 78e972e commit d595c63
Show file tree
Hide file tree
Showing 12 changed files with 57 additions and 21 deletions.
18 changes: 7 additions & 11 deletions .github/workflows/bump-version.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,10 +6,10 @@ on:
- main
paths-ignore:
- .*
- .github/*/*.md
- .github/*/*.yml
- .github/*.md
- .github/*.yml
- .github/*/*.md
- .github/*/*.yml
- CHANGELOG.rst
- CI/*.in
- CI/*.txt
Expand Down Expand Up @@ -56,6 +56,7 @@ jobs:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
token: ${{ steps.token_generator.outputs.token }}
persist-credentials: false
- name: Set up Python3
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
Expand All @@ -68,28 +69,23 @@ jobs:
git_user_signingkey: true
git_commit_gpgsign: true
trust_level: 5
- name: Current Version
run: |
CURRENT_VERSION="$(grep -E '__version__' src/xclim/__init__.py | cut -d ' ' -f3)"
echo "current_version=${CURRENT_VERSION}"
echo "CURRENT_VERSION=${CURRENT_VERSION}" >> $GITHUB_ENV
- name: Install CI libraries
run: |
python -m pip install --require-hashes -r CI/requirements_ci.txt
- name: Conditional Bump
run: |
if [[ ${{ env.CURRENT_VERSION }} =~ -dev(\.\d+)? ]]; then
CURRENT_VERSION=$(bump-my-version show current_version)
if [[ ${CURRENT_VERSION} =~ -dev(\.\d+)? ]]; then
echo "Development version (ends in 'dev(\.\d+)?'), bumping 'build' version"
bump-my-version bump build
else
echo "Version is stable, bumping 'patch' version"
bump-my-version bump patch
fi
NEW_VERSION="$(grep -E '__version__' src/xclim/__init__.py | cut -d ' ' -f3)"
echo "new_version=${NEW_VERSION}"
echo "NEW_VERSION=${NEW_VERSION}" >> $GITHUB_ENV
echo "new_version=$(bump-my-version show current_version)"
- name: Push Changes
uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # v0.8.0
with:
force: false
branch: ${{ github.ref }}
github_token: '${{ token_generator.outputs.token }}'
2 changes: 2 additions & 0 deletions .github/workflows/cache-cleaner.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,8 @@ jobs:
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

- name: Cleanup
run: |
Expand Down
16 changes: 11 additions & 5 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,17 +5,17 @@ on:
branches:
- main
paths-ignore:
- .github/*/*.yml
- .pre-commit-config.yaml
- CHANGELOG.rst
- CI/*.txt
- Makefile
- pyproject.toml
- tox.ini
- src/xclim/__init__.py
- docs/*/*.ipynb
- docs/*/*.py
- docs/*/*.rst
- .github/*/*.yml
- .pre-commit-config.yaml
- pyproject.toml
- src/xclim/__init__.py
- tox.ini
pull_request:
branches:
- main
Expand Down Expand Up @@ -51,14 +51,20 @@ jobs:
objects.githubusercontent.com:443
pypi.org:443
uploads.github.com:443
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@1245696032ecf7d39f87d54daa406e22ddf769a8
with:
languages: ${{ matrix.language }}

- name: Autobuild
uses: github/codeql-action/autobuild@1245696032ecf7d39f87d54daa406e22ddf769a8

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@1245696032ecf7d39f87d54daa406e22ddf769a8
2 changes: 2 additions & 0 deletions .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,8 @@ jobs:

- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

- name: Dependency Review
uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
Expand Down
8 changes: 8 additions & 0 deletions .github/workflows/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,8 @@ jobs:
continue-on-error: true
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Set up Python3
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
Expand Down Expand Up @@ -138,6 +140,8 @@ jobs:
continue-on-error: true
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Set up Python${{ matrix.python-version }}
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
Expand Down Expand Up @@ -263,6 +267,8 @@ jobs:
continue-on-error: true
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Install Eigen3 (SBCK)
if: ${{ matrix.python-version == '3.11' && matrix.os == 'ubuntu-latest' }}
run: |
Expand Down Expand Up @@ -367,6 +373,8 @@ jobs:
continue-on-error: true
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Setup Conda (Micromamba) with Python${{ matrix.python-version }}
uses: mamba-org/setup-micromamba@06375d89d211a1232ef63355742e9e2e564bc7f7 # v2.0.2
with:
Expand Down
11 changes: 9 additions & 2 deletions .github/workflows/publish-mastodon.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,12 +26,14 @@ jobs:
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

- name: Get Release Description
run: |
# Fetch the release information using the GitHub API
RELEASE_INFO=$(curl -sH "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
"https://api.github.com/repos/${{ github.repository }}/releases/tags/${{ github.event.release.tag_name }}")
"https://api.github.com/repos/${{ github.repository }}/releases/tags/${TAG_NAME}")
# Extract the release description from the response
RELEASE_DESCRIPTION=$(echo "$RELEASE_INFO" | jq -r .body)
Expand All @@ -43,6 +45,8 @@ jobs:
CONTRIBUTORS=$(echo "$CLEANED_DESCRIPTION" | head -n 1)
echo "contributors=${CONTRIBUTORS}" >> $GITHUB_ENV
env:
TAG_NAME: ${{ github.event.release.tag_name }}

- name: Prepare Message
id: render_template
Expand All @@ -55,7 +59,10 @@ jobs:
- name: Message Preview
run: |
echo "${{ steps.render_template.outputs.result }}${{ env.contributors }}"
echo "${TEMPLATE}${CONTRIBUTORS}"
env:
TEMPLATE: ${{ steps.render_template.outputs.result }}
CONTRIBUTORS: ${{ env.contributors }}

- name: Send toot to Mastodon
uses: cbrgm/mastodon-github-action@50b70e53ab0871a90fe364ff96e783c7e3633f15 # v2.1.11
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/publish-pypi.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,8 @@ jobs:
upload.pypi.org:443
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Set up Python3
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,9 @@ on:
- main

# Declare default permissions as read only.
permissions: read-all
# Read-all permission is not technically needed for this workflow.
permissions:
contents: read

jobs:
analysis:
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/tag-testpypi.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,8 @@ jobs:
test.pypi.org:443
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Set up Python3
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
Expand Down
9 changes: 7 additions & 2 deletions .github/workflows/testdata-version.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,8 @@ jobs:
github.com:443
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Find xclim-testdata Tag and CI Testing Branch
run: |
XCLIM_TESTDATA_TAG="$( \
Expand All @@ -43,8 +45,11 @@ jobs:
echo "XCLIM_TESTDATA_BRANCH=${XCLIM_TESTDATA_BRANCH}" >> $GITHUB_ENV
- name: Report Versions Found
run: |
echo "Latest xclim-testdata tag: ${{ env.XCLIM_TESTDATA_TAG }}"
echo "Tag for xclim-testdata in CI: ${{ env.XCLIM_TESTDATA_BRANCH }}"
echo "Latest xclim-testdata tag: ${XCLIM_TESTDATA_TAG}"
echo "Tag for xclim-testdata in CI: ${XCLIM_TESTDATA_BRANCH}"
env:
XCLIM_TESTDATA_TAG: ${{ env.XCLIM_TESTDATA_TAG }}
XCLIM_TESTDATA_BRANCH: ${{ env.XCLIM_TESTDATA_BRANCH }}
- name: Find Comment
uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
id: fc
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/upstream.yml
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ jobs:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0 # Fetch all history for all branches and tags.
persist-credentials: false
- name: Setup Conda (Micromamba) with Python${{ matrix.python-version }}
uses: mamba-org/setup-micromamba@06375d89d211a1232ef63355742e9e2e564bc7f7 # v2.0.2
with:
Expand Down
3 changes: 3 additions & 0 deletions CHANGELOG.rst
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,9 @@ Internal changes
CI changes
^^^^^^^^^^
* Added the `green-coding-solutions/eco-ci-energy-estimation` GitHub Action to the workflows to establish energy and carbon usage of CI activity. (:pull:`1863`).
* Various workflow security fixes: (:pull:`2023`)
* Simplified the `bump-version.yml` version string parsing to harden against template injection.
* Further de-escalated privileges for most workflows.

New features and enhancements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Expand Down

0 comments on commit d595c63

Please sign in to comment.