
Workflow security fixes #2023

Merged
Zeitsperre merged 3 commits into main from secure-workflows on Dec 13, 2024

Conversation

Zeitsperre
Collaborator

@Zeitsperre Zeitsperre commented Dec 13, 2024

Pull Request Checklist:

  • This PR addresses an already opened issue (for bug fixes / features)
    • This PR fixes #xyz
  • Tests for the changes have been added (for bug fixes / features)
    • (If applicable) Documentation has been added / updated (for bug fixes / features)
  • CHANGELOG.rst has been updated (with summary of main changes)
    • Link to issue (:issue:number) and pull request (:pull:number) has been added

What kind of change does this PR introduce?

  • De-escalates the privileges of steps in workflows by restricting credentials
  • Reduces the risk of template injection in run steps
  • Simplifies the bump-my-version logic

Does this PR introduce a breaking change?

It should not.

Other information:

Changes suggested here were determined from analysis using https://github.com/woodruffw/zizmor

There are a handful of workflows that require pull_request_target triggers. This is insecure since it runs actions in the parent repo that can be influenced by configurations stemming from forks. The only way to fully secure this would be to try using reusable workflows. This would be a medium-effort task, with gains across all Ouranos repositories.
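The two hardening patterns named in the checklist above (restricting the credentials a job receives, and keeping untrusted event data out of `run` steps), as an added illustration that is not this PR's diff; the actual xclim workflow contents are not shown on this page. The workflow name, job names and the choice of `github.event.pull_request.title` as the untrusted field are assumptions.

```yaml
# Constructed example, not the workflow changed in this PR.
name: example-ci

# Weak default: with no permissions block, the GITHUB_TOKEN handed to every
# job carries the repository's default scopes, which are often write scopes.
# Hardened: grant read-only access at the top level and widen it only in the
# specific job that needs more.
permissions:
  contents: read

on:
  pull_request:

jobs:
  before:
    runs-on: ubuntu-latest
    steps:
      # Template injection: ${{ }} is expanded by the runner before the shell
      # ever sees the script, so shell metacharacters in the PR title become
      # part of the command line rather than part of a string.
      - name: Echo title (unsafe pattern)
        run: echo "PR title: ${{ github.event.pull_request.title }}"

  after:
    runs-on: ubuntu-latest
    steps:
      # Hardened: bind the untrusted value to an environment variable. The
      # shell then reads it as data, and quoting the variable keeps it as a
      # single argument.
      - name: Echo title (hardened)
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $PR_TITLE"
```

zizmor, the tool cited above, reports both the missing permissions block and the direct expression interpolation in a `run` step. The distinction matters most under `pull_request_target`: there the job's token is scoped to the base repository, so an injected command runs with write access rather than with the read-only token a fork-triggered `pull_request` run receives.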

@Zeitsperre Zeitsperre self-assigned this Dec 13, 2024
@github-actions github-actions bot added the CI Automation and Continuous Integration label Dec 13, 2024

Note

It appears that this Pull Request modifies the main.yml workflow.

On inspection, the XCLIM_TESTDATA_BRANCH environment variable is set to the most recent tag (v2024.8.23).

No further action is required.

@Zeitsperre Zeitsperre requested a review from aulemahal December 13, 2024 16:09
@github-actions github-actions bot added the approved Approved for additional tests label Dec 13, 2024
@Zeitsperre Zeitsperre merged commit d595c63 into main Dec 13, 2024
32 checks passed
@Zeitsperre Zeitsperre deleted the secure-workflows branch December 13, 2024 17:37