
ci: harden github actions according to "zizmor" recommendations #13062

Merged 1 commit into main from zizmor on Dec 16, 2024

Conversation

bluetech (Member)

"zizmor" is a new tool to statically analyze GitHub Actions files for security issues. See: https://woodruffw.github.io/zizmor/.

Fix all issues reported by zizmor 0.9.2 running locally.

@bluetech bluetech added the skip news used on prs to opt out of the changelog requirement label Dec 15, 2024
Pierre-Sassoulas (Member) left a comment:

👍

@webknjaz webknjaz added the backport 8.3.x apply to PRs at any point; backports the changes to the 8.3.x branch label Dec 16, 2024
@RonnyPfannschmidt RonnyPfannschmidt merged commit ee8f98d into main Dec 16, 2024
28 checks passed
@RonnyPfannschmidt RonnyPfannschmidt deleted the zizmor branch December 16, 2024 05:48

patchback bot commented Dec 16, 2024

Backport to 8.3.x: 💚 backport PR created

✅ Backport PR branch: patchback/backports/8.3.x/ee8f98d2f976a1df17093eab12e00f0f3c4bee29/pr-13062

Backported as #13067

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

patchback bot pushed a commit that referenced this pull request Dec 16, 2024
Fix all issues reported by zizmor 0.9.2 running locally.

See: https://woodruffw.github.io/zizmor/
(cherry picked from commit ee8f98d)
nicoddemus pushed a commit that referenced this pull request Dec 16, 2024
Fix all issues reported by zizmor 0.9.2 running locally.

See: https://woodruffw.github.io/zizmor/
(cherry picked from commit ee8f98d)
nicoddemus (Member)

Nice!

Should we also run zizmor itself on CI?

bluetech (Member, Author)

Running a CI security check in CI :) I suppose it can be helpful for finding unintentional weaknesses. I see there is a pre-commit hook here https://github.com/woodruffw/zizmor-pre-commit so I'll send a PR adding it.

nicoddemus (Member)

> Running a CI security check in CI :) I suppose it can be helpful for finding unintentional weaknesses. I see there is a pre-commit hook here https://github.com/woodruffw/zizmor-pre-commit so I'll send a PR adding it.

Hehehe

A pre-commit hook sounds even better!
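As an added example (not part of this PR or of pytest's own CI configuration), here is a minimal workflow that runs zizmor 0.9.2 against the repository's workflow files and is itself written the way zizmor's audits expect: a read-only default token and no persisted checkout credentials. The job name, triggers, Python version and the pip-based install are assumptions.

```yaml
# Constructed example: a workflow that audits the other workflows with zizmor.
name: zizmor

on:
  pull_request:
    paths:
      - ".github/workflows/**"
  push:
    branches: [main]

# Least-privilege default GITHUB_TOKEN: reading the tree is all zizmor needs.
permissions:
  contents: read

jobs:
  zizmor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the token in .git/config where later steps could read it.
          persist-credentials: false

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      # Pin the version the PR was validated against so results are reproducible.
      - run: pip install zizmor==0.9.2

      # Audit every workflow file; zizmor exits non-zero when it reports findings,
      # which fails the job.
      - run: zizmor .github/workflows
```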

nicoddemus pushed a commit that referenced this pull request Dec 16, 2024
…) (#13067)

Fix all issues reported by zizmor 0.9.2 running locally.

See: https://woodruffw.github.io/zizmor/
(cherry picked from commit ee8f98d)

Co-authored-by: Ran Benita <ran@unusedvar.com>