Harden GitHub Actions workflow #1122
Conversation
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #1122 +/- ##
=======================================
Coverage 89.93% 89.93%
=======================================
Files 2 2
Lines 447 447
Branches 53 53
=======================================
Hits 402 402
Misses 30 30
Partials 15 15 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Decide whether the needed jobs succeeded or failed | ||
| uses: re-actors/alls-green@release/v1 | ||
| uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 |
There was a problem hiding this comment.
It's possible to configure certain actions as trusted if you want.
| check: | ||
| name: Check | ||
| if: always() | ||
| needs: [lint, test] | ||
| needs: [lint, lint-github-actions, test] |
There was a problem hiding this comment.
Not sure if this is necessary — that workflow will always succeed. It reports the violations into the GH security UI instead. Do you think it makes sense to wait for it?
| @@ -195,7 +213,7 @@ jobs: | |||
| name: release-notes.md | |||
| path: release-notes.md | |||
| - name: GitHub Release | |||
| uses: ncipollo/release-action@v1 | |||
| uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0 | |||
There was a problem hiding this comment.
Not sure if it's wise to give this action OIDC privileges..
| @@ -174,6 +190,8 @@ jobs: | |||
| if: github.event_name == 'push' && contains(github.ref, 'refs/tags/') | |||
| needs: [lint, check, prepare-release-notes] | |||
| runs-on: ubuntu-latest | |||
| permissions: | |||
| id-token: write | |||
There was a problem hiding this comment.
If you're adding this, also remove password from the pypi-publish action..
seifertm
force-pushed
the
harden-gh-actions-workflow
branch
from
2615ff6 to
60cd123
Compare
This PR introduces zizmor for linting GitHub Actions Workflows and addresses all of its findings.
Zizmor is used both as a pre-commit hook and a separate job in the pipeline. This is due to the fact that some analyses require a GitHub token, which not all developers may have readily available.