Harden GitHub Actions workflow #1122

Draft: wants to merge 7 commits into base: main
30 changes: 24 additions & 6 deletions .github/workflows/main.yml
Expand Up @@ -10,6 +10,8 @@ on:
merge_group:
workflow_dispatch:

permissions: {}

env:
PYTHON_LATEST: 3.13

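Review bot: `permissions: {}` at the workflow level only shrinks the scopes of the GITHUB_TOKEN that jobs receive; it does not stop a later step from using a token that an earlier step already wrote to disk, which is why the `persist-credentials: false` additions on each `actions/checkout` in this diff are needed alongside it (without that setting the checkout step stores the token in `.git/config` for every subsequent step). Both halves have to stay in sync: any checkout added to this workflow later needs the same setting, and zizmor's artipacked audit will flag it if it is missed.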
Expand All @@ -24,6 +26,7 @@ jobs:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_LATEST }}
Expand Down Expand Up @@ -75,6 +78,8 @@ jobs:

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
Expand All @@ -95,17 +100,25 @@ jobs:
path: coverage/coverage.*
if-no-files-found: error

lint-github-actions:
name: Lint GitHub Actions
permissions:
security-events: write
uses: zizmorcore/workflow/.github/workflows/reusable-zizmor.yml@1ae473d8672fe7613e809d86d202a35063736e16

check:
name: Check
if: always()
needs: [lint, test]
needs: [lint, lint-github-actions, test]
Member:

Not sure if this is necessary — that workflow will always succeed. It reports the violations into the GH security UI instead. Do you think it makes sense to wait for it?

runs-on: ubuntu-latest
steps:
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@release/v1
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
Member:

It's possible to configure certain actions as trusted if you want.
with:
jobs: ${{ toJSON(needs) }}
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_LATEST }}
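Review bot: the `reusable-zizmor.yml@1ae473d8672fe7613e809d86d202a35063736e16` pin carries no trailing version comment, unlike the other SHA pins in this diff (`# v1.2.2`, `# v5.4.2`); add the tag it corresponds to so the pin can be reviewed and bumped without resolving the hash by hand. On the `needs: [lint, lint-github-actions, test]` question raised in the comment above: with `if: always()` plus alls-green, listing the job only makes `check` wait for it, and since the reusable workflow reports findings to the security tab and succeeds regardless, it adds latency without gating anything; either drop it from `needs`, or, if gating on zizmor findings is wanted, have that workflow fail on them.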
Expand All @@ -124,7 +137,7 @@ jobs:
coverage combine
coverage xml
- name: Upload coverage report
uses: codecov/codecov-action@v5
uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
with:
files: coverage.xml
fail_ci_if_error: true
Expand All @@ -139,6 +152,7 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Install Python
uses: actions/setup-python@v5
- name: Install towncrier
Expand All @@ -150,7 +164,9 @@ jobs:
run: pip install .
- name: Compile Release Notes Draft
if: ${{ !contains(github.ref, 'refs/tags/') }}
run: towncrier build --draft --version "${{ needs.lint.outputs.version }}" > release-notes.rst
run: towncrier build --draft --version "${version}" > release-notes.rst
env:
version: ${{ needs.lint.outputs.version }}
- name: Extract release notes from Git tag
if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
run: |
Expand All @@ -174,6 +190,8 @@ jobs:
if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
needs: [lint, check, prepare-release-notes]
runs-on: ubuntu-latest
permissions:
id-token: write
Member:

If you're adding this, also remove password from the pypi-publish action..
steps:
- name: Download distributions
uses: actions/download-artifact@v4
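Review bot: `id-token: write` is granted to the whole `release` job, so every step in it, including the `ncipollo/release-action` step further down, can request an OIDC token from the runner, which is exactly the concern raised on that step. Splitting the PyPI upload into its own job that holds `id-token: write` and nothing else, and creating the GitHub release in a separate job with only the scope it needs, keeps each credential confined to the step that uses it. As the reviewer notes, the `password` input on the pypi-publish step should go at the same time, otherwise the job ends up carrying both a long-lived secret and OIDC capability.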
Expand All @@ -184,7 +202,7 @@ jobs:
run: |
tree dist
- name: PyPI upload
uses: pypa/[email protected]
uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 # zizmor: ignore[use-trusted-publishing] # see #700
with:
attestations: true
packages-dir: dist
Expand All @@ -195,7 +213,7 @@ jobs:
name: release-notes.md
path: release-notes.md
- name: GitHub Release
uses: ncipollo/release-action@v1
uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0
Member:

Not sure if it's wise to give this action OIDC privileges..
with:
name: pytest-asyncio ${{ needs.lint.outputs.version }}
artifacts: dist/*
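Review bot: with the top-level `permissions: {}` now in effect, the GITHUB_TOKEN this job receives has only `id-token: write`, and creating a GitHub release through the API requires `contents: write`; unless this step is given a separate token via its inputs (not visible in the shown lines), add `contents: write` to the job's `permissions` block or release creation will be rejected. Doing that in a dedicated job, as suggested on the `permissions` hunk above, avoids widening the token for the PyPI upload step as well.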
4 changes: 4 additions & 0 deletions .pre-commit-config.yaml
Expand Up @@ -74,6 +74,10 @@ repos:
- id: pyproject-fmt
# https://pyproject-fmt.readthedocs.io/en/latest/#calculating-max-supported-python-version
additional_dependencies: [tox>=4.9]
- repo: https://github.com/zizmorcore/zizmor-pre-commit
rev: v1.7.0
hooks:
- id: zizmor
ci:
skip:
- actionlint-docker
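Review bot: the new `zizmor` hook is pinned to the tag `v1.7.0` rather than a commit SHA, which follows pre-commit's `rev` convention and is acceptable here even though the workflow side of this PR moves to hash pins. Check whether the hook can run on pre-commit.ci: `actionlint-docker` is already listed under `ci.skip` because that environment cannot run it, and if the zizmor hook has the same constraint it should be added to that list rather than failing the hosted run.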