Add zizmor for CI (security) linting (#2288)

To add a bit of a safety net to our CI jobs it might make sense to add a CI security linting tool such as zizmor.

The linting run should be green at the moment since I fixed all reported issues:

- setting persist-credentials: false in all checkout runs
- changing template substitutions to environment variable substitutions

I added an ignore rule for dangerous-triggers to ignore the upload_pr_to_documentation workflow as our actions are configured to only run such steps on approval which should already have seen at least maintainer eyes and the zizmor run.

.github/workflows/build_docker_images.yml

@@ -23,6 +23,8 @@ jobs:
         uses: docker/setup-buildx-action@v1
       - name: Check out code
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Login to DockerHub
         uses: docker/login-action@v2
         with:
@@ -54,6 +56,8 @@ jobs:
         uses: docker/setup-buildx-action@v1
       - name: Check out code
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Login to DockerHub
         uses: docker/login-action@v1
         with:
@@ -85,6 +89,8 @@ jobs:
         uses: docker/setup-buildx-action@v1
       - name: Check out code
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Login to DockerHub
         uses: docker/login-action@v1
         with:
@@ -116,6 +122,8 @@ jobs:
         uses: docker/setup-buildx-action@v1
       - name: Check out code
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Login to DockerHub
         uses: docker/login-action@v1
         with:
@@ -147,6 +155,8 @@ jobs:
         uses: docker/setup-buildx-action@v1
       - name: Check out code
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Login to DockerHub
         uses: docker/login-action@v1
         with:

.github/workflows/integrations_tests.yml

@@ -19,6 +19,7 @@ jobs:
         with:
           ref: ${{ github.event.inputs.branch }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v4
         with:
@@ -27,8 +28,8 @@ jobs:
           cache-dependency-path: "setup.py"
       - name: print environment variables
         run: |
-          echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}"
-          echo "env.CI_SHA = ${{ env.CI_SHA }}"
+          echo "env.CI_BRANCH = ${CI_BRANCH}"
+          echo "env.CI_SHA = ${CI_SHA}"
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
@@ -55,6 +56,7 @@ jobs:
         with:
           ref: ${{ github.event.inputs.branch }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v4
         with:
@@ -63,13 +65,13 @@ jobs:
           cache-dependency-path: "setup.py"
       - name: print environment variables
         run: |
-          echo "env.CI_BRANCH = ${{ env.CI_BRANCH }}"
-          echo "env.CI_SHA = ${{ env.CI_SHA }}"
+          echo "env.CI_BRANCH = ${CI_BRANCH}"
+          echo "env.CI_SHA = ${CI_SHA}"
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
           python -m pip install .[test]
-          
+
           if [ "${{ matrix.diffusers-version }}" == "main" ]; then
               pip install -U git+https://github.com/huggingface/diffusers.git
           else

.github/workflows/nightly-bnb.yml

@@ -33,6 +33,8 @@ jobs:
         shell: bash
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Pip install
         run: |
           source activate peft
@@ -156,6 +158,8 @@ jobs:
         shell: bash
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Pip install
         run: |
           source activate peft

.github/workflows/nightly.yml

@@ -30,6 +30,8 @@ jobs:
         shell: bash
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Pip install
         run: |
           source activate peft
@@ -78,6 +80,8 @@ jobs:
         shell: bash
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Pip install
         run: |
           source activate peft

.github/workflows/stale.yml

@@ -16,6 +16,8 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
     - uses: actions/checkout@v3
+      with:
+        persist-credentials: false
 
     - name: Setup Python
       uses: actions/setup-python@v4

.github/workflows/test-docker-build.yml

@@ -14,6 +14,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@1c8e6069583811afb28f97afeaf8e7da80c6be5c #v42
@@ -26,7 +28,7 @@ jobs:
         env:
           ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
         run: |
-          echo "matrix=${{ steps.changed-files.outputs.all_changed_files}}" >> $GITHUB_OUTPUT
+          echo "matrix=${ALL_CHANGED_FILES}" >> $GITHUB_OUTPUT
   build_modified_files:
     needs: get_changed_files
     name: Build Docker images on modified files
@@ -51,6 +53,8 @@ jobs:
         uses: docker/setup-buildx-action@v1
       - name: Check out code
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Build Docker image
         uses: docker/build-push-action@v4
         with:

.github/workflows/tests-main.yml

@@ -11,6 +11,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Set up Python 3.11
         uses: actions/setup-python@v4
         with:

.github/workflows/tests.yml

@@ -14,6 +14,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v4
         with:
@@ -39,6 +41,8 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v4
         with:

.github/workflows/torch_compile_tests.yml

@@ -25,6 +25,7 @@ jobs:
       PEFT_DEBUG_WITH_TORCH_COMPILE: 1
       CUDA_VISIBLE_DEVICES: "0"
       TEST_TYPE: "single_gpu_huggingface/peft-gpu-bnb-latest:latest"
+      USE_PYTORCH_NIGHTLY: "${{ github.event.inputs.pytorch_nightly }}"
     container:
       image: "huggingface/peft-gpu-bnb-latest:latest"
       options: --gpus all --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/
@@ -36,13 +37,14 @@ jobs:
         with:
           ref: ${{ github.event.inputs.branch }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
+          persist-credentials: false
       - name: Pip install
         run: |
           source activate peft
           pip install -e . --no-deps
           pip install pytest-cov pytest-reportlog parameterized datasets scipy einops
           pip install "pytest>=7.2.0,<8.0.0" # see: https://github.com/huggingface/transformers/blob/ce4fff0be7f6464d713f7ac3e0bbaafbc6959ae5/setup.py#L148C6-L148C26
-          if [ "${{ github.event.inputs.pytorch_nightly }}" = "true" ]; then
+          if [ "${USE_PYTORCH_NIGHTLY}" = "true" ]; then
             python -m pip install --upgrade --pre torch --index-url https://download.pytorch.org/whl/nightly/cpu
           fi
       - name: Test compile with pytest

.github/workflows/trufflehog.yml

@@ -11,5 +11,6 @@ jobs:
       uses: actions/checkout@v4
       with:
         fetch-depth: 0
+        persist-credentials: false
     - name: Secret Scanning
       uses: trufflesecurity/trufflehog@main

.github/workflows/upload_pr_documentation.yml

@@ -13,4 +13,4 @@ jobs:
       package_name: peft
     secrets:
       hf_token: ${{ secrets.HF_DOC_BUILD_PUSH }}
-      comment_bot_token: ${{ secrets.COMMENT_BOT_TOKEN }}
+      comment_bot_token: ${{ secrets.COMMENT_BOT_TOKEN }}

.github/workflows/zizmor.yaml

@@ -0,0 +1,28 @@
+name: CI security linting
+
+on:
+  push:
+    branches: ["main"]
+    paths:
+      - '.github/**'
+  pull_request:
+    branches: ["*"]
+    paths:
+      - '.github/**'
+
+jobs:
+  zizmor:
+    name: zizmor latest via Cargo
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Install zizmor
+        run: cargo install zizmor
+      - name: Run zizmor
+        run: zizmor .github/workflows

.github/zizmor.yml

@@ -0,0 +1,5 @@
+rules:
+  dangerous-triggers:
+    ignore:
+      # this workflow is only triggered after maintainer approval
+      - upload_pr_documentation.yml:3:1