From 773843938c18826fa07b8200f224ad9a41e6f62a Mon Sep 17 00:00:00 2001 From: Mike Fiedler Date: Thu, 31 Oct 2024 09:41:26 -0400 Subject: [PATCH] chore(ci): address overly broad permissions scopes (#16996) --- .github/workflows/ci.yml | 13 +++++++++- .github/workflows/codeql-analysis.yml | 2 ++ .github/workflows/combine-prs.yml | 13 +++++----- .github/workflows/dev-env-test.yml | 2 ++ .github/workflows/node-ci.yml | 2 ++ .github/workflows/zizmor.yml | 37 +++++++++++++++++++++++++++ 6 files changed, 61 insertions(+), 8 deletions(-) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 78a9d6bc55c3..6cc36d8b2ba4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,7 +8,6 @@ on: types: [checks_requested] workflow_dispatch: # generally only for the "combine-prs" workflow permissions: - id-token: write contents: read concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} @@ -19,9 +18,13 @@ jobs: runs-on: depot-ubuntu-22.04-arm outputs: buildId: ${{ steps.build.outputs.build-id}} + permissions: + id-token: write steps: - name: Check out repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Depot CLI uses: depot/setup-action@v1 - name: Build image @@ -59,6 +62,8 @@ jobs: image: registry.depot.dev/rltf7cln5v:${{ needs.build.outputs.buildId }} env: BILLING_BACKEND: warehouse.subscriptions.services.MockStripeBillingService api_base=http://stripe:12111 api_version=2020-08-27 + permissions: + id-token: write services: postgres: image: ${{ (matrix.name == 'Tests') && 'postgres:16.1' || '' }} @@ -81,6 +86,8 @@ jobs: steps: - name: Check out repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Cache mypy results if: ${{ (matrix.name == 'Lint') }} uses: actions/cache@v4 
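Review bot: The job-level `permissions:` block added to `build` replaces the workflow-level block instead of merging with it, so this job now runs with `id-token: write` and every other scope — including the `contents: read` that the first hunk keeps at workflow level — set to none. Checkout presumably still works only because the token is not needed to read a public repository; on a private repository, or if a later step starts calling the GitHub API, the failure surfaces as an opaque 403 rather than at review time. State the intent explicitly so the scope survives both cases: `permissions:` / `contents: read` / `id-token: write`. The same applies to the other jobs in this file that receive an `id-token: write` block in this patch; the `build` job definition continues past the hunk.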
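Review bot: Nothing in the hunk records why the matrix test job needs `id-token: write`; that scope lets the runner mint OIDC tokens for external identity providers, and a later reader cannot tell whether it exists for pulling the `registry.depot.dev` container image or for something else, so it is likely to be left in place (or widened) rather than trimmed. A one-line why-comment above the block, along the lines of `# OIDC token presumably needed to pull the job container from registry.depot.dev — confirm`, would make the scope auditable. The job's definition starts outside the hunk.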
@@ -98,6 +105,8 @@ jobs: continue-on-error: true container: image: registry.depot.dev/rltf7cln5v:${{ needs.build.outputs.buildId }} + permissions: + id-token: write services: postgres: image: postgres:16.1 @@ -112,6 +121,8 @@ jobs: steps: - name: Check out repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Dotenv Action # We need to load the environment variables to run the CLI id: dotenv diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 6c41dccd8065..3c05c5600789 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -39,6 +39,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python if: matrix.language == 'python' diff --git a/.github/workflows/combine-prs.yml b/.github/workflows/combine-prs.yml index 8fd9e2bceb11..789845b82761 100644 --- a/.github/workflows/combine-prs.yml +++ b/.github/workflows/combine-prs.yml @@ -11,17 +11,16 @@ on: required: true default: 'blocked' -# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token -permissions: - contents: write - pull-requests: write - checks: read - actions: write - # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: # This workflow contains a single job called "combine-prs" combine-prs: + # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token + permissions: + contents: write + pull-requests: write + checks: read + actions: write # The type of runner that the job will run on runs-on: ubuntu-latest diff --git a/.github/workflows/dev-env-test.yml b/.github/workflows/dev-env-test.yml index 4c3f1a71c826..ed91d5509349 100644 --- a/.github/workflows/dev-env-test.yml +++ b/.github/workflows/dev-env-test.yml 
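Review bot: Deleting the workflow-level `permissions:` block in combine-prs.yml, rather than narrowing it, means any job later added to this file inherits the repository's default `GITHUB_TOKEN` permissions, which may be the permissive legacy default, whereas ci.yml and the new zizmor.yml in this same patch keep a restrictive top-level block and let jobs elevate. Since `combine-prs` is the only job, the move itself changes nothing about the effective token scope — `contents: write`, `pull-requests: write` and `actions: write` are all still granted. Add `permissions:` / `contents: read` at workflow level to match the other files, and keep the job block as the single point of elevation. The job body continues past the hunk, so whether `actions: write` is actually exercised cannot be confirmed from here.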
@@ -11,6 +11,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - run: make build - run: docker compose up -d - run: docker compose ps diff --git a/.github/workflows/node-ci.yml b/.github/workflows/node-ci.yml index d59d70bab4fb..07bc9da7444b 100644 --- a/.github/workflows/node-ci.yml +++ b/.github/workflows/node-ci.yml @@ -28,6 +28,8 @@ jobs: steps: - name: Check out repository uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-node@v4 with: node-version: 23.1.0 diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 000000000000..08294a4a75a4 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,37 @@ +# https://github.com/woodruffw/zizmor +name: GitHub Actions Security Analysis with Zizmor + +on: + push: + branches: ["main"] + pull_request: + branches: ["*"] + +permissions: + contents: read + +jobs: + zizmor: + name: Zizmor latest via Cargo + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + - name: Setup Rust + uses: actions-rust-lang/setup-rust-toolchain@v1 + - name: Get zizmor + run: cargo install zizmor + - name: Run zizmor + run: zizmor --format sarif . > results.sarif + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: results.sarif + # Optional category for the results + # Used to differentiate multiple results for one commit + category: zizmor
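Review bot: `cargo install zizmor` in the new zizmor.yml installs whatever crate version is current at run time, so the audit rule set — and therefore whether a PR check passes — changes underneath the repository without any commit; pin it, e.g. `run: cargo install zizmor --locked --version <pinned>`. For the same reason a security-scanning workflow should reference `actions/checkout`, `actions-rust-lang/setup-rust-toolchain` and `github/codeql-action/upload-sarif` by commit SHA rather than a mutable `@vN` tag. If zizmor exits non-zero when it reports findings, the `Run zizmor` step fails before `Upload SARIF file` executes and the results never reach code scanning; either add `continue-on-error: true` to the run step or `if: always()` to the upload step, and confirm the exit-code behaviour of the pinned version.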