Use hashed dependencies and fix workflow permissions (#1841)
### What kind of change does this PR introduce?

* Addresses several security issues pertaining to workflow permissions
* Simplifies the build triggers in `main.yml`
* Python3.9 preliminary test is now always run when tests are triggered
* `pip-tools` (`pip-compile`) has been run to generate the hashes now
found in `CI/requirements_ci.txt`
* A workflow bug that causes forked Pull Requests to receive duplicated
comments should now be fixed

### Does this PR introduce a breaking change?

No.

### Other information:

* What is `pip-tools`?
[Documentation](https://pip-tools.readthedocs.io/en/latest/)
This tool is used to determine the acceptable sha256 hashes for all
dependencies (and sub-dependencies) listed in `CI/requirements.in`.
Think of this as something similar to `pip freeze` or `conda lock` in
its utility. Implementing this approach should resolve several security
warnings for potential man-in-the-middle attacks.

These hashes should be managed automatically by @dependabot.
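As an added illustration of the check that `--require-hashes` performs (example code, not from the xclim project or this PR): a small Python parser for the `--hash=sha256:...` lock-file layout that `pip-compile --generate-hashes` writes, which refuses any requirement lacking a hash and verifies a downloaded artifact against the pinned digests. The `flit` entry and the "wheel" bytes below are constructed sample data.

```python
"""Parse a hash-pinned requirements file and enforce what --require-hashes enforces."""
import hashlib
import re
from typing import Dict, Set

HASH_OPT = re.compile(r"^--hash=(?P<algo>[a-z0-9]+):(?P<hex>[0-9a-f]+)$")


def parse_hashed_requirements(text: str) -> Dict[str, Set[str]]:
    """Return {requirement: {"sha256:<hex>", ...}}, refusing any entry without a hash."""
    # pip-compile wraps long entries with a trailing backslash; rejoin them first.
    pins: Dict[str, Set[str]] = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and "# via" trailers
        if not line or line.startswith("-"):       # blank lines, -r / --index-url options
            continue
        requirement, *options = line.split()
        hashes: Set[str] = set()
        for opt in options:
            m = HASH_OPT.match(opt)
            if m is None:
                raise ValueError(f"unexpected option {opt!r} on {requirement}")
            hashes.add(f"{m['algo']}:{m['hex']}")
        if not hashes:
            # This is the condition pip turns into a hard error under --require-hashes.
            raise ValueError(f"{requirement} has no --hash; refusing to install")
        pins[requirement] = hashes
    return pins


def artifact_matches(requirement: str, data: bytes, pins: Dict[str, Set[str]]) -> bool:
    """True if the sha256 of a downloaded file is one of the digests pinned for it."""
    digest = "sha256:" + hashlib.sha256(data).hexdigest()
    return digest in pins.get(requirement, set())


# Constructed stand-in for a downloaded wheel (not a real flit artifact).
FLIT_WHEEL = b"constructed flit-3.9.0 wheel bytes"
FLIT_DIGEST = hashlib.sha256(FLIT_WHEEL).hexdigest()

# Constructed lock-file excerpt in the layout pip-compile --generate-hashes emits.
HASHED_REQUIREMENTS = f"""\
# This file is autogenerated by pip-compile with Python 3.9
flit==3.9.0 \\
    --hash=sha256:{FLIT_DIGEST} \\
    --hash=sha256:{'0' * 64}
    # via -r CI/requirements_ci.in
"""
UNHASHED_REQUIREMENTS = "flit==3.9.0\n"   # what a hand-edited, unhashed file looks like
```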
Zeitsperre authored Jul 18, 2024
2 parents f7eb648 + 73ff38f commit e7392a7
Showing 16 changed files with 543 additions and 64 deletions.
1 change: 0 additions & 1 deletion .github/workflows/add-to-project.yml
Expand Up @@ -13,7 +13,6 @@ jobs:
name: Add Issue to xclim Project
runs-on: ubuntu-latest
permissions:
contents: read
repository-projects: write
steps:
- name: Harden Runner
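Review bot: with `contents: read` dropped from the job-level `permissions` block, the token for 'Add Issue to xclim Project' is left with only `repository-projects: write` (every unlisted scope becomes none), so confirm no step in this job checks out or otherwise reads the repository; if none does, this is the right minimum.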
4 changes: 2 additions & 2 deletions .github/workflows/bump-version.yml
Expand Up @@ -9,6 +9,7 @@ on:
- .github/*/*.md
- .github/*/*.yml
- CHANGELOG.rst
- CI/*.in
- CI/*.txt
- Makefile
- docs/*/*.ipynb
Expand All @@ -32,7 +33,6 @@ jobs:
runs-on: ubuntu-latest
permissions:
actions: read
contents: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
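Review bot: removing `actions: read` is safe only if no step in this job queries the Actions API (workflow runs, artifacts); `contents: write` is retained, which the bump job needs to push its commit, and it remains the sensitive grant in this file.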
Expand Down Expand Up @@ -73,7 +73,7 @@ jobs:
echo "CURRENT_VERSION=${CURRENT_VERSION}" >> $GITHUB_ENV
- name: Install CI libraries
run: |
python -m pip install -r CI/requirements_ci.txt
python -m pip install --require-hashes -r CI/requirements_ci.txt
- name: Conditional Bump
run: |
if [[ ${{ env.CURRENT_VERSION }} =~ -dev(\.\d+)? ]]; then
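Review bot: `--require-hashes` makes pip abort if any entry in CI/requirements_ci.txt, transitive dependencies included, lacks a `--hash`, so the file has to be regenerated with `pip-compile --generate-hashes` on every bump rather than edited by hand. In the same hunk, the unchanged `if [[ ${{ env.CURRENT_VERSION }} =~ -dev(\.\d+)? ]]` splices an expression straight into the shell script; reading it as `"$CURRENT_VERSION"` from the environment avoids the expression-injection pattern, and `\d` is not a POSIX ERE class (use `[0-9]`; the optional group is why `-dev` still matches today).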
3 changes: 2 additions & 1 deletion .github/workflows/cache-cleaner.yml
Expand Up @@ -7,11 +7,12 @@ on:

permissions:
contents: read
actions: write

jobs:
cleanup:
runs-on: ubuntu-latest
permissions:
actions: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
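Review bot: moving `actions: write` from the workflow level into the cleanup job is the right scoping, but a job-level `permissions` block replaces the workflow-level one entirely, so this job no longer carries `contents: read`; confirm its cache-deletion steps do not depend on a checkout of the repository.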
1 change: 0 additions & 1 deletion .github/workflows/first-pull-request.yml
Expand Up @@ -13,7 +13,6 @@ jobs:
name: Welcome
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- name: Harden Runner
33 changes: 18 additions & 15 deletions .github/workflows/label-on-approval.yml
Expand Up @@ -21,8 +21,6 @@ jobs:
(github.event.review.state == 'approved') &&
(github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name)
permissions:
checks: write
contents: read
pull-requests: write
steps:
- name: Harden Runner
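Review bot: dropping `checks: write` is correct, since labeling goes through the pull-requests/issues API and never writes check runs; `contents: read` goes as well, which is fine as long as the 'Label Approved' step keeps to API calls and the job never checks out the PR.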
Expand All @@ -32,7 +30,6 @@ jobs:
egress-policy: block
allowed-endpoints: >
api.github.com:443
- name: Label Approved
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
Expand All @@ -51,8 +48,6 @@ jobs:
(github.event_name == 'pull_request_target') &&
(github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name)
permissions:
checks: write
contents: read
pull-requests: write
steps:
- name: Harden Runner
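Review bot: this job runs on `pull_request_target` for fork PRs, i.e. with the base repository's token, so trimming the grant to `pull-requests: write` is the important part of this hunk: it bounds what a malicious fork could reach through the token. The job must continue to make API calls only and never check out or execute the fork's code under this event.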
Expand All @@ -62,36 +57,44 @@ jobs:
egress-policy: block
allowed-endpoints: >
api.github.com:443
- name: Find Comment
- name: Find Warning Comment
uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
id: fc
id: fc_warning
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: 'github-actions[bot]'
body-includes: This Pull Request is coming from a fork and must be manually tagged `approved` in order to perform additional testing.
- name: Create Comment
- name: Update Warning Comment
if: |
(steps.fc.outputs.comment-id == '') &&
(steps.fc_warning.outputs.comment-id == '') &&
(!contains(github.event.pull_request.labels.*.name, 'approved')) &&
(github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name)
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
comment-id: ${{ steps.fc_warning.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
body: |
> **Warning**
> [!WARNING]
> This Pull Request is coming from a fork and must be manually tagged `approved` in order to perform additional testing.
edit-mode: replace
- name: Update Comment
- name: Find Note Comment
uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
id: fc_note
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: 'github-actions[bot]'
body-includes: This Pull Request has been manually approved for additional testing!
- name: Update Note Comment
if: |
(steps.fc_note.outputs.comment-id == '') &&
contains(github.event.pull_request.labels.*.name, 'approved')
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
comment-id: ${{ steps.fc_note.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
body: |
> **Note**
> This Pull Request is approved!
> [!NOTE]
> This Pull Request has been manually approved for additional testing!
reactions: |
hooray
edit-mode: append
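Review bot: in both 'Update Warning Comment' and 'Update Note Comment' the `if` requires `steps.fc_*.outputs.comment-id == ''`, so the `comment-id:` input passed to create-or-update-comment is always empty and `edit-mode: replace` / `edit-mode: append` never applies; the steps are effectively create-only, which is exactly what stops the duplicate comments, but the names still say 'Update' and the `comment-id` and `edit-mode` lines are dead. Suggest naming them 'Create ...' (as workflow-warning.yml does) and dropping those two inputs, and keep each `body-includes` string byte-for-byte inside its `body`, because that lookup is the only thing preventing a repeat.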
2 changes: 0 additions & 2 deletions .github/workflows/label.yml
Expand Up @@ -24,8 +24,6 @@ jobs:
name: Label
runs-on: ubuntu-latest
permissions:
checks: write
contents: read
pull-requests: write
steps:
- name: Harden Runner
28 changes: 11 additions & 17 deletions .github/workflows/main.yml
Expand Up @@ -32,10 +32,10 @@ permissions:

jobs:
lint:
name: Black (Python${{ matrix.python-version }})
name: Lint (Python${{ matrix.python-version }})
runs-on: ubuntu-latest
if: |
((github.event_name == 'pull_request') && (github.event.action != 'labeled')) ||
(github.event.action != 'labeled') ||
(github.event.review.state == 'approved') ||
(github.event_name == 'push')
strategy:
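Review bot: `(github.event.action != 'labeled')` is also true for `push` (no `action` in the payload) and for `pull_request_review` (`action: submitted`), so the two `||` clauses that follow are now redundant and the whole condition reduces to "run unless a label was just added"; that matches the simplification the PR describes, but dropping the redundant clauses would make the intent read plainly.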
Expand All @@ -60,7 +60,7 @@ jobs:
python-version: ${{ matrix.python-version }}
- name: Install CI libraries
run: |
python -m pip install -r CI/requirements_ci.txt
python -m pip install --require-hashes -r CI/requirements_ci.txt
- name: Run pylint
run: |
python -m pylint --rcfile=.pylintrc.toml --disable=import-error --exit-zero xclim
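Review bot: the unchanged `python -m pylint ... --exit-zero` right after the `--require-hashes` line means pylint findings can never fail this job; only `tox -e lint` gates it, so confirm that is intentional now that the job is named 'Lint'.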
Expand All @@ -69,16 +69,15 @@ jobs:
python -m tox -e lint
test-py39:
name: test-${{ matrix.tox-env }} (Python${{ matrix.python-version }})
name: Python${{ matrix.python-version }} (${{ matrix.tox-env }}, ${{ matrix.os }})
needs: lint
if: |
(github.event_name == 'pull_request') && !contains(github.event.pull_request.labels.*.name, 'approved')
runs-on: ubuntu-latest
runs-on: ${{ matrix.os }}
strategy:
matrix:
include:
- tox-env: "py39" # "py39-coverage"
- tox-env: "py39"
python-version: "3.9"
os: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
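Review bot: the description says the Python 3.9 preliminary test now always runs when tests are triggered, but the unchanged `if` here still limits test-py39 to `pull_request` events without the `approved` label, so it is skipped on push, on review approval and once the label is applied; either the condition or the description should be adjusted. Routing `runs-on` through `matrix.os` with a single `ubuntu-latest` entry is harmless and mirrors test-pypi.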
Expand All @@ -100,18 +99,16 @@ jobs:
python-version: ${{ matrix.python-version }}
- name: Install CI libraries
run: |
python -m pip install -r CI/requirements_ci.txt
python -m pip install --require-hashes -r CI/requirements_ci.txt
- name: Test with tox
run: |
python -m tox -e ${{ matrix.tox-env }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# COVERALLS_FLAG_NAME: run-{{ matrix.tox-env }}
# COVERALLS_SERVICE_NAME: github

test-pypi:
needs: lint
name: ${{ matrix.tox-env }} (Python${{ matrix.python-version }}, ${{ matrix.os }})
name: Python${{ matrix.python-version }} (${{ matrix.tox-env }}, ${{ matrix.os }})
if: |
contains(github.event.pull_request.labels.*.name, 'approved') ||
(github.event.review.state == 'approved') ||
Expand Down Expand Up @@ -183,7 +180,7 @@ jobs:
python-version: ${{ matrix.python-version }}
- name: Install CI libraries
run: |
python -m pip install -r CI/requirements_ci.txt
python -m pip install --require-hashes -r CI/requirements_ci.txt
- name: Test with tox
run: |
python -m tox -e ${{ matrix.tox-env }} -- ${{ matrix.markers }}
Expand Down Expand Up @@ -234,11 +231,9 @@ jobs:
cache-environment: true
environment-file: environment.yml
create-args: >-
conda
python=${{ matrix.python-version }}
- name: Conda and Mamba versions
run: |
conda --version
echo "micromamba: $(micromamba --version)"
- name: Install xclim
run: |
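Review bot: with `conda` removed from `create-args` and `conda --version` gone, the step name 'Conda and Mamba versions' is stale since only micromamba is reported; rename it, and check that no later step in this job still invokes `conda`.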
Expand All @@ -265,7 +260,6 @@ jobs:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Report coverage
run: |
pip install --upgrade coveralls
coveralls
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
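Review bot: removing `pip install --upgrade coveralls` closes a gap in the hash-pinning story, since an unpinned upgrade at report time would have sidestepped it, but this job is built from environment.yml rather than the hashed CI requirements, so confirm `coveralls` is provided by that environment or the bare `coveralls` call will fail with command not found.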
Expand All @@ -287,7 +281,7 @@ jobs:
CI/requirements_ci.txt
- name: Install CI libraries
run: |
python -m pip install -r CI/requirements_ci.txt
python -m pip install --require-hashes -r CI/requirements_ci.txt
- name: Coveralls finished
run: |
python -m coveralls --finish
2 changes: 1 addition & 1 deletion .github/workflows/publish-pypi.yml
Expand Up @@ -35,7 +35,7 @@ jobs:
python-version: "3.x"
- name: Install CI libraries
run: |
python -m pip install -r CI/requirements_ci.txt
python -m pip install --require-hashes -r CI/requirements_ci.txt
- name: Build a binary wheel and a source tarball
run: |
python -m flit build
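Review bot: this is the most valuable place for `--require-hashes`: `flit`, now pinned by hash through CI/requirements_ci.txt, is what builds the artifact that gets published, so a substituted or tampered package on the index can no longer alter the wheel; the same holds for tag-testpypi.yml below. Leaving `python-version: "3.x"` floating while the tooling is pinned is acceptable.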
2 changes: 1 addition & 1 deletion .github/workflows/tag-testpypi.yml
Expand Up @@ -35,7 +35,7 @@ jobs:
python-version: "3.x"
- name: Install CI libraries
run: |
python -m pip install -r CI/requirements_ci.txt
python -m pip install --require-hashes -r CI/requirements_ci.txt
- name: Build a binary wheel and a source tarball
run: |
python -m flit build
5 changes: 2 additions & 3 deletions .github/workflows/testdata-version.yml
Expand Up @@ -19,7 +19,6 @@ jobs:
if: |
(github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name)
permissions:
contents: read
pull-requests: write
steps:
- name: Harden Runner
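Review bot: later steps of this job inspect the PR's `main.yml` (see the comment text in the following hunks); if that inspection relies on a checkout it needs `contents: read`, which this hunk removes, so verify the job still completes with only `pull-requests: write`.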
Expand Down Expand Up @@ -66,7 +65,7 @@ jobs:
comment-id: ${{ steps.fc.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
body: |
> **Warning**
> [!WARNING]
> It appears that this Pull Request modifies the `main.yml` workflow.
On inspection, it seems that the `XCLIM_TESTDATA_BRANCH` environment variable is set to a tag that is not the latest in the `Ouranosinc/xclim-testdata` repository.
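Review bot: `[!WARNING]` renders as a GitHub alert only for as long as the blockquote continues; the third line ('On inspection, ...') has no leading `>`, so it falls outside the alert box, as it did before the change. Prefix it with `> ` if it belongs inside the alert; the same applies to the `[!NOTE]` body in the next hunk.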
Expand All @@ -82,7 +81,7 @@ jobs:
comment-id: ${{ steps.fc.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
body: |
> **Note**
> [!NOTE]
> It appears that this Pull Request modifies the `main.yml` workflow.
On inspection, the `XCLIM_TESTDATA_BRANCH` environment variable is set to the most recent tag (`${{ env.XCLIM_TESTDATA_TAG }}`).
2 changes: 1 addition & 1 deletion .github/workflows/upstream.yml
Expand Up @@ -76,7 +76,7 @@ jobs:
echo "micromamba: $(micromamba --version)"
- name: Install upstream versions and SBCK
run: |
python -m pip install -r CI/requirements_upstream.txt
python -m pip install --require-hashes -r CI/requirements_upstream.txt
python -m pip install "sbck @ git+https://github.com/yrobink/SBCK-python.git@master"
- name: Install xclim
run: |
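Review bot: `--require-hashes` on CI/requirements_upstream.txt only works if that file also carries a `--hash` for every entry (pip errors out otherwise, and it cannot hash `git+` or other VCS requirements at all), while the description only mentions generating hashes for requirements_ci.txt; please confirm the upstream file was regenerated too. The following `pip install "sbck @ git+...@master"` is a separate, unhashed install from a moving branch, so this step still pulls unverified code; pinning it to a commit SHA would make the step reproducible.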
25 changes: 16 additions & 9 deletions .github/workflows/workflow-warning.yml
Expand Up @@ -32,38 +32,45 @@ jobs:
egress-policy: block
allowed-endpoints: >
api.github.com:443
- name: Find Comment
- name: Find Warning Comment
uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
id: fc
id: fc_warning
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: 'github-actions[bot]'
body-includes: |
This Pull Request modifies GitHub workflows and is coming from a fork.
- name: Create Comment
- name: Create Warning Comment
if: |
(steps.fc.outputs.comment-id == '') &&
(steps.fc_warning.outputs.comment-id == '') &&
(!contains(github.event.pull_request.labels.*.name, 'approved')) &&
(github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name)
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
comment-id: ${{ steps.fc_warning.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
body: |
> **Warning**
> [!WARNING]
> This Pull Request modifies GitHub Workflows and is coming from a fork.
**It is very important for the reviewer to ensure that the workflow changes are appropriate.**
edit-mode: replace
- name: Find Note Comment
uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
id: fc_note
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: 'github-actions[bot]'
body-includes: Workflow changes in this Pull Request have been approved!
- name: Update Comment
if: |
contains(github.event.pull_request.labels.*.name, 'approved')
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
comment-id: ${{ steps.fc_note.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
body: |
> **Note**
> Changes have been approved by a maintainer.
> [!NOTE]
> Workflow changes in this Pull Request have been approved!
reactions: |
hooray
edit-mode: append
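Review bot: unlike label-on-approval.yml, 'Update Comment' here has no `steps.fc_note.outputs.comment-id == ''` guard, so every run with the `approved` label appends 'Workflow changes in this Pull Request have been approved!' to the same comment again (or creates another when none is found), which reproduces the duplication in append form; add the same guard. Separately, the `body-includes` search string reads 'GitHub workflows' while the posted `body` reads 'GitHub Workflows'; if the match is case-sensitive the warning is never found and is re-created on each run, so align the casing.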
7 changes: 6 additions & 1 deletion CHANGELOG.rst
Expand Up @@ -4,12 +4,17 @@ Changelog

v0.52.0 (unreleased)
--------------------
Contributors to this version: David Huard (:user:`huard`).
Contributors to this version: David Huard (:user:`huard`), Trevor James Smith (:user:`Zeitsperre`).

Internal changes
^^^^^^^^^^^^^^^^
* Changed french translation of "wet days" from "jours mouillés" to "jours pluvieux". (:issue:`1825`, :pull:`1826`).

CI changes
^^^^^^^^^^
* `pip-tools` (`pip-compile`) has been used to generate a lock file with hashes for the CI dependencies. (:pull:`1841`).
* The ``main.yml`` workflow has been updated to use simpler trigger logic. (:pull:`1841`).
* A workflow bug has been fixed that was causing multiple duplicate comments to be made on Pull Requests originating from forks. (:pull:`1841`).
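Review bot: in reStructuredText a single-backtick `pip-tools` is interpreted text, not a literal; the new CI entry should use double backticks for ``pip-tools`` and ``pip-compile``, as the ``main.yml`` entry directly below it already does.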

v0.51.0 (2024-07-04)
--------------------
8 changes: 8 additions & 0 deletions CI/requirements_ci.in
@@ -0,0 +1,8 @@
bump-my-version==0.24.2
coveralls==4.0.1
deptry==0.16.2
flit==3.9.0
pip==24.1.2
pylint==3.2.5
tox==4.16.0
tox-gh==1.3.2
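Review bot: pinning `pip==24.1.2` here installs a hashed pip into the environment, but the `--require-hashes` install itself is performed by the pip that setup-python ships, which sits outside this lock; that is acceptable, just do not expect the pinned version to be the one doing the verification. Because every entry is an exact `==` pin, this `.in` and the generated requirements_ci.txt must be bumped together, otherwise the `.txt` hashes and the `.in` pins drift apart; keeping them side by side lets Dependabot's pip-compile support update both.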
