From b329515933915fd077495ea41de876119ac04c97 Mon Sep 17 00:00:00 2001
From: Eric Larson
Date: Tue, 10 Dec 2024 18:30:51 -0500
Subject: [PATCH] MAINT: Audit CIs using zizmor (#13011)
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Thomas Grainger
---
 .github/workflows/autofix.yml | 2 ++
 .github/workflows/codeql-analysis.yml | 8 +++++---
 .github/workflows/credit.yml | 11 ++++++-----
 .github/workflows/release.yml | 2 ++
 .github/workflows/tests.yml | 3 +++
 .pre-commit-config.yaml | 5 +++++
 doc/changes/devel/13011.other.rst | 1 +
 7 files changed, 24 insertions(+), 8 deletions(-)
 create mode 100644 doc/changes/devel/13011.other.rst
diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml
index 5214c911317..d8a99200783 100644
--- a/.github/workflows/autofix.yml
+++ b/.github/workflows/autofix.yml
@@ -13,6 +13,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v5
 with:
 python-version: '3.12'
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 7f348f80778..35a0d8fdc1a 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -39,6 +39,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
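Review bot: The checkout step now stops persisting the token, but `actions/checkout@v4` and `actions/setup-python@v5` in this hunk are still referenced by mutable major-version tags, so a moved or compromised tag would still run arbitrary code in the job with whatever permissions it has. Since the commit adopts zizmor, its `unpinned-uses` audit is the check that reports this (how loudly depends on the version and persona configured — worth confirming against v0.8.0). The usual fix is to pin to a full commit SHA and keep the version as a trailing comment so update bots can still track it, e.g. `- uses: actions/checkout@<commit-sha> # v4` (placeholder SHA). The same applies to the checkout and setup steps touched in codeql-analysis.yml, credit.yml, release.yml and tests.yml; each hunk's enclosing job starts outside the visible lines.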
@@ -48,11 +50,11 @@ jobs:
 # If you wish to specify custom queries, you can do so here or in a config file.
 # By default, queries listed here will override any specified in a config file.
 # Prefix the list here with "+" to use these queries and those in the config file.
-
+
 # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
 # queries: security-extended,security-and-quality
-
+
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
@@ -61,7 +63,7 @@ jobs:
 # ℹī¸ Command-line programs to run using the OS shell.
 # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
- # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
 # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
 # - run: |
diff --git a/.github/workflows/credit.yml b/.github/workflows/credit.yml
index 96ab7544034..8a6ab293cab 100644
--- a/.github/workflows/credit.yml
+++ b/.github/workflows/credit.yml
@@ -6,12 +6,11 @@ on: # yamllint disable-line rule:truthy
 - cron: '0 0 1 * *' # At 00:00 on day-of-month 1
 workflow_dispatch:
-permissions:
- contents: write
- pull-requests: write
-
 jobs:
 update_credit:
+ permissions:
+ contents: write
+ pull-requests: write
 name: Update
 runs-on: ubuntu-latest
 env:
@@ -19,6 +18,8 @@ jobs:
 GITHUB_TOKEN: ${{ github.token }}
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v5
 with:
 python-version: '3.12'
@@ -39,6 +40,6 @@ jobs:
 git checkout -b credit
 git commit -am "MAINT: Update code credit [ci skip]"
 git push origin credit
- PR_NUM=$(gh pr create --base main --head credit --title "MAINT: Update code credit" --body "Created by \"${{ github.workflow }}\" GitHub action." --label "no-changelog-entry-needed")
+ PR_NUM=$(gh pr create --base main --head credit --title "MAINT: Update code credit" --body "Created by credit GitHub action." --label "no-changelog-entry-needed")
 echo "Opened https://github.com/mne-tools/mne-python/pull/${PR_NUM}" >> $GITHUB_STEP_SUMMARY
 if: steps.status.outputs.dirty == 'true'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a004ff9ea21..90c83c8130a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,6 +17,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v5
 with:
 python-version: '3.10'
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index f0c9da989b3..40053f086cc 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -18,6 +18,8 @@ jobs:
 timeout-minutes: 3
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v5
 with:
 python-version: '3.12'
@@ -81,6 +83,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - run: ./tools/github_actions_env_vars.sh
 # Xvfb/OpenGL
 - uses: pyvista/setup-headless-display-action@v3
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index e08742406c7..e11e392ae25 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -80,6 +80,11 @@ repos:
 files: pyproject.toml
 additional_dependencies: ["mne"]
+ # zizmor
+ - repo: https://github.com/woodruffw/zizmor-pre-commit
+ rev: v0.8.0
+ hooks:
+ - id: zizmor
 # these should *not* be run on CIs:
 ci:
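Review bot: `git push origin credit` in this run step relies on credentials that the preceding credit.yml hunk removes: the checkout now sets `persist-credentials: false`, so the clone's git config no longer carries the token, and the `GITHUB_TOKEN: ${{ github.token }}` env var visible above is read by `gh` but not by plain `git push` over HTTPS. Unless a step outside these hunks configures git authentication (for example `gh auth setup-git`, or setting the remote URL with the token), the next scheduled run will likely fail at the push rather than at PR creation, which a dry run of the workflow_dispatch trigger would confirm. Replacing `${{ github.workflow }}` in the `--body` argument with a fixed string is the right fix for the expression-injection finding. The step's `run: |` block starts outside the hunk.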
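Review bot: The new zizmor hook carries no comment on what coverage a local pre-commit run provides; zizmor's audits that consult the GitHub API (`known-vulnerable-actions`, `impostor-commit`) need a token, which a developer's pre-commit environment typically lacks, so local runs and token-bearing CI runs can report different findings. A one-line comment above the hook, `# zizmor: online audits (known-vulnerable-actions, impostor-commit) need GH_TOKEN; local runs are offline-only`, would make the gap explicit, and the `ci:` stanza that starts at the end of the hunk should be checked for whether pre-commit.ci is meant to run or skip this hook. The `repos` list this entry belongs to begins outside the hunk.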
diff --git a/doc/changes/devel/13011.other.rst b/doc/changes/devel/13011.other.rst
new file mode 100644
index 00000000000..ad66c0cf223
--- /dev/null
+++ b/doc/changes/devel/13011.other.rst
@@ -0,0 +1 @@
+Repository CI security is now audited using `zizmor `__, by `Eric Larson`_.
\ No newline at end of file