
Apply security fixes to GitHub Actions #8526

Merged
merged 2 commits into from
Nov 4, 2024

Conversation

hugovk
Member

@hugovk hugovk commented Nov 2, 2024

There's a new tool that flags potential security issues in GitHub Actions workflows: https://github.com/woodruffw/zizmor

zizmor .
🌈 completed cifuzz.yml
🌈 completed release-drafter.yml
🌈 completed stale.yml
🌈 completed docs.yml
🌈 completed test-valgrind.yml
🌈 completed test-windows.yml
🌈 completed test-mingw.yml
🌈 completed test-docker.yml
🌈 completed lint.yml
🌈 completed test.yml
🌈 completed test-cygwin.yml
🌈 completed wheels.yml
error[excessive-permissions]: overly broad workflow or job-level permissions
 --> /Users/hugo/github/Pillow/.github/workflows/stale.yml:8:1
  |
8 | / permissions:
9 | |   issues: write
  | |_______________^ issues: write is overly broad at the workflow level
  |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/docs.yml:35:7
   |
35 |     - uses: actions/checkout@v4
   |       ------------------------- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-valgrind.yml:42:7
   |
42 |     - uses: actions/checkout@v4
   |       ------------------------- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-windows.yml:45:7
   |
45 |       - name: Checkout Pillow
   |  _______-
46 | |       uses: actions/checkout@v4
   | |_______________________________- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-windows.yml:48:7
   |
48 |       - name: Checkout cached dependencies
   |  _______-
49 | |       uses: actions/checkout@v4
50 | |       with:
51 | |         repository: python-pillow/pillow-depends
52 | |         path: winbuild\depends
   | |______________________________- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-windows.yml:54:7
   |
54 |       - name: Checkout extra test images
   |  _______-
55 | |       uses: actions/checkout@v4
...  |
59 | |
60 | |     # sets env: pythonLocation
   | |______________________________- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-mingw.yml:47:9
   |
47 |         - name: Checkout Pillow
   |  _________-
48 | |         uses: actions/checkout@v4
   | |_________________________________- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-docker.yml:67:7
   |
67 |     - uses: actions/checkout@v4
   |       ------------------------- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/lint.yml:23:7
   |
23 |     - uses: actions/checkout@v4
   |       ------------------------- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test.yml:65:7
   |
65 |     - uses: actions/checkout@v4
   |       ------------------------- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-cygwin.yml:49:9
   |
49 |         - name: Checkout Pillow
   |  _________-
50 | |         uses: actions/checkout@v4
   | |_________________________________- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/wheels.yml:62:9
   |
62 |         - uses: actions/checkout@v4
   |  _________-
63 | |         with:
64 | |           submodules: true
   | |__________________________- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> /Users/hugo/github/Pillow/.github/workflows/wheels.yml:255:7
    |
255 |     - uses: actions/checkout@v4
    |       ------------------------- does not set persist-credentials: false
    |

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> /Users/hugo/github/Pillow/.github/workflows/wheels.yml:133:9
    |
133 |         - uses: actions/checkout@v4
    |  _________-
134 | |         with:
135 | |           submodules: true
    | |__________________________- does not set persist-credentials: false
    |

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> /Users/hugo/github/Pillow/.github/workflows/wheels.yml:175:9
    |
175 |       - uses: actions/checkout@v4
    |         ------------------------- does not set persist-credentials: false
    |

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> /Users/hugo/github/Pillow/.github/workflows/wheels.yml:177:9
    |
177 |         - name: Checkout extra test images
    |  _________-
178 | |         uses: actions/checkout@v4
179 | |         with:
180 | |           repository: python-pillow/test-images
181 | |           path: Tests\test-images
    | |_________________________________- does not set persist-credentials: false
    |

16 findings (0 unknown, 0 informational, 0 low, 15 medium, 1 high)

Some of these could be ignored, like:

error[excessive-permissions]: overly broad workflow or job-level permissions
 --> /Users/hugo/github/Pillow/.github/workflows/stale.yml:8:1
  |
8 | / permissions:
9 | |   issues: write
  | |_______________^ issues: write is overly broad at the workflow level

Because there's only one job in this workflow, it only applies there. But it's easy enough to silence the error and means if we add another job later then we're covered.

@hugovk hugovk added the Testing label Nov 2, 2024
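As an added illustration of the two fixes the findings above call for (this is constructed example config, not the diff from this PR and not Pillow's actual workflow contents): `permissions` moves from the workflow level down to the one job that needs it, and every `actions/checkout` step sets `persist-credentials: false`. The job names, schedule and the `actions/stale` step are assumptions.

```yaml
# Before (the shape zizmor flagged as excessive-permissions): a workflow-level
# grant is inherited by every job in the file, including any job added later.
name: Close stale issues
on:
  schedule:
    - cron: "0 0 * * *"        # constructed schedule, not Pillow's
permissions:
  issues: write
jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@v9  # assumed step; the page does not show stale.yml's body

---
# After: the workflow grants nothing by default, and only the `stale` job
# receives `issues: write`. A new job added to this file starts with no token
# scopes unless it declares its own `permissions` block.
name: Close stale issues
on:
  schedule:
    - cron: "0 0 * * *"
permissions: {}
jobs:
  stale:
    runs-on: ubuntu-latest
    permissions:
      issues: write
    steps:
      - uses: actions/stale@v9

---
# artipacked fix, shown on a hypothetical test job: by default actions/checkout
# writes the job's GITHUB_TOKEN into .git/config so later git commands can
# authenticate. If that checkout directory is later packed into an artifact,
# the token travels with it. Setting persist-credentials: false leaves the
# token out of the working tree; steps that need to push must obtain it
# explicitly instead.
name: Test
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: echo "build and test steps go here"   # placeholder
```

The same `with: persist-credentials: false` entry is added to each flagged checkout step, alongside any existing `with:` keys such as `repository:`, `path:` or `submodules:`.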
@Yay295
Contributor

Yay295 commented Nov 3, 2024

relevant issue: actions/checkout#485

@radarhere radarhere merged commit 8973526 into python-pillow:main Nov 4, 2024
68 checks passed
@hugovk hugovk deleted the zizmor branch November 4, 2024 06:47