From 41031848dfad6f1428f38c7ee88c489e96374dd0 Mon Sep 17 00:00:00 2001
From: Gerald Pinder
Date: Sat, 14 Dec 2024 13:17:40 -0500
Subject: [PATCH] chore(ci): Add Github Action auditing
---
 .github/workflows/build-pr.yml | 15 +++++++
 .github/workflows/build.yml | 15 +++++++
 .github/workflows/flakehub-tagged.yml | 3 +-
 .github/workflows/post-release.yml | 48 ----------------------
 .github/workflows/release.yml | 57 ---------------------------
 .github/workflows/tag.yml | 4 ++
 .github/workflows/zizmor.yml | 36 +++++++++++++++++
 7 files changed, 72 insertions(+), 106 deletions(-)
 delete mode 100644 .github/workflows/post-release.yml
 delete mode 100644 .github/workflows/release.yml
 create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml
index bdba10ee..348e9fbf 100644
--- a/.github/workflows/build-pr.yml
+++ b/.github/workflows/build-pr.yml
@@ -30,6 +30,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -64,6 +65,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -100,6 +102,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -134,6 +137,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -165,6 +169,7 @@ jobs: # Setup repo and add caching - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}}
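Review bot: `persist-credentials: false` removes the token that `actions/checkout` would otherwise leave in `.git/config`, so any later step in this job that reaches the origin through git — a push, a fetch of a private ref, a tool that shells out to `git` — now fails with an authentication error instead of silently using the job token; the job bodies sit outside these hunks, so confirm none of them rely on it, and where one does, hand that single step an explicit token rather than re-enabling persistence. The same line is added in the other fourteen hunks of build-pr.yml and in every build.yml and tag.yml hunk, where the check applies identically (tag.yml's `fetch-tags: true` jobs look the most likely to push). Separately, these hunks check out `github.event.pull_request.head.ref` from `head.repo.full_name`, i.e. the fork's code; that is fine under the `pull_request` trigger, but if the trigger (not in the hunk) is `pull_request_target`, dropping persisted credentials does not by itself make it safe to run that checkout alongside secrets, and a comment such as `# fork head: only safe under the pull_request trigger` above the `ref:` line would record the assumption.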
@@ -183,6 +188,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -201,6 +207,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -233,6 +240,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -271,6 +279,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -312,6 +321,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -360,6 +370,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -406,6 +417,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -449,6 +461,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -485,6 +498,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -525,6 +539,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a192c66d..d00c2090 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -25,6 +25,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -43,6 +44,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -78,6 +80,7 @@ jobs: # Setup repo and add caching - uses: actions/checkout@v4 with: + persist-credentials: false ref: main - name: Login to GitHub Container Registry
@@ -119,6 +122,7 @@ jobs: # Setup repo and add caching - uses: actions/checkout@v4 with: + persist-credentials: false ref: main - name: Login to GitHub Container Registry
@@ -158,6 +162,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -204,6 +209,7 @@ jobs: # Setup repo and add caching - uses: actions/checkout@v4 with: + persist-credentials: false ref: main - name: Login to GitHub Container Registry
@@ -240,6 +246,7 @@ jobs: # Setup repo and add caching - uses: actions/checkout@v4 with: + persist-credentials: false ref: main - name: Run integration tests
@@ -275,6 +282,7 @@ jobs: # Setup repo and add caching - uses: actions/checkout@v4 with: + persist-credentials: false ref: main - name: Expose GitHub Runtime
@@ -311,6 +319,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false ref: main - name: Expose GitHub Runtime
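Review bot: The `ref: ${{github.event.pull_request.head.ref}}` and `repository:` context lines of build.yml's first hunk (and of its -43, -158, -355, -598 and -641 hunks) evaluate to empty strings on any event that is not a pull request, while the neighbouring jobs in the same file check out `ref: main`; `actions/checkout` then falls back to the triggering ref and repository, so the step works, but nothing records whether that is intended or a copy from build-pr.yml. A one-line comment above `ref:` such as `# empty outside pull_request events; checkout then uses the triggering ref` would remove the ambiguity, or the expression could be dropped in jobs that only run on push. The workflow's `on:` block is outside every hunk, so this is inferred from the mixed `ref:` forms alone.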
@@ -355,6 +364,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -406,6 +416,7 @@ jobs: # Setup repo and add caching - uses: actions/checkout@v4 with: + persist-credentials: false ref: main
@@ -514,6 +525,7 @@ jobs: # Setup repo and add caching - uses: actions/checkout@v4 with: + persist-credentials: false ref: main
@@ -560,6 +572,7 @@ jobs: # Setup repo and add caching - uses: actions/checkout@v4 with: + persist-credentials: false ref: main
@@ -598,6 +611,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -641,6 +655,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}}
diff --git a/.github/workflows/flakehub-tagged.yml b/.github/workflows/flakehub-tagged.yml
index 72061321..2c2b4840 100644
--- a/.github/workflows/flakehub-tagged.yml
+++ b/.github/workflows/flakehub-tagged.yml
@@ -16,8 +16,9 @@ jobs:
 id-token: "write"
 contents: "read"
 steps:
- - uses: "actions/checkout@v3"
+ - uses: "actions/checkout@v4"
 with:
+ persist-credentials: false
 ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}"
 - uses: "DeterminateSystems/nix-installer-action@main"
 - uses: "DeterminateSystems/flakehub-push@main"
diff --git a/.github/workflows/post-release.yml b/.github/workflows/post-release.yml
deleted file mode 100644
index 6c9febd0..00000000
--- a/.github/workflows/post-release.yml
+++ /dev/null
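Review bot: The two `DeterminateSystems/...@main` steps left as context in the flakehub-tagged.yml hunk are pinned to a moving branch, so whatever lands on that branch next runs inside a job that holds `id-token: "write"`; the commit bumps checkout to `@v4` but leaves these, and the `unpinned-uses` audit of the zizmor workflow this same commit adds is designed to report exactly this kind of ref on its first run. Pin both to a release tag or, better, a full commit SHA, e.g. `- uses: "DeterminateSystems/nix-installer-action@<RELEASE_TAG_OR_SHA>"` (placeholder), and the same for `flakehub-push`. The `ref:` expression is consumed by `with:` rather than interpolated into a `run:` script, so it does not add an injection path on its own.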
@@ -1,48 +0,0 @@ -name: Post-release version bump - -# how to trigger: https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow -on: - workflow_dispatch: - -env: - CARGO_TERM_COLOR: always - -jobs: - ci: - if: github.repository == 'blue-build/cli' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - uses: actions/cache@v4 - with: - path: | - target/ - ~/.cargo/bin/ - ~/.cargo/git/db/ - ~/.cargo/registry/index/ - ~/.cargo/registry/cache/ - key: ${{ runner.os }}-cargo-build-stable-${{ hashFiles('**/Cargo.toml') }} - - - name: Install just - run: sudo snap install --edge --classic just - - # Cargo returns an exit code of 1 if already installed - - name: Install cargo-release - continue-on-error: true - run: cargo install cargo-release --force - - - name: Git setup - run: just cargo-post-release --execute - - - name: Create PR - uses: peter-evans/create-pull-request@v5 - with: - delete-branch: true - base: "main" - title: "Bump Version after Release" - body: | - Bump version after release - This PR has been auto-generated
\ No newline at end of file
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index eafb2bb3..00000000
--- a/.github/workflows/release.yml
+++ /dev/null
@@ -1,57 +0,0 @@ -name: Release - -on: - workflow_dispatch: - -env: - CARGO_TERM_COLOR: always - -jobs: - release: - if: github.repository == 'blue-build/cli' - runs-on: ubuntu-latest - permissions: - id-token: write - contents: write - packages: write - - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - uses: actions/cache@v4 - with: - path: | - target/ - ~/.cargo/bin/ - ~/.cargo/git/db/ - ~/.cargo/registry/index/ - ~/.cargo/registry/cache/ - key: ${{ runner.os }}-cargo-build-stable-${{ hashFiles('**/Cargo.toml') }} - - - name: Install just - run: sudo snap install --edge --classic just - - # Cargo returns an exit code of 1 if already installed - - name: Install cargo-release - continue-on-error: true - run: cargo install cargo-release --force - - - name: Git setup - run: | - git config user.name github-actions - git config user.email github-actions@github.com - - - name: Setup release - run: just cargo-release --execute - - - name: Create PR - uses: peter-evans/create-pull-request@v5 - with: - delete-branch: true - base: "main" - title: "Preparing Next Release" - body: | - Preparing next release - This PR has been auto-generated
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
index 08a31b95..626d21a1 100644
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@@ -27,6 +27,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 fetch-tags: true
@@ -61,6 +62,7 @@ jobs: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 fetch-tags: true
@@ -83,6 +85,7 @@ jobs: steps: - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 fetch-tags: true
@@ -122,6 +125,7 @@ jobs: # Setup repo and add caching - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 fetch-tags: true
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 00000000..d59a9690
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,36 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+jobs:
+ zizmor:
+ name: zizmor latest via PyPI
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ # required for workflows in private repositories
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - name: Install the latest version of uv
+ uses: astral-sh/setup-uv@v4
+
+ - name: Run zizmor 🌈
+ run: uvx zizmor --format sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
+ category: zizmor
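Review bot: The `Run zizmor` step is a plain shell redirect, so the step's outcome is zizmor's own exit status, and recent zizmor releases exit non-zero whenever findings are present; on the first real finding the job fails before `Upload SARIF file` runs and nothing reaches code scanning (verify against the version `uvx` resolves). Adding `if: always()` to the upload step, or passing `--no-exit-codes` and letting code scanning gate on severity, keeps the SARIF flowing either way. `uvx zizmor` also installs whatever PyPI serves on the day and runs it with `GH_TOKEN` in its environment; pinning the version (`uvx zizmor==<VERSION>`, placeholder) makes the audit reproducible and narrows the supply-chain exposure, and the three `@vN` tag refs are mutable pins too, worth moving to commit SHAs if the repository wants the audit's stricter pinning policy. The `permissions` block is otherwise minimal for an upload-sarif job.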