
GHA security cleanup #3710

Merged: 3 commits from gha-security-cleanup into Unidata:main, Dec 10, 2024

Conversation

dopplershift (Member) commented Dec 6, 2024

Description Of Changes

In light of a recent supply chain attack on Ultralytics that leveraged some template expansion vulnerabilities in some GitHub Actions, this addresses some issues found by the zizmor tool:

  • Drop credentials after running actions/checkout whenever we don't need more git work
  • Move permissions into individual jobs, rather than at the top of the workflow. Most using special permissions only have a single job, but this does change the docs workflow to only have contents: write for deploy (removing from build)
  • Expand some PR parameters into intermediate environment variables to avoid template injection attacks

This prevents leaking the credentials to later steps when we no longer need it.

This is a no-op for most of these since they have a single job, but in the case of docs this does restrict the contents write permission to just deployment, and not build.

Mostly storing some uncontrolled inputs into intermediate environment variables to avoid some template injection issues.
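The three changes described above, shown together in one workflow. This is an added example, not MetPy's own workflow: the job names `build` and `deploy`, the hypothetical `greet` step, and the `PR_TITLE` variable are assumptions.

```yaml
# Added example (not the project's workflow). Demonstrates: job-level
# permissions, dropping checkout credentials, and passing untrusted PR
# data through an env var instead of expanding it into a script.
name: example-ci
on:
  pull_request:
  push:
    branches: [main]

permissions: {}          # nothing at workflow level; each job declares its own

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read     # build only reads the repo
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # no GITHUB_TOKEN left in .git/config for later steps

      # WEAK (commented out): the expression is substituted into the script
      # text before the shell parses it, so a PR title containing shell
      # metacharacters becomes part of the command, not just its argument.
      # - run: echo "Building for PR: ${{ github.event.pull_request.title }}"

      # HARDENED: the expression is expanded into an environment variable;
      # the shell only ever sees it as data via "$PR_TITLE".
      - name: greet
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Building for PR: $PR_TITLE"

      - run: make html      # hypothetical build step

  deploy:
    needs: build
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: write    # write is granted only to the deploy job
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: ./deploy.sh  # hypothetical deploy step using an explicitly passed token
```

Running zizmor against a workflow will flag the commented-out `run:` line (template injection), a checkout without `persist-credentials: false`, and workflow-level write permissions; the hardened form above clears all three findings.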
@dopplershift dopplershift added Area: Infrastructure Pertains to project infrastructure (e.g. CI, linting) Type: Maintenance Updates and clean ups (but not wrong) labels Dec 6, 2024
@dopplershift dopplershift requested a review from a team as a code owner December 6, 2024 22:47
@dopplershift dopplershift requested review from dcamron and removed request for a team December 6, 2024 22:47
dopplershift (Member, Author) commented:

Nightly failure is due to matplotlib 3.10.0rc1, which we'll deal with elsewhere.

@dopplershift dopplershift merged commit 31bd735 into Unidata:main Dec 10, 2024
41 of 42 checks passed
@dopplershift dopplershift deleted the gha-security-cleanup branch December 10, 2024 18:27
@github-actions github-actions bot added this to the 1.7.0 milestone Dec 10, 2024