forked from python-telegram-bot/python-telegram-bot
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add Static Security Analysis of GitHub Actions Workflows (python-tele…
- Loading branch information
1 parent
2ac5201
commit 4afe174
Showing
13 changed files
with
89 additions
and
45 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -16,22 +16,23 @@ jobs: | |
|
|
||
| - name: Fetch Dependabot metadata | ||
| id: dependabot-metadata | ||
| uses: dependabot/[email protected] | ||
| uses: dependabot/fetch-metadata@dbb049abf0d677abbd7f7eee0375145b417fdd34 # v2.2.0 | ||
|
|
||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.ref }} | ||
| persist-credentials: false | ||
|
|
||
| - name: Update Version Number in Other Files | ||
| uses: jacobtomlinson/gha-find-replace@v3 | ||
| uses: jacobtomlinson/gha-find-replace@f1069b438f125e5395d84d1c6fd3b559a7880cb5 # v3 | ||
| with: | ||
| find: ${{ steps.dependabot-metadata.outputs.previous-version }} | ||
| replace: ${{ steps.dependabot-metadata.outputs.new-version }} | ||
| regex: false | ||
| exclude: CHANGES.rst | ||
|
|
||
| - name: Commit & Push Changes to PR | ||
| uses: EndBug/[email protected] | ||
| uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4 | ||
| with: | ||
| message: 'Update version number in other files' | ||
| committer_name: GitHub Actions | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| name: GitHub Actions Security Analysis | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - master | ||
| pull_request: | ||
|
|
||
| jobs: | ||
| zizmor: | ||
| name: Security Analysis with zizmor | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| security-events: write | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| with: | ||
| persist-credentials: false | ||
| - name: Install the latest version of uv | ||
| uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4.2.0 | ||
| - name: Run zizmor | ||
| run: uvx zizmor --persona=pedantic --format sarif . > results.sarif | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Upload SARIF file | ||
| uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 | ||
| with: | ||
| sarif_file: results.sarif | ||
| category: zizmor |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -11,7 +11,7 @@ jobs: | |
| pull-requests: write # for srvaroa/labeler to add labels in PR | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: srvaroa/[email protected] | ||
| - uses: srvaroa/labeler@fe4b1c73bb8abf2f14a44a6912a8b4fee835d631 # v1.12.0 | ||
| # Config file at .github/labeler.yml | ||
| env: | ||
| GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -8,7 +8,7 @@ jobs: | |
| lock: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: dessant/[email protected] | ||
| - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1 | ||
| with: | ||
| github-token: ${{ github.token }} | ||
| issue-inactive-days: '7' | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -12,9 +12,11 @@ jobs: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| with: | ||
| persist-credentials: false | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 | ||
| with: | ||
| python-version: "3.x" | ||
| - name: Install pypa/build | ||
|
|
@@ -23,7 +25,7 @@ jobs: | |
| - name: Build a binary wheel and a source tarball | ||
| run: python3 -m build | ||
| - name: Store the distribution packages | ||
| uses: actions/upload-artifact@v4 | ||
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | ||
| with: | ||
| name: python-package-distributions | ||
| path: dist/ | ||
|
|
@@ -47,12 +49,12 @@ jobs: | |
|
|
||
| steps: | ||
| - name: Download all the dists | ||
| uses: actions/download-artifact@v4 | ||
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | ||
| with: | ||
| name: python-package-distributions | ||
| path: dist/ | ||
| - name: Publish to PyPI | ||
| uses: pypa/gh-action-pypi-publish@release/v1 | ||
| uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v1.12.3 | ||
|
|
||
| compute-signatures: | ||
| name: Compute SHA1 Sums and Sign with Sigstore | ||
|
|
@@ -65,7 +67,7 @@ jobs: | |
|
|
||
| steps: | ||
| - name: Download all the dists | ||
| uses: actions/download-artifact@v4 | ||
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | ||
| with: | ||
| name: python-package-distributions | ||
| path: dist/ | ||
|
|
@@ -77,13 +79,13 @@ jobs: | |
| sha1sum $file > $file.sha1 | ||
| done | ||
| - name: Sign the dists with Sigstore | ||
| uses: sigstore/[email protected] | ||
| uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0 | ||
| with: | ||
| inputs: >- | ||
| ./dist/*.tar.gz | ||
| ./dist/*.whl | ||
| - name: Store the distribution packages and signatures | ||
| uses: actions/upload-artifact@v4 | ||
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | ||
| with: | ||
| name: python-package-distributions-and-signatures | ||
| path: dist/ | ||
|
|
@@ -101,7 +103,7 @@ jobs: | |
|
|
||
| steps: | ||
| - name: Download all the dists | ||
| uses: actions/download-artifact@v4 | ||
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | ||
| with: | ||
| name: python-package-distributions-and-signatures | ||
| path: dist/ | ||
|
|
@@ -113,7 +115,7 @@ jobs: | |
| # we don't define it through this workflow. | ||
| run: >- | ||
| gh release create | ||
| '${{ env.TAG }}' | ||
| "$TAG" | ||
| --repo '${{ github.repository }}' | ||
| --generate-notes | ||
| - name: Upload artifact signatures to GitHub Release | ||
|
|
@@ -125,5 +127,5 @@ jobs: | |
| # sigstore-produced signatures and certificates. | ||
| run: >- | ||
| gh release upload | ||
| '${{ env.TAG }}' dist/** | ||
| "$TAG" dist/** | ||
| --repo '${{ github.repository }}' | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -12,9 +12,11 @@ jobs: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| with: | ||
| persist-credentials: false | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 | ||
| with: | ||
| python-version: "3.x" | ||
| - name: Install pypa/build | ||
|
|
@@ -23,7 +25,7 @@ jobs: | |
| - name: Build a binary wheel and a source tarball | ||
| run: python3 -m build | ||
| - name: Store the distribution packages | ||
| uses: actions/upload-artifact@v4 | ||
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | ||
| with: | ||
| name: python-package-distributions | ||
| path: dist/ | ||
|
|
@@ -47,12 +49,12 @@ jobs: | |
|
|
||
| steps: | ||
| - name: Download all the dists | ||
| uses: actions/download-artifact@v4 | ||
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | ||
| with: | ||
| name: python-package-distributions | ||
| path: dist/ | ||
| - name: Publish to Test PyPI | ||
| uses: pypa/gh-action-pypi-publish@release/v1 | ||
| uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v1.12.3 | ||
| with: | ||
| repository-url: https://test.pypi.org/legacy/ | ||
|
|
||
|
|
@@ -67,7 +69,7 @@ jobs: | |
|
|
||
| steps: | ||
| - name: Download all the dists | ||
| uses: actions/download-artifact@v4 | ||
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | ||
| with: | ||
| name: python-package-distributions | ||
| path: dist/ | ||
|
|
@@ -79,13 +81,13 @@ jobs: | |
| sha1sum $file > $file.sha1 | ||
| done | ||
| - name: Sign the dists with Sigstore | ||
| uses: sigstore/[email protected] | ||
| uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0 | ||
| with: | ||
| inputs: >- | ||
| ./dist/*.tar.gz | ||
| ./dist/*.whl | ||
| - name: Store the distribution packages and signatures | ||
| uses: actions/upload-artifact@v4 | ||
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | ||
| with: | ||
| name: python-package-distributions-and-signatures | ||
| path: dist/ | ||
|
|
@@ -103,7 +105,7 @@ jobs: | |
|
|
||
| steps: | ||
| - name: Download all the dists | ||
| uses: actions/download-artifact@v4 | ||
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | ||
| with: | ||
| name: python-package-distributions-and-signatures | ||
| path: dist/ | ||
|
|
@@ -115,7 +117,7 @@ jobs: | |
| # we don't define it through this workflow. | ||
| run: >- | ||
| gh release create | ||
| '${{ env.TAG }}' | ||
| "$TAG" | ||
| --repo '${{ github.repository }}' | ||
| --generate-notes | ||
| --draft | ||
|
|
@@ -128,5 +130,5 @@ jobs: | |
| # sigstore-produced signatures and certificates. | ||
| run: >- | ||
| gh release upload | ||
| '${{ env.TAG }}' dist/** | ||
| "$TAG" dist/** | ||
| --repo '${{ github.repository }}' | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -21,9 +21,11 @@ jobs: | |
| os: [ubuntu-latest] | ||
| fail-fast: False | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| with: | ||
| persist-credentials: false | ||
| - name: Set up Python ${{ matrix.python-version }} | ||
| uses: actions/setup-python@v5 | ||
| uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 | ||
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
| - name: Install dependencies | ||
|
|
@@ -41,7 +43,7 @@ jobs: | |
|
|
||
| - name: Test Summary | ||
| id: test_summary | ||
| uses: test-summary/[email protected] | ||
| uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4 | ||
| if: always() # always run, even if tests fail | ||
| with: | ||
| paths: .test_report_official.xml | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -24,9 +24,11 @@ jobs: | |
| os: [ubuntu-latest, windows-latest, macos-latest] | ||
| fail-fast: False | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| with: | ||
| persist-credentials: false | ||
| - name: Set up Python ${{ matrix.python-version }} | ||
| uses: actions/setup-python@v5 | ||
| uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 | ||
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
| cache: 'pip' | ||
|
|
@@ -79,22 +81,22 @@ jobs: | |
|
|
||
| - name: Test Summary | ||
| id: test_summary | ||
| uses: test-summary/[email protected] | ||
| uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4 | ||
| if: always() # always run, even if tests fail | ||
| with: | ||
| paths: | | ||
| .test_report_no_optionals_junit.xml | ||
| .test_report_optionals_junit.xml | ||
| - name: Submit coverage | ||
| uses: codecov/codecov-action@v5 | ||
| uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1 | ||
| with: | ||
| env_vars: OS,PYTHON | ||
| name: ${{ matrix.os }}-${{ matrix.python-version }} | ||
| fail_ci_if_error: true | ||
| token: ${{ secrets.CODECOV_TOKEN }} | ||
| - name: Upload test results to Codecov | ||
| uses: codecov/test-results-action@v1 | ||
| uses: codecov/test-results-action@9739113ad922ea0a9abb4b2c0f8bf6a4aa8ef820 # v1.0.1 | ||
| if: ${{ !cancelled() }} | ||
| with: | ||
| files: .test_report_no_optionals_junit.xml,.test_report_optionals_junit.xml | ||
|
|
||