From 4afe174b5c9865d1fcba2bed83b68eee5c298e6c Mon Sep 17 00:00:00 2001 From: Bibo-Joshi <22366557+Bibo-Joshi@users.noreply.github.com> Date: Fri, 13 Dec 2024 22:16:31 +0100 Subject: [PATCH] Add Static Security Analysis of GitHub Actions Workflows (#4606) --- .github/workflows/dependabot-prs.yml | 9 +++--- .github/workflows/docs-linkcheck.yml | 6 ++-- .github/workflows/docs.yml | 8 +++-- .github/workflows/gha_security.yml | 31 +++++++++++++++++++ .github/workflows/labelling.yml | 2 +- .github/workflows/lock.yml | 2 +- .github/workflows/release_pypi.yml | 24 +++++++------- .github/workflows/release_test_pypi.yml | 24 +++++++------- .github/workflows/stale.yml | 2 +- .github/workflows/test_official.yml | 8 +++-- .github/workflows/type_completeness.yml | 2 +- .../workflows/type_completeness_monthly.yml | 4 +-- .github/workflows/unit_tests.yml | 12 ++++--- 13 files changed, 89 insertions(+), 45 deletions(-) create mode 100644 .github/workflows/gha_security.yml diff --git a/.github/workflows/dependabot-prs.yml b/.github/workflows/dependabot-prs.yml index 58fbd304719..afb0fa6340e 100644 --- a/.github/workflows/dependabot-prs.yml +++ b/.github/workflows/dependabot-prs.yml @@ -16,14 +16,15 @@ jobs: - name: Fetch Dependabot metadata id: dependabot-metadata - uses: dependabot/fetch-metadata@v2.2.0 + uses: dependabot/fetch-metadata@dbb049abf0d677abbd7f7eee0375145b417fdd34 # v2.2.0 - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.ref }} + persist-credentials: false - name: Update Version Number in Other Files - uses: jacobtomlinson/gha-find-replace@v3 + uses: jacobtomlinson/gha-find-replace@f1069b438f125e5395d84d1c6fd3b559a7880cb5 # v3 with: find: ${{ steps.dependabot-metadata.outputs.previous-version }} replace: ${{ steps.dependabot-metadata.outputs.new-version }} @@ -31,7 +32,7 @@ jobs: exclude: CHANGES.rst - name: Commit & Push Changes to PR - uses: EndBug/add-and-commit@v9.1.4 + uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4 with: message: 'Update version number in other files' committer_name: GitHub Actions diff --git a/.github/workflows/docs-linkcheck.yml b/.github/workflows/docs-linkcheck.yml index ea78626c31b..cb1aa840daf 100644 --- a/.github/workflows/docs-linkcheck.yml +++ b/.github/workflows/docs-linkcheck.yml @@ -17,9 +17,11 @@ jobs: os: [ubuntu-latest] fail-fast: False steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: ${{ matrix.python-version }} - name: Install dependencies diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index b6a92ffdba8..c0ea937c181 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -18,9 +18,11 @@ jobs: os: [ubuntu-latest] fail-fast: False steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: ${{ matrix.python-version }} cache: 'pip' @@ -34,7 +36,7 @@ jobs: - name: Build docs run: sphinx-build docs/source docs/build/html -W --keep-going -j auto - name: Upload docs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: HTML Docs retention-days: 7 diff --git a/.github/workflows/gha_security.yml b/.github/workflows/gha_security.yml new file mode 100644 index 00000000000..74e4b756eac --- /dev/null +++ b/.github/workflows/gha_security.yml @@ -0,0 +1,31 @@ +name: GitHub Actions Security Analysis + +on: + push: + branches: + - master + pull_request: + +jobs: + zizmor: + name: Security Analysis with zizmor + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - name: Install the latest version of uv + uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4.2.0 + - name: Run zizmor + run: uvx zizmor --persona=pedantic --format sarif . > results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 + with: + sarif_file: results.sarif + category: zizmor \ No newline at end of file diff --git a/.github/workflows/labelling.yml b/.github/workflows/labelling.yml index beb9fa45b5c..60e3744d2d5 100644 --- a/.github/workflows/labelling.yml +++ b/.github/workflows/labelling.yml @@ -11,7 +11,7 @@ jobs: pull-requests: write # for srvaroa/labeler to add labels in PR runs-on: ubuntu-latest steps: - - uses: srvaroa/labeler@v1.12.0 + - uses: srvaroa/labeler@fe4b1c73bb8abf2f14a44a6912a8b4fee835d631 # v1.12.0 # Config file at .github/labeler.yml env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml index f2ab9d029b0..196b2c66704 100644 --- a/.github/workflows/lock.yml +++ b/.github/workflows/lock.yml @@ -8,7 +8,7 @@ jobs: lock: runs-on: ubuntu-latest steps: - - uses: dessant/lock-threads@v5.0.1 + - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1 with: github-token: ${{ github.token }} issue-inactive-days: '7' diff --git a/.github/workflows/release_pypi.yml b/.github/workflows/release_pypi.yml index 8ebfd48887e..518194e0513 100644 --- a/.github/workflows/release_pypi.yml +++ b/.github/workflows/release_pypi.yml @@ -12,9 +12,11 @@ jobs: TAG: ${{ steps.get_tag.outputs.TAG }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: "3.x" - name: Install pypa/build @@ -23,7 +25,7 @@ jobs: - name: Build a binary wheel and a source tarball run: python3 -m build - name: Store the distribution packages - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: python-package-distributions path: dist/ @@ -47,12 +49,12 @@ jobs: steps: - name: Download all the dists - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: python-package-distributions path: dist/ - name: Publish to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v1.12.3 compute-signatures: name: Compute SHA1 Sums and Sign with Sigstore @@ -65,7 +67,7 @@ jobs: steps: - name: Download all the dists - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: python-package-distributions path: dist/ @@ -77,13 +79,13 @@ jobs: sha1sum $file > $file.sha1 done - name: Sign the dists with Sigstore - uses: sigstore/gh-action-sigstore-python@v3.0.0 + uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0 with: inputs: >- ./dist/*.tar.gz ./dist/*.whl - name: Store the distribution packages and signatures - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: python-package-distributions-and-signatures path: dist/ @@ -101,7 +103,7 @@ jobs: steps: - name: Download all the dists - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: python-package-distributions-and-signatures path: dist/ @@ -113,7 +115,7 @@ jobs: # we don't define it through this workflow. run: >- gh release create - '${{ env.TAG }}' + "$TAG" --repo '${{ github.repository }}' --generate-notes - name: Upload artifact signatures to GitHub Release @@ -125,5 +127,5 @@ jobs: # sigstore-produced signatures and certificates. run: >- gh release upload - '${{ env.TAG }}' dist/** + "$TAG" dist/** --repo '${{ github.repository }}' diff --git a/.github/workflows/release_test_pypi.yml b/.github/workflows/release_test_pypi.yml index 6009a98d7e0..0c70ab4079a 100644 --- a/.github/workflows/release_test_pypi.yml +++ b/.github/workflows/release_test_pypi.yml @@ -12,9 +12,11 @@ jobs: TAG: ${{ steps.get_tag.outputs.TAG }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: "3.x" - name: Install pypa/build @@ -23,7 +25,7 @@ jobs: - name: Build a binary wheel and a source tarball run: python3 -m build - name: Store the distribution packages - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: python-package-distributions path: dist/ @@ -47,12 +49,12 @@ jobs: steps: - name: Download all the dists - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: python-package-distributions path: dist/ - name: Publish to Test PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v1.12.3 with: repository-url: https://test.pypi.org/legacy/ @@ -67,7 +69,7 @@ jobs: steps: - name: Download all the dists - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: python-package-distributions path: dist/ @@ -79,13 +81,13 @@ jobs: sha1sum $file > $file.sha1 done - name: Sign the dists with Sigstore - uses: sigstore/gh-action-sigstore-python@v3.0.0 + uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46 # v3.0.0 with: inputs: >- ./dist/*.tar.gz ./dist/*.whl - name: Store the distribution packages and signatures - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: python-package-distributions-and-signatures path: dist/ @@ -103,7 +105,7 @@ jobs: steps: - name: Download all the dists - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: python-package-distributions-and-signatures path: dist/ @@ -115,7 +117,7 @@ jobs: # we don't define it through this workflow. run: >- gh release create - '${{ env.TAG }}' + "$TAG" --repo '${{ github.repository }}' --generate-notes --draft @@ -128,5 +130,5 @@ jobs: # sigstore-produced signatures and certificates. run: >- gh release upload - '${{ env.TAG }}' dist/** + "$TAG" dist/** --repo '${{ github.repository }}' diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 3b07166b244..6baacdedc1b 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -7,7 +7,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@v9 + - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: # PRs never get stale days-before-stale: 3 diff --git a/.github/workflows/test_official.yml b/.github/workflows/test_official.yml index e5d87a5fd6a..cbf3b1b302f 100644 --- a/.github/workflows/test_official.yml +++ b/.github/workflows/test_official.yml @@ -21,9 +21,11 @@ jobs: os: [ubuntu-latest] fail-fast: False steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: ${{ matrix.python-version }} - name: Install dependencies @@ -41,7 +43,7 @@ jobs: - name: Test Summary id: test_summary - uses: test-summary/action@v2.4 + uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4 if: always() # always run, even if tests fail with: paths: .test_report_official.xml diff --git a/.github/workflows/type_completeness.yml b/.github/workflows/type_completeness.yml index afa120e0793..66b2f4f3d47 100644 --- a/.github/workflows/type_completeness.yml +++ b/.github/workflows/type_completeness.yml @@ -14,7 +14,7 @@ jobs: name: test-type-completeness runs-on: ubuntu-latest steps: - - uses: Bibo-Joshi/pyright-type-completeness@1.0.1 + - uses: Bibo-Joshi/pyright-type-completeness@c85a67ff3c66f51dcbb2d06bfcf4fe83a57d69cc # v1.0.1 with: package-name: telegram python-version: 3.12 diff --git a/.github/workflows/type_completeness_monthly.yml b/.github/workflows/type_completeness_monthly.yml index 64771d349d0..fecf73db948 100644 --- a/.github/workflows/type_completeness_monthly.yml +++ b/.github/workflows/type_completeness_monthly.yml @@ -9,14 +9,14 @@ jobs: name: test-type-completeness runs-on: ubuntu-latest steps: - - uses: Bibo-Joshi/pyright-type-completeness@1.0.1 + - uses: Bibo-Joshi/pyright-type-completeness@c85a67ff3c66f51dcbb2d06bfcf4fe83a57d69cc # v1.0.1 id: pyright-type-completeness with: package-name: telegram python-version: 3.12 pyright-version: ~=1.1.367 - name: Check Output - uses: jannekem/run-python-script-action@v1 + uses: jannekem/run-python-script-action@bbfca66c612a28f3eeca0ae40e1f810265e2ea68 # v1.7 env: TYPE_COMPLETENESS: ${{ steps.pyright-type-completeness.outputs.base-completeness-score }} with: diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml index 8eadb22ee07..76eff5ec8d6 100644 --- a/.github/workflows/unit_tests.yml +++ b/.github/workflows/unit_tests.yml @@ -24,9 +24,11 @@ jobs: os: [ubuntu-latest, windows-latest, macos-latest] fail-fast: False steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: python-version: ${{ matrix.python-version }} cache: 'pip' @@ -79,7 +81,7 @@ jobs: - name: Test Summary id: test_summary - uses: test-summary/action@v2.4 + uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4 if: always() # always run, even if tests fail with: paths: | @@ -87,14 +89,14 @@ jobs: .test_report_optionals_junit.xml - name: Submit coverage - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1 with: env_vars: OS,PYTHON name: ${{ matrix.os }}-${{ matrix.python-version }} fail_ci_if_error: true token: ${{ secrets.CODECOV_TOKEN }} - name: Upload test results to Codecov - uses: codecov/test-results-action@v1 + uses: codecov/test-results-action@9739113ad922ea0a9abb4b2c0f8bf6a4aa8ef820 # v1.0.1 if: ${{ !cancelled() }} with: files: .test_report_no_optionals_junit.xml,.test_report_optionals_junit.xml