
Conversation

@hugovk
Member

@hugovk hugovk commented Nov 2, 2024

There's a new tool that flags potential security issues in GitHub Actions workflows: https://github.com/woodruffw/zizmor

zizmor .
🌈 completed cifuzz.yml
🌈 completed release-drafter.yml
🌈 completed stale.yml
🌈 completed docs.yml
🌈 completed test-valgrind.yml
🌈 completed test-windows.yml
🌈 completed test-mingw.yml
🌈 completed test-docker.yml
🌈 completed lint.yml
🌈 completed test.yml
🌈 completed test-cygwin.yml
🌈 completed wheels.yml
error[excessive-permissions]: overly broad workflow or job-level permissions
 --> /Users/hugo/github/Pillow/.github/workflows/stale.yml:8:1
  |
8 | / permissions:
9 | |   issues: write
  | |_______________^ issues: write is overly broad at the workflow level
  |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/docs.yml:35:7
   |
35 |     - uses: actions/checkout@v4
   |       ------------------------- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-valgrind.yml:42:7
   |
42 |     - uses: actions/checkout@v4
   |       ------------------------- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-windows.yml:45:7
   |
45 |       - name: Checkout Pillow
   |  _______-
46 | |       uses: actions/checkout@v4
   | |_______________________________- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-windows.yml:48:7
   |
48 |       - name: Checkout cached dependencies
   |  _______-
49 | |       uses: actions/checkout@v4
50 | |       with:
51 | |         repository: python-pillow/pillow-depends
52 | |         path: winbuild\depends
   | |______________________________- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-windows.yml:54:7
   |
54 |       - name: Checkout extra test images
   |  _______-
55 | |       uses: actions/checkout@v4
...  |
59 | |
60 | |     # sets env: pythonLocation
   | |______________________________- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-mingw.yml:47:9
   |
47 |         - name: Checkout Pillow
   |  _________-
48 | |         uses: actions/checkout@v4
   | |_________________________________- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-docker.yml:67:7
   |
67 |     - uses: actions/checkout@v4
   |       ------------------------- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/lint.yml:23:7
   |
23 |     - uses: actions/checkout@v4
   |       ------------------------- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test.yml:65:7
   |
65 |     - uses: actions/checkout@v4
   |       ------------------------- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-cygwin.yml:49:9
   |
49 |         - name: Checkout Pillow
   |  _________-
50 | |         uses: actions/checkout@v4
   | |_________________________________- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/wheels.yml:62:9
   |
62 |         - uses: actions/checkout@v4
   |  _________-
63 | |         with:
64 | |           submodules: true
   | |__________________________- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> /Users/hugo/github/Pillow/.github/workflows/wheels.yml:255:7
    |
255 |     - uses: actions/checkout@v4
    |       ------------------------- does not set persist-credentials: false
    |

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> /Users/hugo/github/Pillow/.github/workflows/wheels.yml:133:9
    |
133 |         - uses: actions/checkout@v4
    |  _________-
134 | |         with:
135 | |           submodules: true
    | |__________________________- does not set persist-credentials: false
    |

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> /Users/hugo/github/Pillow/.github/workflows/wheels.yml:175:9
    |
175 |       - uses: actions/checkout@v4
    |         ------------------------- does not set persist-credentials: false
    |

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> /Users/hugo/github/Pillow/.github/workflows/wheels.yml:177:9
    |
177 |         - name: Checkout extra test images
    |  _________-
178 | |         uses: actions/checkout@v4
179 | |         with:
180 | |           repository: python-pillow/test-images
181 | |           path: Tests\test-images
    | |_________________________________- does not set persist-credentials: false
    |

16 findings (0 unknown, 0 informational, 0 low, 15 medium, 1 high)

Some of these could be ignored, like:

error[excessive-permissions]: overly broad workflow or job-level permissions
 --> /Users/hugo/github/Pillow/.github/workflows/stale.yml:8:1
  |
8 | / permissions:
9 | |   issues: write
  | |_______________^ issues: write is overly broad at the workflow level

Because there's only one job in this workflow, it only applies there. But it's easy enough to silence the error, and it means that if we add another job later then we're covered.
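The two finding classes in the output above, shown side by side on a minimal workflow. This is an added illustration, not one of Pillow's workflows and not the diff of this PR; the workflow, job and step names are made up, and the `actions/stale`, `actions/checkout` and `actions/upload-artifact` versions are illustrative. `excessive-permissions` fires because a workflow-level `permissions:` block grants the `GITHUB_TOKEN` scope to every job, including any added later; `artipacked` fires because `actions/checkout` writes the token into `.git/config` by default, so a later `upload-artifact` of the workspace ships the credential inside the artifact.

```yaml
# Added example (not Pillow's own workflow). Two YAML documents in one file:
# the first is the shape zizmor flags, the second is the hardened form.
---
# BEFORE: flagged by both rules
name: example-before
on:
  schedule:
    - cron: "0 0 * * *"

permissions:          # workflow level: every job in this file gets issues:write
  issues: write       # -> error[excessive-permissions]

jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@v9

  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4       # default persist-credentials: true,
                                        # token stored in .git/config
                                        # -> warning[artipacked]
      - run: make build
      - uses: actions/upload-artifact@v4
        with:
          name: workspace
          path: .                       # includes .git/config, and with it the token

---
# AFTER: each job asks only for what it needs, and the token never
# reaches the checked-out tree
name: example-after
on:
  schedule:
    - cron: "0 0 * * *"

permissions: {}       # nothing granted at workflow level

jobs:
  stale:
    permissions:
      issues: write   # scoped to this job only; new jobs start with no grants
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@v9

  build:
    runs-on: ubuntu-latest              # inherits the empty workflow-level grant
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false    # token is not written to .git/config
      - run: make build
      - uses: actions/upload-artifact@v4
        with:
          name: build-output
          path: dist/                   # upload only the build output, not the repo
```

With a single job the two permission layouts are equivalent, which is the point made above; the job-level form is still worth the change because a job added later inherits the empty workflow-level grant instead of `issues: write`. One caveat when rolling out `persist-credentials: false` across every checkout: a step that pushes back to the repository (a release or auto-commit job) relies on the stored credential and needs an explicit token passed to that step instead.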

@hugovk hugovk added the Testing label Nov 2, 2024
@Yay295
Contributor

Yay295 commented Nov 3, 2024

Relevant issue: actions/checkout#485

@radarhere radarhere merged commit 8973526 into python-pillow:main Nov 4, 2024
68 checks passed
@hugovk hugovk deleted the zizmor branch November 4, 2024 06:47
