From 135086371b3b3a47bf483c020dcd3dd1e377cb91 Mon Sep 17 00:00:00 2001 From: Ryan May Date: Fri, 6 Dec 2024 14:07:47 -0700 Subject: [PATCH 1/3] CI: Set persist-credentials to false for checkout action This prevents leaking the credentials to later steps when we no longer need it. --- .github/workflows/cffcheck.yml | 2 ++ .github/workflows/code-analysis.yml | 2 ++ .github/workflows/docs-conda.yml | 1 + .github/workflows/docs.yml | 5 ++--- .github/workflows/linting.yml | 2 ++ .github/workflows/release.yml | 2 ++ .github/workflows/tests-conda.yml | 3 +++ .github/workflows/tests-pypi.yml | 3 +++ .github/workflows/unstable-builds.yml | 2 ++ 9 files changed, 19 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cffcheck.yml b/.github/workflows/cffcheck.yml index 6826803b73c..bf2fe34e9bd 100644 --- a/.github/workflows/cffcheck.yml +++ b/.github/workflows/cffcheck.yml @@ -18,6 +18,8 @@ jobs: steps: - name: Check out a copy of the repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Check validity of CITATION.cff uses: citation-file-format/cffconvert-github-action@2.0.0 diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml index 301d0c0ffd6..480d1f89ede 100644 --- a/.github/workflows/code-analysis.yml +++ b/.github/workflows/code-analysis.yml @@ -29,6 +29,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@v3 diff --git a/.github/workflows/docs-conda.yml b/.github/workflows/docs-conda.yml index 7f71014fbf5..2cb4171ec34 100644 --- a/.github/workflows/docs-conda.yml +++ b/.github/workflows/docs-conda.yml @@ -37,6 +37,7 @@ jobs: with: fetch-depth: 150 fetch-tags: true + persist-credentials: false - name: Install from Conda uses: ./.github/actions/install-conda diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 42e52cf864f..0508ee9cb15 100644 
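Review bot: With `persist-credentials: false` in place, the larger remaining exposure in this step is that both actions are referenced by mutable tags — `actions/checkout@v4` here and `citation-file-format/cffconvert-github-action@2.0.0` two lines below — and a tag can be moved to different code after the fact, so a compromised action would run with whatever the job's token allows. Pin each `uses:` to the full 40-character commit SHA of the intended release and keep the tag in a trailing comment so Dependabot can still track updates, e.g. `uses: actions/checkout@<full commit sha>  # v4`. The same applies to every `uses:` line this patch touches; I have not verified whether the repository pins by SHA elsewhere.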
--- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -40,9 +40,8 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 150 - - - name: Get tags - run: git fetch --depth=1 origin +refs/tags/*:refs/tags/* + fetch-tags: true + persist-credentials: false - name: Install using PyPI uses: ./.github/actions/install-pypi diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml index ae80f123555..cd50112f965 100644 --- a/.github/workflows/linting.yml +++ b/.github/workflows/linting.yml @@ -15,6 +15,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python 3 uses: actions/setup-python@v5 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d3c226f0395..0e119e268df 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,6 +11,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python id: setup diff --git a/.github/workflows/tests-conda.yml b/.github/workflows/tests-conda.yml index 329464321f6..3caed892a98 100644 --- a/.github/workflows/tests-conda.yml +++ b/.github/workflows/tests-conda.yml @@ -42,6 +42,7 @@ jobs: with: fetch-depth: 150 fetch-tags: true + persist-credentials: false - name: Install from Conda uses: ./.github/actions/install-conda @@ -66,6 +67,8 @@ jobs: steps: - name: Checkout source uses: actions/checkout@v4 + with: + persist-credentials: false - name: Download coverage artifacts uses: actions/download-artifact@v4 diff --git a/.github/workflows/tests-pypi.yml b/.github/workflows/tests-pypi.yml index c86a377d361..948977a7193 100644 --- a/.github/workflows/tests-pypi.yml +++ b/.github/workflows/tests-pypi.yml @@ -44,6 +44,7 @@ jobs: with: fetch-depth: 150 fetch-tags: true + persist-credentials: false - name: Generate minimum dependencies if: ${{ matrix.dep-versions == 'Minimum' }} 
@@ -94,6 +95,8 @@ jobs: steps: - name: Checkout source uses: actions/checkout@v4 + with: + persist-credentials: false - name: Download coverage artifacts uses: actions/download-artifact@v4 diff --git a/.github/workflows/unstable-builds.yml b/.github/workflows/unstable-builds.yml index a9d3ce483f0..88a50953013 100644 --- a/.github/workflows/unstable-builds.yml +++ b/.github/workflows/unstable-builds.yml @@ -21,6 +21,7 @@ jobs: with: fetch-depth: 150 fetch-tags: true + persist-credentials: false - name: Assemble test requirements run: | @@ -61,6 +62,7 @@ jobs: with: fetch-depth: 150 fetch-tags: true + persist-credentials: false - name: Assemble doc requirements run: | From 25c523d99ee8ad455ef8ecf697b3d594a815c894 Mon Sep 17 00:00:00 2001 From: Ryan May Date: Fri, 6 Dec 2024 14:14:05 -0700 Subject: [PATCH 2/3] CI: Move permissions from workflow-level to job-level This is a no-op for most of these since they have a single job, but in the case of docs this does restrict the contents write permission to just deployment, and not build. --- .github/workflows/assign-milestone.yml | 8 ++++---- .github/workflows/backport-prs.yml | 8 ++++---- .github/workflows/code-analysis.yml | 6 +++--- .github/workflows/docs.yml | 5 ++--- 4 files changed, 13 insertions(+), 14 deletions(-) diff --git a/.github/workflows/assign-milestone.yml b/.github/workflows/assign-milestone.yml index 4dba85d1af9..3464f57c154 100644 --- a/.github/workflows/assign-milestone.yml +++ b/.github/workflows/assign-milestone.yml @@ -6,12 +6,12 @@ on: types: [closed] branches: [main] -permissions: - pull-requests: write - issues: write - jobs: sync: + permissions: + pull-requests: write + issues: write + name: Assign Latest Milestone runs-on: ubuntu-latest steps: diff --git a/.github/workflows/backport-prs.yml b/.github/workflows/backport-prs.yml index 301a87479b8..64bf709a115 100644 --- a/.github/workflows/backport-prs.yml +++ b/.github/workflows/backport-prs.yml 
@@ -1,9 +1,5 @@ name: Backport PRs -permissions: - pull-requests: write - contents: write - on: pull_request_target: types: @@ -14,6 +10,10 @@ jobs: Backport: runs-on: ubuntu-latest if: github.event.pull_request.merged && contains( github.event.pull_request.labels.*.name, 'backport' ) + permissions: + pull-requests: write + contents: write + steps: - name: Checkout PR HEAD uses: actions/checkout@v4 diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml index 480d1f89ede..0ab8cf2cb3b 100644 --- a/.github/workflows/code-analysis.yml +++ b/.github/workflows/code-analysis.yml @@ -18,13 +18,13 @@ on: schedule: - cron: '0 8 * * 6' -permissions: - contents: read - security-events: write jobs: CodeQL: runs-on: ubuntu-latest + permissions: + contents: read + security-events: write steps: - name: Checkout repository diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 0508ee9cb15..312992cdf19 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -10,9 +10,6 @@ on: - v[0-9]+.[0-9]+.[0-9]+ pull_request: -permissions: - contents: write - concurrency: group: ${{ github.workflow}}-${{ github.head_ref }} cancel-in-progress: true @@ -66,6 +63,8 @@ jobs: runs-on: ubuntu-latest env: DOC_VERSION: dev + permissions: + contents: write steps: - name: Download doc build From e98a5a9530a208bd90fd6dfb5d611566a9a637df Mon Sep 17 00:00:00 2001 From: Ryan May Date: Fri, 6 Dec 2024 15:40:30 -0700 Subject: [PATCH 3/3] CI: Tweaks to improve security Mostly storing some uncontrolled inputs into intermediate environment variables to avoid some template injection issues. --- .github/workflows/automerge-dependabot.yml | 7 +++++-- .github/workflows/backport-prs.yml | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/.github/workflows/automerge-dependabot.yml b/.github/workflows/automerge-dependabot.yml index 9438025f02b..c8c26d28219 100644 --- a/.github/workflows/automerge-dependabot.yml 
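Review bot: Moving `pull-requests: write` and `contents: write` onto the `Backport` job does not reduce its exposure, because the job runs on `pull_request_target` (so the token belongs to the base repository) and the step right after the new block checks out PR HEAD. What keeps this from being a pwn-request is the `if:` line just above, which requires the PR to be merged and to carry a `backport` label, plus the fact that nothing visible executes PR-controlled code; that reasoning should be written down so a later edit does not silently break it. Suggest a comment above `if:` — `# Runs with a write token on pull_request_target. Only safe because the PR must already be merged and labelled by a collaborator and no PR-controlled code is executed; do not add build/test steps to this job.` The job's remaining steps are outside this hunk.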
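Review bot: The commit message's claim that `contents: write` is now limited to deployment only holds if the repository's default GITHUB_TOKEN permissions are read-only: deleting the top-level `permissions:` block means the build job, which has no `permissions:` of its own, falls back to the repository setting, which on older repositories is read/write for every scope. Keep an explicit read-only default at workflow level and let the deploy job override it, i.e. restore `permissions:` with `contents: read` at the top of docs.yml alongside the job-level `contents: write` added in the second hunk. The same top-level default is worth adding to assign-milestone.yml, backport-prs.yml and code-analysis.yml in this commit so that any job added later starts read-only instead of inheriting the repository default.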
+++ b/.github/workflows/automerge-dependabot.yml @@ -2,6 +2,7 @@ name: Auto-merge Dependabot PRs on: pull_request_target: + branches: [main] jobs: # @@ -12,6 +13,8 @@ jobs: if: github.actor == 'dependabot[bot]' env: GH_TOKEN: ${{ github.token }} + GH_REPO: ${{ github.repository }} + GH_PR: ${{ github.event.pull_request.number }} permissions: contents: write @@ -19,6 +22,6 @@ jobs: steps: - name: Set auto-merge - run: gh pr merge -R ${{ github.repository }} --merge --auto ${{ github.event.pull_request.number }} + run: gh pr merge -R "$GH_REPO" --merge --auto "$GH_PR" - name: Review PR - run: gh pr review -R ${{ github.repository }} --approve ${{ github.event.pull_request.number }} \ No newline at end of file + run: gh pr review -R "$GH_REPO" --approve "$GH_PR" \ No newline at end of file diff --git a/.github/workflows/backport-prs.yml b/.github/workflows/backport-prs.yml index 64bf709a115..00a0ed7fa6e 100644 --- a/.github/workflows/backport-prs.yml +++ b/.github/workflows/backport-prs.yml @@ -13,6 +13,9 @@ jobs: permissions: pull-requests: write contents: write + env: + GH_BASE_SHA: ${{ github.event.pull_request.base.sha }} + GH_HEAD_SHA: ${{ github.event.pull_request.head.sha }} steps: - name: Checkout PR HEAD @@ -22,7 +25,7 @@ jobs: fetch-depth: 100 - name: Fetch PR merge base - run: git fetch --no-tags --depth=100 origin ${{ github.event.pull_request.base.sha }} + run: git fetch --no-tags --depth=100 origin "$GH_BASE_SHA" - name: Set up git run: | @@ -38,7 +41,7 @@ jobs: - name: Apply PR commits to ${{ steps.get-branch.outputs.backport-branch}} branch run: | git checkout -b ${{ steps.get-branch.outputs.backport-branch}} origin/${{ steps.get-branch.outputs.backport-branch}} - git cherry-pick -x ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} + git cherry-pick -x "$GH_BASE_SHA".."$GH_HEAD_SHA" - name: Create backport PR id: create-pr
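Review bot: The job's gate on the `if:` line is `github.actor`, which on `pull_request_target` is whoever triggered the run rather than who authored the PR; tighten it to also check the author, `if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]'`. The env-var change itself is sound but belt-and-braces, since `github.repository` and `pull_request.number` were never attacker-controlled. `gh pr review --approve` also needs `pull-requests: write`; the lines between the second and third hunks are not shown, so I cannot confirm it is granted. The file still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while here.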
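Review bot: One interpolation of the same class survives in the last hunk: `git checkout -b ${{ steps.get-branch.outputs.backport-branch}} origin/${{ steps.get-branch.outputs.backport-branch}}` still expands a step output straight into the shell. The `get-branch` step is outside the hunk, so I cannot see where the branch name comes from; if it is derived from PR metadata (milestone, title, label text), give it the same treatment — add a step-level `env:` with `BACKPORT_BRANCH: ${{ steps.get-branch.outputs.backport-branch }}` and change the line to `git checkout -b "$BACKPORT_BRANCH" "origin/$BACKPORT_BRANCH"`. The interpolation in the step's `name:` is not shell-evaluated and can stay. Note that `base.sha` and `head.sha` are hex SHAs and were never injectable, so `GH_BASE_SHA`/`GH_HEAD_SHA` are hygiene rather than a fix.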