From 0af6244b39282f346f4adeedf0e7d1eb0da82a07 Mon Sep 17 00:00:00 2001
From: Tommaso Comparin <3862206+tcompa@users.noreply.github.com>
Date: Thu, 9 Jan 2025 09:44:58 +0100
Subject: [PATCH 1/6] Add a bunch of `persist-credentials: false` to GitHub actions
---
 .github/workflows/documentation.yaml | 2 ++
 .github/workflows/end_to_end_tests.yaml | 5 +++--
 .github/workflows/github_release.yaml | 3 +--
 .github/workflows/lint_and_build.yaml | 5 +++--
 .github/workflows/unit_tests.yaml | 5 +++--
 5 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/documentation.yaml b/.github/workflows/documentation.yaml
index 4e10a2a1..980782d5 100644
--- a/.github/workflows/documentation.yaml
+++ b/.github/workflows/documentation.yaml
@@ -14,6 +14,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v4 with:
diff --git a/.github/workflows/end_to_end_tests.yaml b/.github/workflows/end_to_end_tests.yaml
index 83af1924..092804af 100644
--- a/.github/workflows/end_to_end_tests.yaml
+++ b/.github/workflows/end_to_end_tests.yaml
@@ -44,8 +44,9 @@ jobs: - 5556:5556 steps: - - name: Check out repo - uses: actions/checkout@v4 + - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up node uses: actions/setup-node@v4
diff --git a/.github/workflows/github_release.yaml b/.github/workflows/github_release.yaml
index b64f949a..60aab279 100644
--- a/.github/workflows/github_release.yaml
+++ b/.github/workflows/github_release.yaml
@@ -18,8 +18,7 @@ jobs: node-version: ['18', '20'] steps: - - name: Checkout - uses: actions/checkout@v4 + - uses: actions/checkout@v4 - name: Set up node uses: actions/setup-node@v4
diff --git a/.github/workflows/lint_and_build.yaml b/.github/workflows/lint_and_build.yaml
index cf4016ce..36029a51 100644
--- a/.github/workflows/lint_and_build.yaml
+++ b/.github/workflows/lint_and_build.yaml
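Review bot: `persist-credentials: false` on the documentation.yaml checkout removes the GITHUB_TOKEN that actions/checkout would otherwise store in the checkout's .git/config, so any later step in this job that pushes back to the repository (a docs deploy to a pages branch is the usual candidate; the rest of the job is outside this hunk) will now fail with an authentication error. If such a step exists, give it a token through its own input, e.g. `token: ${{ github.token }}` under that step's `with:`, rather than re-enabling persistence for the whole job. A one-line comment above the new option, such as `# zizmor: do not leave GITHUB_TOKEN in .git/config for later steps`, would record why it is there.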
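Review bot: The rewritten checkout step in end_to_end_tests.yaml still references the action by the mutable tag `actions/checkout@v4`, which resolves to whatever commit the upstream maintainers point the tag at; for a job that runs third-party code against live services this is the supply-chain gap that pinning tools (zizmor's unpinned-uses audit in its stricter setting, among others) report. Pin each action to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v4.x.y`, and let Dependabot or Renovate advance the SHA. The same applies to `actions/setup-node@v4` on the context line below and to the checkout steps in the other four workflows of this commit.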
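Review bot: Unlike the other four workflows in this commit, the github_release.yaml checkout only loses its `name:` and does not get `persist-credentials: false`, so at this commit the release job, which is presumably the one granted `contents: write`, is the only job still writing GITHUB_TOKEN into .git/config. Patch 5/6 of this series adds the missing `with:` / `persist-credentials: false` pair; squashing it here would keep every bisectable state consistent with the subject line. The Release step further down the file (outside this hunk) appears to take its token from the action's own input rather than from the checkout's git credentials, so disabling persistence should not break it, but confirm that against the action's documentation before merging.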
@@ -17,8 +17,9 @@ jobs: node-version: ['18', '20'] steps: - - name: Check out repo - uses: actions/checkout@v4 + - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up node uses: actions/setup-node@v4
diff --git a/.github/workflows/unit_tests.yaml b/.github/workflows/unit_tests.yaml
index 2c2060f4..31175384 100644
--- a/.github/workflows/unit_tests.yaml
+++ b/.github/workflows/unit_tests.yaml
@@ -17,8 +17,9 @@ jobs: node-version: ['18', '20'] steps: - - name: Check out repo - uses: actions/checkout@v4 + - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up node uses: actions/setup-node@v4
From 222e68d862aeeafd3ae3e3043731fc1596f96fd2 Mon Sep 17 00:00:00 2001
From: Tommaso Comparin <3862206+tcompa@users.noreply.github.com>
Date: Thu, 9 Jan 2025 09:53:22 +0100
Subject: [PATCH 2/6] Do not opt-in for npm cache within `github_release.yaml`
---
 .github/workflows/github_release.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/github_release.yaml b/.github/workflows/github_release.yaml
index 60aab279..5a13c99b 100644
--- a/.github/workflows/github_release.yaml
+++ b/.github/workflows/github_release.yaml
@@ -24,7 +24,6 @@ jobs: uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} - cache: npm - name: Install dependencies run: npm install
From 42c9bba42d06eb3e661c2c8cded1476ed0bc3c07 Mon Sep 17 00:00:00 2001
From: Tommaso Comparin <3862206+tcompa@users.noreply.github.com>
Date: Thu, 9 Jan 2025 09:58:00 +0100
Subject: [PATCH 3/6] Replace template expansion with env variable in `github_release.yaml`
---
 .github/workflows/github_release.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/github_release.yaml b/.github/workflows/github_release.yaml
index 5a13c99b..ae49f7e9 100644
--- a/.github/workflows/github_release.yaml
+++ b/.github/workflows/github_release.yaml
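Review bot: Dropping persisted git credentials in lint_and_build.yaml only covers the checkout; the job's GITHUB_TOKEN remains reachable from every step as `${{ github.token }}`, with whatever scopes the repository's default grants (often read/write). If the workflow does not already declare a top-level `permissions:` block (not visible in this hunk), add `permissions:` / `contents: read` at workflow level so a compromised lint or build dependency cannot use the token to push or publish; this is the complementary finding zizmor reports as excessive-permissions. The enclosing job definition starts before this hunk.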
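Review bot: The unit_tests.yaml hunk removes `- name: Check out repo` alongside the `persist-credentials: false` addition, which is unrelated to the audit fix and makes the step render as the bare action reference in job logs; the other workflows in this commit do the same. Keeping `- name: Check out repo` above `uses: actions/checkout@v4` costs nothing and keeps the log readable. If dropping the names is intentional, say so in the commit message so the change is not mistaken for an accident during a later review.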
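Review bot: With `cache: npm` gone from the release job, the context line `run: npm install` below is now the only dependency-resolution step, and `npm install` will silently resolve newer versions and rewrite the lockfile whenever package.json and package-lock.json disagree, so the `node_modules` that a later step packs into the release tarball may not match what was reviewed. For a release workflow use `run: npm ci`, which installs exactly what the lockfile pins and fails instead of drifting (this assumes a lockfile is committed, which the hunk cannot show). Removing the cache itself is the right call here, since a poisoned cache entry restored into a release build would ship straight to users.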
@@ -38,9 +38,13 @@ jobs: run: tar -xzf fractal-web-*.tgz - name: Repack the package removing parent folder - run: tar -C package -czf node-${{ matrix.node-version }}-fractal-web-${{ github.ref_name }}.tar.gz build package.json node_modules LICENSE + env: + GITHUB_REF_NAME: ${{ github.ref_name }} + run: tar -C package -czf node-${{ matrix.node-version }}-fractal-web-${GITHUB_REF_NAME}.tar.gz build package.json node_modules LICENSE - name: Release uses: softprops/action-gh-release@v2 + env: + GITHUB_REF_NAME: ${{ github.ref_name }} with: - files: node-${{ matrix.node-version }}-fractal-web-${{ github.ref_name }}.tar.gz + files: node-${{ matrix.node-version }}-fractal-web-${GITHUB_REF_NAME}.tar.gz
\ No newline at end of file
From ad1c4686bfde5cc441c9aa041b1383e260061ba3 Mon Sep 17 00:00:00 2001
From: Tommaso Comparin <3862206+tcompa@users.noreply.github.com>
Date: Thu, 9 Jan 2025 10:02:23 +0100
Subject: [PATCH 4/6] CHANGELOG [skip ci]
---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8fe2a465..c97e6337 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@ *Note: Numbers like (\#123) point to closed Pull Requests on the fractal-web repository.* +# Unreleased +* Fixed findings based on `zizmor 1.0.1` audit (\#687). + # 1.14.0 * Removed legacy version support (\#684);
From 10cc8855b1a62ac57b6028ca7c4e3e6465bfe1c6 Mon Sep 17 00:00:00 2001
From: Sonia Zorba
Date: Thu, 9 Jan 2025 14:08:06 +0100
Subject: [PATCH 5/6] Added missing persist-credentials option
---
 .github/workflows/github_release.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/github_release.yaml b/.github/workflows/github_release.yaml
index ae49f7e9..b3bc146b 100644
--- a/.github/workflows/github_release.yaml
+++ b/.github/workflows/github_release.yaml
@@ -19,6 +19,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up node uses: actions/setup-node@v4
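Review bot: The `files:` input of the Release step is an action input, not a shell command, so the new value `node-${{ matrix.node-version }}-fractal-web-${GITHUB_REF_NAME}.tar.gz` reaches softprops/action-gh-release as a literal string with `${GITHUB_REF_NAME}` unexpanded (the action's documentation does not claim shell-style variable expansion of inputs), its glob will not match the tarball built by the previous step, and the `env:` block added to that step does nothing for inputs. Template expansion inside `with:` is not the injection sink zizmor warns about (that is `run:`), so restore the original form there, `files: node-${{ matrix.node-version }}-fractal-web-${{ github.ref_name }}.tar.gz`, and drop the Release step's `env:` mapping. On the Repack step the move to an environment variable is the right fix; note that the runner already exports `GITHUB_REF_NAME` as a default variable, so the explicit mapping is redundant but harmless, and the still-unquoted filename on that `run:` line is handled by patch 6/6.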
From bf5e9dcaf63478a645aac06a9dd8dc9348beacb3 Mon Sep 17 00:00:00 2001
From: Sonia Zorba
Date: Thu, 9 Jan 2025 14:10:41 +0100
Subject: [PATCH 6/6] Added quotes on release tar file name
---
 .github/workflows/github_release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/github_release.yaml b/.github/workflows/github_release.yaml
index b3bc146b..d7a6a49c 100644
--- a/.github/workflows/github_release.yaml
+++ b/.github/workflows/github_release.yaml
@@ -42,7 +42,7 @@ jobs: - name: Repack the package removing parent folder env: GITHUB_REF_NAME: ${{ github.ref_name }} - run: tar -C package -czf node-${{ matrix.node-version }}-fractal-web-${GITHUB_REF_NAME}.tar.gz build package.json node_modules LICENSE + run: tar -C package -czf "node-${{ matrix.node-version }}-fractal-web-${GITHUB_REF_NAME}.tar.gz" build package.json node_modules LICENSE - name: Release uses: softprops/action-gh-release@v2
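Review bot: Quoting the archive name covers whitespace, but `${{ matrix.node-version }}` is still spliced straight into the `run:` line while the ref name was moved to an environment variable; the matrix values here are literals from the workflow file, so this is not injectable, but for consistency and to keep the script free of `${{ }}` add `NODE_VERSION: ${{ matrix.node-version }}` under the existing `env:` and write `-czf "node-${NODE_VERSION}-fractal-web-${GITHUB_REF_NAME}.tar.gz"`. Separately, a tag name containing `/` would turn the quoted filename into a path and make tar fail or write into a subdirectory the Release step does not look in; if the workflow's trigger (outside this hunk) already restricts tags to a flat pattern such as `v*` this is moot, otherwise a guard like `case "$GITHUB_REF_NAME" in */*) echo "unexpected ref name" >&2; exit 1;; esac` before the tar command keeps the artifact where it is expected.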