From fd43eae79fbf2829235802e7cbd4d02ed68e61c6 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Tue, 8 Jul 2025 19:07:19 -0400
Subject: [PATCH 1/4] CI: harden GHA configuration

This adjusts the defaults per suggestions of zizmor to reduce possible risks from giving GHA tasks more permissions that required.
---
 .github/workflows/black.yml | 2 ++
 .github/workflows/docs.yml | 2 ++
 .github/workflows/docs_publish.yml | 2 ++
 .github/workflows/flake8.yml | 2 ++
 .github/workflows/python-publish.yml | 2 ++
 .github/workflows/testing.yml | 2 ++
 6 files changed, 12 insertions(+)

diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
index e46b51e..3cc0e93 100644
--- a/.github/workflows/black.yml
+++ b/.github/workflows/black.yml
@@ -7,6 +7,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v2
 - name: Install Dependencies
 run: |
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 57fa344..7acc669 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -19,6 +19,8 @@ jobs:
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v2
diff --git a/.github/workflows/docs_publish.yml b/.github/workflows/docs_publish.yml
index a65db37..15f8293 100644
--- a/.github/workflows/docs_publish.yml
+++ b/.github/workflows/docs_publish.yml
@@ -28,6 +28,8 @@ jobs:
 export REPOSITORY_NAME=${GITHUB_REPOSITORY#*/} echo "REPOSITORY_NAME=${REPOSITORY_NAME}" >> $GITHUB_ENV
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v2
diff --git a/.github/workflows/flake8.yml b/.github/workflows/flake8.yml
index b746a8b..a7679c1 100644
--- a/.github/workflows/flake8.yml
+++ b/.github/workflows/flake8.yml
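Review bot: `persist-credentials: false` is added to the checkout step of black.yml without any in-file explanation, and the same applies to the identical additions in the docs.yml, docs_publish.yml, flake8.yml, python-publish.yml and testing.yml hunks of this commit; the zizmor rationale lives only in the commit message, which a later editor of the workflow will not see. A one-line comment above each `with:` block, `# do not leave GITHUB_TOKEN in the checkout's git config for later steps`, records why the default was overridden. docs_publish.yml's later deploy step appears to authenticate with `deploy_key` (visible in the 4/4 hunk), so presumably nothing in that job depends on the persisted token; python-publish.yml's later steps are outside its hunk and cannot be checked from here. The enclosing `steps:` list continues outside the hunk in every file.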
@@ -7,6 +7,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v2
 - name: Install Dependencies
 run: |
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index cf08702..4cfd1e4 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -16,6 +16,8 @@ jobs:
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v2
 with:
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index 2758bb2..08b7f52 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -24,6 +24,8 @@ jobs:
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v2

From 7f0fa7ea6f0cae8e19cad1a32fde2c50f51b1592 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Tue, 8 Jul 2025 19:34:23 -0400
Subject: [PATCH 2/4] CI: pin actions by SHA

This eliminates the possibility of a tag being changed under us.
---
 .github/workflows/docs.yml | 2 +-
 .github/workflows/docs_publish.yml | 2 +-
 .github/workflows/testing.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 7acc669..2295507 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -27,7 +27,7 @@ jobs:
 with:
 python-version: 3.9
- - uses: conda-incubator/setup-miniconda@v2
+ - uses: conda-incubator/setup-miniconda@9f54435e0e72c53962ee863144e47a4b094bfd35 # v2
 with:
 channels: conda-forge
 channel-priority: flexible
diff --git a/.github/workflows/docs_publish.yml b/.github/workflows/docs_publish.yml
index 15f8293..ea61fa3 100644
--- a/.github/workflows/docs_publish.yml
+++ b/.github/workflows/docs_publish.yml
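Review bot: Only `conda-incubator/setup-miniconda` is moved to a commit SHA in the docs.yml hunk; the `actions/setup-python@v2` context line just above the changed line (and in the docs_publish.yml and testing.yml hunks of this commit), together with the `actions/checkout@v2` references touched in 1/4, are still resolved through mutable tags, so the commit message's claim that a tag can no longer be changed underneath the workflow holds for one action per job out of three. Pin those the same way, `uses: actions/setup-python@<COMMIT-SHA-PLACEHOLDER> # vX.Y.Z`, with the SHA taken from the action's release. The `# v2` trailer records only a major tag, whereas the existing actions-gh-pages pin in docs_publish.yml records `# v3.7.3`, which lets a reviewer check the SHA against a specific release; the same form would help here. Separately, `python-version: 3.9` is an unquoted float that only works because 3.9 has no trailing zero; `python-version: "3.9"` guards against the `3.10` → `3.1` trap when the version is bumped.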
@@ -36,7 +36,7 @@ jobs:
 with:
 python-version: 3.9
- - uses: conda-incubator/setup-miniconda@v2
+ - uses: conda-incubator/setup-miniconda@9f54435e0e72c53962ee863144e47a4b094bfd35 # v2
 with:
 channels: conda-forge
 channel-priority: flexible
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index 08b7f52..887e91c 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -33,7 +33,7 @@ jobs:
 # This step is not expected to influence the test, since the test is run in Conda environment
 python-version: 3.9
- - uses: conda-incubator/setup-miniconda@v2
+ - uses: conda-incubator/setup-miniconda@9f54435e0e72c53962ee863144e47a4b094bfd35 # v2
 with:
 channels: conda-forge
 channel-priority: flexible

From 65c84e8213693d8a8d30832fbcaad45ea9e4570d Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Tue, 8 Jul 2025 20:32:58 -0400
Subject: [PATCH 3/4] CI: Restrict default permissions

Reduces risk of arbitrary code is run by attacker.
---
 .github/workflows/black.yml | 2 ++
 .github/workflows/docs.yml | 2 ++
 .github/workflows/flake8.yml | 2 ++
 .github/workflows/testing.yml | 2 ++
 4 files changed, 8 insertions(+)

diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
index 3cc0e93..c3ec149 100644
--- a/.github/workflows/black.yml
+++ b/.github/workflows/black.yml
@@ -1,4 +1,6 @@
 name: Style - BLACK
+permissions:
+ contents: read
 on: [push, pull_request]
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 2295507..39e4617 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,4 +1,6 @@
 name: Documentation
+permissions:
+ contents: read
 on: [push, pull_request]
diff --git a/.github/workflows/flake8.yml b/.github/workflows/flake8.yml
index a7679c1..424281d 100644
--- a/.github/workflows/flake8.yml
+++ b/.github/workflows/flake8.yml
@@ -1,4 +1,6 @@
 name: Style - FLAKE8
+permissions:
+ contents: read
 on: [push, pull_request]
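Review bot: The `permissions: contents: read` block added at the top of black.yml (and, identically, in the docs.yml, flake8.yml and testing.yml hunks of this commit) is not added to docs_publish.yml or python-publish.yml, which do not appear in this commit's diffstat, so those two workflows still run with the repository's default token grant even though they are the jobs that hold deploy secrets. docs_publish.yml's deploy step pushes through `deploy_key` (4/4 hunk) rather than the workflow token, so presumably `contents: read` would be sufficient there as well. What python-publish.yml needs (for example `id-token: write` if it uses trusted publishing) cannot be determined from this page and should be checked against its remaining steps before a block is added.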
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index 887e91c..a5ebcd1 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -1,4 +1,6 @@
 name: Tests
+permissions:
+ contents: read
 on:
 push:

From 91e45b46b773637433b9ccf5d3e1c7fb6902a005 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Tue, 8 Jul 2025 21:12:16 -0400
Subject: [PATCH 4/4] STY: update whitespace in yaml

---
 .github/workflows/docs_publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docs_publish.yml b/.github/workflows/docs_publish.yml
index ea61fa3..73dda87 100644
--- a/.github/workflows/docs_publish.yml
+++ b/.github/workflows/docs_publish.yml
@@ -79,7 +79,7 @@ jobs:
 - name: Deploy documentation to nsls-ii.github.io
 # We pin to the SHA, not the tag, for security reasons.
 # https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions
- uses: peaceiris/actions-gh-pages@bbdfb200618d235585ad98e965f4aafc39b4c501 # v3.7.3
+ uses: peaceiris/actions-gh-pages@bbdfb200618d235585ad98e965f4aafc39b4c501 # v3.7.3
 with:
 deploy_key: ${{ secrets.ACTIONS_DOCUMENTATION_DEPLOY_KEY }}
 publish_branch: master