Use `zizmor` to lint GitHub Actions

**Description:**

Security vulnerabilities in GitHub Actions can be exploited to introduce malicious code into deployed packages. See Issue 18027 from [`ultralytics`](https://github.com/ultralytics/ultralytics). A way to mitigate the introduction of those security issues is to use `zizmor`, a static checker for GitHub Actions that can detect and report common security vulnerabilities in the workflow YAML files. Read [this blogpost by `woodruffr`](https://blog.yossarian.net/2024/12/06/zizmor-ultralytics-injection) to learn more about the particular attack that `ultralytics` suffered and how `zizmor` could have helped to prevent it.

> [!NOTE]
> I'm not putting the full link to that issue to avoid too much noise there (it's already a long enough issue).

With this in mind, I think we should start using tools like `zizmor` to lower the risk of having security vulnerabilities in our packages.

For now I think we should:

- [ ] Add a new target into our `Makefile`s that run `zizmor` on every file under `.github/workflows`.
- [ ] Add a new GitHub Action that runs `zizmor`
- [ ] Don't forget to add `zizmor` to the `environment.yml` (~~installs through `pip`, not `conda` for now~~ install through conda-forge since it's available now) and to `env/requirements-style.txt`
- [ ] (Optionally) Make use of `shellcheck` to lint the bash scripts we have in those Actions.
- [ ] **Update 2024-12-12**: we should consider running zizmor with a GitHub API token to check for online vulnerabilities


I already started applying these changes to Choclo (https://github.com/fatiando/choclo/pull/114), so we can use it as a template.


**Apply to:**


- [ ] [boule](https://github.com/fatiando/boule)
- [x] [harmonica](https://github.com/fatiando/harmonica): https://github.com/fatiando/harmonica/pull/544
- [ ] [pooch](https://github.com/fatiando/pooch)
- [x] [verde](https://github.com/fatiando/verde)
- [x] [ensaio](https://github.com/fatiando/ensaio)
- [x] [choclo](https://github.com/fatiando/choclo): https://github.com/fatiando/choclo/pull/114
- [x] [magali](https://github.com/fatiando/magali)
- [ ] [dependente](https://github.com/fatiando/dependente)
- [ ] [burocrata](https://github.com/fatiando/burocrata)
- [ ] [website](https://github.com/fatiando/website)
- [ ] [tutorials](https://github.com/fatiando/tutorials)




**Further instructions:**

* Start by opening Pull Requests on each repository listed above.
* Optionally, we can open Issues on each repository if further discussion specific to that repository is needed.
* Mention this Issue on every Issue or Pull Request opened on each opened: `Related to fatiando/community#XX`
* Check-off the repository on the list above once the Pull Request is merged.
* Close this issue when all items are checked-off.

**We want your help!**

We know that maintenance tasks are very demanding, so we don't expect a single person to tackle this issue by themselves. Any help is very welcomed, so please comment below that you want to take care of the changes on any repository and we will assign it to you.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Use `zizmor` to lint GitHub Actions #159

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Use zizmor to lint GitHub Actions #159

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

Use `zizmor` to lint GitHub Actions #159