Use zizmor to lint GitHub Actions #159

santisoler opened this issue Dec 10, 2024 · 1 comment
Labels
maintenance Maintenance tasks across the project

Comments

santisoler commented Dec 10, 2024

Description:

Security vulnerabilities in GitHub Actions can be exploited to introduce malicious code into deployed packages. See Issue 18027 from ultralytics. A way to mitigate the introduction of those security issues is to use zizmor, a static checker for GitHub Actions that can detect and report common security vulnerabilities in the workflow YAML files. Read this blogpost by woodruffr to learn more about the particular attack that ultralytics suffered and how zizmor could have helped to prevent it.

Note

I'm not putting the full link to that issue to avoid too much noise there (it's already a long enough issue).

With this in mind, I think we should start using tools like zizmor to lower the risk of having security vulnerabilities in our packages.

For now I think we should:

  • Add a new target into our Makefiles that runs zizmor on every file under .github/workflows.
  • Add a new GitHub Action that runs zizmor.
  • Don't forget to add zizmor to the environment.yml (~~installs through pip, not conda for now~~ install through conda-forge since it's available now) and to env/requirements-style.txt.
  • (Optionally) Make use of shellcheck to lint the bash scripts we have in those Actions.
  • Update 2024-12-12: we should consider running zizmor with a GitHub API token to check for online vulnerabilities.

I already started applying these changes to Choclo (fatiando/choclo#114), so we can use it as a template.

Apply to:

Further instructions:

  • Start by opening Pull Requests on each repository listed above.
  • Optionally, we can open Issues on each repository if further discussion specific to that repository is needed.
  • Mention this Issue on every Issue or Pull Request opened on each repository: Related to fatiando/community#XX
  • Check off the repository on the list above once the Pull Request is merged.
  • Close this issue when all items are checked off.

We want your help!

We know that maintenance tasks are very demanding, so we don't expect a single person to tackle this issue by themselves. Any help is very welcome, so please comment below that you want to take care of the changes on any repository and we will assign it to you.

@santisoler
Member Author

Be aware of persisting the credentials when checking out gh-pages branch on documentation workflows: we need those credentials to be able to push to that branch. Moreover, it would be nice to add a set -e at the start of the deployment script, so it fails if any command ends with a non-zero status.

Check for reference: fatiando/choclo#122
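The following is an added, constructed example of a documentation deployment workflow that satisfies what the checklist and the comment above ask for; it is not code from any fatiando repository, and the workflow name, the doc build command, the `deploy` directory and the commit message are assumptions. The source checkout drops the token (the pattern zizmor's `artipacked` audit looks for), while the gh-pages checkout keeps it because the push step needs it, and the deploy script starts with `set -e` so a failing build command cannot be followed by a push.

```yaml
# .github/workflows/docs.yml (constructed example; build command and paths are assumed)
name: docs
on:
  push:
    branches: [main]

# Start the workflow with no token permissions; the job requests only what it needs.
permissions: {}

jobs:
  deploy-docs:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # required to push to gh-pages
    steps:
      - name: Checkout source
        uses: actions/checkout@v4
        with:
          # Nothing in this checkout pushes, so do not leave the token in
          # .git/config. zizmor's artipacked audit flags checkouts that omit this.
          persist-credentials: false

      - name: Build documentation
        run: make -C doc html   # assumed build command

      - name: Checkout gh-pages
        uses: actions/checkout@v4
        with:
          ref: gh-pages
          path: deploy
          # This checkout must keep the token: the deploy step below pushes to
          # gh-pages. Keep the exception explicit and scoped to this one step.
          persist-credentials: true

      - name: Deploy
        run: |
          # Abort on the first failing command instead of pushing a half-built site.
          # Keep this line if the script moves to its own file run with `bash file.sh`,
          # since a child bash does not inherit the runner's -e.
          set -e
          rm -rf deploy/*
          cp -r doc/_build/html/. deploy/
          cd deploy
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add -A
          git commit -m "Deploy docs from ${GITHUB_SHA}" || exit 0  # nothing changed
          git push origin gh-pages
```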
