Skip to content

CI: Harden GHA configuration #166

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

CI: Harden GHA configuration #166

wants to merge 9 commits into from

Conversation

tacaswell
Copy link
Member

Apply recommended hardening steps including:

  • pinning to a SHA any actions used
  • not persisting the read token on checkout
  • setting the default permissions
  • adding a depandabot file for GHA

rougier
rougier reviewed Jul 18, 2025
View reviewed changes
cheatsheets.tex Outdated
@@ -264,7 +264,7 @@
\begin{multicols*}{5}
\begin{overpic}[width=\columnwidth,tics=6,trim=12 6 18 6, clip]{logo2.png}
\put (16.5,1.5) {\scriptsize\RobotoCon \textcolor[HTML]{11557c}{Cheat sheet}}
\put (80,1.5) {\tiny\Roboto \textcolor[HTML]{11557c}{Version 3.5.0}}
Copy link
Member

@rougier rougier Jul 18, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could algo generate a matplotlib-version.tex with a \newcommand\matplotlibversion{3.5.1} (proper version to be generated) and include this file in every tex files.

@tacaswell
Copy link
Member Author

this picked up more changes than I expected an is not started from main, re-basing!

tacaswell added 4 commits July 18, 2025 14:33
@tacaswell
CI: Restrict default permissions
1328b1c 
Reduces risk of arbitrary code is run by attacker.
@tacaswell
CI: Restrict default permissions
08b5a55 
Reduces risk of arbitrary code is run by attacker.
@tacaswell
CI: pin actions by SHA
042eff8 
This eliminates the possibility of a tag being changed under
us.
@tacaswell
CI: apply zizmor auto-fixes
25791eb
QuLogic
QuLogic reviewed Jul 22, 2025
View reviewed changes
.github/workflows/main.yaml
on: [push, pull_request]

jobs:
pre-commit:
permissions:
contents: read

runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v4
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not pinned.

.github/workflows/main.yaml Outdated
on: [push, pull_request]

jobs:
pre-commit:
permissions:
contents: read

runs-on: ubuntu-20.04
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does dependabot not suggest updating this? Isn't it deprecated?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think dependabot suggest updating images?

Copy link
Member

@QuLogic QuLogic Jul 24, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, it's probably why the CI isn't running, then.

.github/workflows/main.yaml
Comment on lines 22 to 25
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Neither is pinned.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

none of the wave of PRs pin the actions/XYZ to a sha.

.github/workflows/main.yaml Outdated
Comment on lines 79 to 85
- name: Output artifacts URL
run: |
echo 'Artifact URL:' \
'${{ steps.diffs-artifact-upload.outputs.artifact-url }}' \
'${STEPS_DIFFS_ARTIFACT_UPLOAD_OUTPUTS_ARTIFACT_URL}' \
>> $GITHUB_STEP_SUMMARY
env:
STEPS_DIFFS_ARTIFACT_UPLOAD_OUTPUTS_ARTIFACT_URL: ${{ steps.diffs-artifact-upload.outputs.artifact-url }}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we need this step at all any more; the build summary and artifacts are both displayed on the Summary page, so this is redundant.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@QuLogic QuLogic QuLogic left review comments

@rougier rougier rougier left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tacaswell @QuLogic @rougier
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy