Harden GitHub Actions workflows
Update all GitHub Actions workflows following an analysis by `zizmor`
(https://github.com/woodruffw/zizmor). In particular, this avoids
persisting git credentials when the job does not need it (which I
believe is all but one job, which is a job that makes commits).

`zizmor` did have one more concern - overly permissive `read-all`
permissions - but this was not addressed because I think this is
okay, the project is entirely open so I don't see a risk of an
adversary reading anything.
ericcornelissen committed Dec 9, 2024
1 parent 0c0ea2c commit 806490b
Showing 5 changed files with 22 additions and 0 deletions.
4 changes: 4 additions & 0 deletions .github/workflows/audit.yml
@@ -23,6 +23,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@v5.1.0
with:
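Review bot: with `persist-credentials: false` the token that `actions/checkout` would otherwise write into `.git/config` is no longer available to later steps, so any step in this job that pushes, fetches from an authenticated remote, or otherwise runs `git` against `origin` with credentials will now fail outright instead of silently using the persisted token; please confirm nothing after the `Install Go` step shown in this hunk relies on it. A step that genuinely needs the token should receive it explicitly on that step (for example `GH_TOKEN: ${{ github.token }}`) rather than the whole job re-enabling persistence.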
@@ -42,6 +44,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@v5.1.0
with:
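Review bot: while hardening the checkout, consider pinning `uses: actions/checkout@v4.2.0` and `uses: actions/setup-go@v5.1.0` to their full commit SHAs, keeping the version in a trailing comment so Dependabot or Renovate can still track updates; a tag is a mutable ref that can be moved after review, whereas a SHA pin ties the job to exactly the code that was reviewed.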
12 changes: 12 additions & 0 deletions .github/workflows/check.yml
@@ -14,6 +14,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@v5.1.0
with:
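Review bot: the same `persist-credentials: false` block is repeated across all six jobs in this file with no comment explaining why it is there; a one-line YAML comment on at least the first occurrence (for example `# no step in this job pushes; do not persist the token`, or a reference to the `zizmor` finding) would stop a future edit from dropping it as apparently redundant, since the default of `true` silently restores the old behaviour.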
@@ -35,6 +37,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@v5.1.0
with:
@@ -60,6 +64,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@v5.1.0
with:
@@ -81,6 +87,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@v5.1.0
with:
@@ -102,6 +110,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@v5.1.0
with:
@@ -123,6 +133,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@v5.1.0
with:
2 changes: 2 additions & 0 deletions .github/workflows/codeql.yml
@@ -16,6 +16,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@v5.1.0
with:
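Review bot: the CodeQL init and analyze steps obtain their token through their own `token` input (which defaults to `github.token`), not from the git credential the checkout would have stored, so this change should not affect SARIF upload; still worth one run on a branch to confirm, and the job's `permissions` block, not shown in this hunk, needs to keep `security-events: write` for the upload to succeed.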
2 changes: 2 additions & 0 deletions .github/workflows/publish.yml
@@ -15,6 +15,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@v5.1.0
with:
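Review bot: the commit message says the one job that makes commits keeps credential persistence, yet this publish job also gets `persist-credentials: false`, so whatever it publishes must authenticate some other way; please verify that the release or publish steps following `Install Go` (not shown in the hunk) pass a token explicitly and do not run `git push --tags` or similar against `origin`, which would now fail.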
2 changes: 2 additions & 0 deletions .github/workflows/semgrep.yml
@@ -17,6 +17,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.0
with:
persist-credentials: false
- name: Install Go
uses: actions/setup-go@v5.1.0
with: