From 806490b79956053d23143ddb9f53fe449976feb1 Mon Sep 17 00:00:00 2001
From: Eric Cornelissen
Date: Mon, 9 Dec 2024 23:13:37 +0100
Subject: [PATCH] Harden GitHub Actions workflows

Update all GitHub Actions workflows following an analysis by `zizmor` (https://github.com/woodruffw/zizmor). In particular, this avoids persisting git credentials when the job does not need it (which I believe is all but one job, which is a job that makes commits). `zizmor` did have one more concern - overly permissive `read-all` permissions - but this was not addressed because I think this is okay, the project is entirely open so I don't see a risk of an adversary reading anything.
---
 .github/workflows/audit.yml | 4 ++++
 .github/workflows/check.yml | 12 ++++++++++++
 .github/workflows/codeql.yml | 2 ++
 .github/workflows/publish.yml | 2 ++
 .github/workflows/semgrep.yml | 2 ++
 5 files changed, 22 insertions(+)
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index 2823c0a..1a77f28 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -23,6 +23,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4.2.0
+ with:
+ persist-credentials: false
 - name: Install Go
 uses: actions/setup-go@v5.1.0
 with:
@@ -42,6 +44,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4.2.0
+ with:
+ persist-credentials: false
 - name: Install Go
 uses: actions/setup-go@v5.1.0
 with:
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index e5d244a..e5e5143 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -14,6 +14,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4.2.0
+ with:
+ persist-credentials: false
 - name: Install Go
 uses: actions/setup-go@v5.1.0
 with:
@@ -35,6 +37,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4.2.0
+ with:
+ persist-credentials: false
 - name: Install Go
 uses: actions/setup-go@v5.1.0
 with:
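Review bot: The hardening stops at `persist-credentials`; every checkout and setup-go step in these hunks still references its action by a mutable tag (`actions/checkout@v4.2.0`, `actions/setup-go@v5.1.0`), so a moved or compromised tag would run different code in every workflow while the `persist-credentials: false` line gives no protection against that. Pinning to the full commit SHA and keeping the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4.2.0`, closes that gap, and tooling such as Dependabot can keep SHA pins and their version comments updated. The same point applies to the other hunks in audit.yml and check.yml and to the hunks in codeql.yml, publish.yml and semgrep.yml. The surrounding `steps:` lists continue outside each hunk, so any further `uses:` lines there should be pinned the same way.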
@@ -60,6 +64,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4.2.0
+ with:
+ persist-credentials: false
 - name: Install Go
 uses: actions/setup-go@v5.1.0
 with:
@@ -81,6 +87,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4.2.0
+ with:
+ persist-credentials: false
 - name: Install Go
 uses: actions/setup-go@v5.1.0
 with:
@@ -102,6 +110,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4.2.0
+ with:
+ persist-credentials: false
 - name: Install Go
 uses: actions/setup-go@v5.1.0
 with:
@@ -123,6 +133,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4.2.0
+ with:
+ persist-credentials: false
 - name: Install Go
 uses: actions/setup-go@v5.1.0
 with:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a1be118..dc5744c 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -16,6 +16,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4.2.0
+ with:
+ persist-credentials: false
 - name: Install Go
 uses: actions/setup-go@v5.1.0
 with:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 67ec3b3..1bf4994 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -15,6 +15,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4.2.0
+ with:
+ persist-credentials: false
 - name: Install Go
 uses: actions/setup-go@v5.1.0
 with:
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index f52c9f3..964a7ff 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -17,6 +17,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4.2.0
+ with:
+ persist-credentials: false
 - name: Install Go
 uses: actions/setup-go@v5.1.0
 with:
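Review bot: In the publish.yml hunk, `persist-credentials: false` leaves the checkout without a token in the repository's git config, so any later step in that job that pushes tags or commits through git would fail; the rest of the job is outside the hunk, so I cannot confirm it has no such step. The commit message says exactly one job keeps credentials because it makes commits, which suggests publish.yml releases through a separate token rather than `git push`. If that is the case, a one-line comment above the new `with:` such as `# checkout token not needed: this job does not push via git` would record the reason so the setting is not reverted during the next failed-release investigation.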