Security linting of GHA workflows #2560

- Pin all action references to commit SHAs
- Add persist-credentials: false to all checkout steps
- Add explicit permissions blocks (workflow-level and per-job)
- Add environment for test-pypi job to scope secret access
- Add Dependabot cooldown configuration
- Suppress secrets-outside-env for CODECOV_TOKEN and PREFIX_API_KEY
- Suppress use-trusted-publishing info finding

Co-authored-by: Claude <noreply@anthropic.com>
| steps: | ||
| - uses: actions/checkout@v5 | ||
| - uses: astral-sh/setup-uv@v7 | ||
| - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 |
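Review bot: The trailing `# v5` comment on the pinned `actions/checkout` line names only the major tag, which is itself a moving ref, so a reader cannot tell which release 93cb6efe18208431cddfb8368fd83d5badbf9bfd corresponds to. Consider writing the exact release tag in the comment so the pin can be checked against upstream. The pinned replacement for `astral-sh/setup-uv@v7` is not visible in these lines; it should take the same SHA-plus-version-comment form.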
The main reason we need this is because tags in git are mutable. Someone can push the v5 tag to a commit with malicious code, hence getting arbitrary code execution. Setting these to SHAs prevents this. Dependabot autoupdates these, so we don't really need to worry about it (just when adding new actions, we use the SHA instead of the version).
This also stems from the fact GitHub Actions is bad
| schedule: | ||
| interval: "monthly" | ||
| cooldown: | ||
| default-days: 7 |
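Review bot: The `cooldown:` block with `default-days: 7` carries no comment explaining the choice. A one-line YAML comment above `cooldown:` stating that releases newer than 7 days are deliberately skipped would stop a later maintainer from removing it when a fresh release is not proposed. With `interval: "monthly"`, a release that falls inside the window at check time may wait until the following monthly run, so it is worth confirming that delay is acceptable.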
This means that Dependabot updates won't consider packages that have been released in the last 7 days.
https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
Will also have this for Pixi when prefix-dev/pixi#5786 gets merged and released
erikvansebille left a comment

Looks good; thanks for implementing this extra layer of security. The blog on why GitHub Actions is bad was an eye-opener...
This PR introduces Zizmor as a pre-commit hook.
Given the recent waves of AI-powered supply chain attacks, I think it's important that we have this.
AI Disclosure
zizmor .. I have checked everything (including that all the hashes match the versions - by running uv run https://gist.github.com/VeckoTheGecko/734b10cc78742b354c01055660ddf625).
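
An added example, not part of this PR or the linked gist: an offline check for the pinning rule the PR applies, flagging `uses:` references that are not a full commit SHA or that lack a version comment. The function name, the sample workflow and the second SHA are constructed for illustration; it does not contact GitHub to confirm that a SHA matches its tag.

```python
import re

# Matches a `uses:` step or job reference, with an optional trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text):
    """Return (line_no, reference, problem) for each reference that is not cleanly pinned."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        reference, comment = match.group(1), (match.group(2) or "").strip()
        # Local actions and container images are not git refs; out of scope here.
        if reference.startswith(("./", "docker://")):
            continue
        _, sep, ref = reference.rpartition("@")
        if not sep:
            findings.append((line_no, reference, "no ref given"))
        elif not FULL_SHA_RE.match(ref):
            findings.append((line_no, reference, "mutable ref (tag or branch)"))
        elif not comment:
            findings.append((line_no, reference, "pinned, but no version comment"))
    return findings


# Constructed sample: the checkout pin is the one shown in this PR's diff;
# the second SHA is a made-up placeholder, not a real setup-uv commit.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - uses: astral-sh/setup-uv@v7
      - uses: astral-sh/setup-uv@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-setup
"""

if __name__ == "__main__":
    for line_no, reference, problem in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {reference}: {problem}")
```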