
Lint our GitHub Actions workflows with zizmor #2331

Open. Wants to merge 1 commit into base branch main.
Conversation

legoktm (Member) commented Dec 12, 2024

Status

Ready for review

Description

zizmor is a new tool to lint GitHub Actions workflows. For the most part our workflows are pretty low risk since we don't give it a bunch of credentials, but we can avoid issues in the future by locking them down now.

Two overall issues needed to be fixed:

  • setting persist-credentials: false for actions/checkout, which we do everywhere except in the workflows that need to push.
  • Don't use template expansion when we can use a normal bash variable.

While zizmor is written in Rust, it is also shipped as a prebuilt binary via PyPI, so we can set it as a poetry dependency and run it as part of our normal lint CI.

Refs freedomofpress/securedrop-tooling#18.

Test Plan

  • visual review
  • CI passes
  • team informed about new tool, etc.
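As an added illustration, not part of this PR's diff (which is not shown on this page), here is a minimal workflow that contains both of the patterns the description says zizmor flagged, in their corrected form, plus a lint step that runs zizmor through the project's Poetry environment. The workflow name, job layout, the PR-title step and the exact zizmor invocation are assumptions made for this example; the repository's real workflows may differ.

```yaml
name: lint
on: [pull_request]

permissions:
  contents: read   # explicit, minimal token scope (assumption: no step here needs more)

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # With the default (true), actions/checkout writes the job's
          # GITHUB_TOKEN into .git/config, where every later step, and any
          # dependency those steps run, can read it. Only workflows that need
          # to push should keep the default; everything else sets false.
          persist-credentials: false

      # Insecure form (constructed example of what zizmor's template-injection
      # check flags):
      #
      #   - run: echo "Checking ${{ github.event.pull_request.title }}"
      #
      # ${{ ... }} is expanded by the runner before the shell ever sees the
      # script, so a PR title containing shell metacharacters is spliced in
      # as shell code. Passing the value through env makes it data: the shell
      # expands "$PR_TITLE" as an ordinary variable with no re-parsing.
      - name: Show PR title safely
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Checking $PR_TITLE"

      # zizmor is declared as a Poetry dev dependency (as the description
      # proposes) and run against the workflows directory. The install step
      # and the path argument are assumptions for this example.
      - name: Install dependencies
        run: poetry install --no-root
      - name: Lint workflows with zizmor
        run: poetry run zizmor .github/workflows/
```

The two fixes address different risks: `persist-credentials: false` limits what a compromised later step can steal, while the `env:` indirection removes the injection point entirely, so a workflow that reads untrusted event data (PR titles, branch names, issue bodies) wants both even when the token's permissions are already read-only.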
