From 8495cc969a355237fab8c96f48608a541a50d738 Mon Sep 17 00:00:00 2001
From: Daniel Fremont
Date: Tue, 21 Jan 2025 17:06:32 -0800
Subject: [PATCH 1/2] Use zizmor to scan for GHA security problems (#320)
* apply GHA security improvements suggested by zizmor
* run zizmor in CI
* Update GH_REF reference in check_simulator_version_updates job
---------
Co-authored-by: Lola Marrero <110120745+lola831@users.noreply.github.com>
---
.github/workflows/check-formatting.yml | 2 ++
.github/workflows/on-call-reminder.yml | 2 ++
.github/workflows/run-coverage.yml | 2 ++
.github/workflows/run-simulators.yml | 5 ++--
.github/workflows/run-tests.yml | 7 ++++-
.github/workflows/zizmor.yml | 37 ++++++++++++++++++++++++++
6 files changed, 52 insertions(+), 3 deletions(-)
create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/workflows/check-formatting.yml b/.github/workflows/check-formatting.yml
index 251ec326f..98d3a21b1 100644
--- a/.github/workflows/check-formatting.yml
+++ b/.github/workflows/check-formatting.yml
@@ -11,6 +11,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v3
+ with:
+ persist-credentials: false
- name: Run black to check formatting
uses: psf/black@stable
diff --git a/.github/workflows/on-call-reminder.yml b/.github/workflows/on-call-reminder.yml
index 4a7e75882..54a7a6e3e 100644
--- a/.github/workflows/on-call-reminder.yml
+++ b/.github/workflows/on-call-reminder.yml
@@ -12,6 +12,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v3
+ with:
+ persist-credentials: false
- name: Set up Python
uses: actions/setup-python@v4
diff --git a/.github/workflows/run-coverage.yml b/.github/workflows/run-coverage.yml
index 34344184c..aa41f4e46 100644
--- a/.github/workflows/run-coverage.yml
+++ b/.github/workflows/run-coverage.yml
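Review bot: `uses: actions/checkout@v3` in the checkout step stays on a mutable tag while the hunk only adds `persist-credentials: false`; whoever can move the tag decides what runs in this job. Pinning to the full commit SHA with the tag kept as a trailing comment, `uses: actions/checkout@<FULL_COMMIT_SHA> # v3`, makes the version reviewable and reproducible, and zizmor's `unpinned-uses` audit can be configured to require hash pins so the scan added later in this series keeps it that way. The same applies to the other tag-pinned `uses:` lines in the series: the checkout steps in the on-call-reminder.yml, run-coverage.yml and run-tests.yml hunks (on-call-reminder.yml is deleted again by the second patch), `actions/setup-python@v4`, and `actions/checkout@v4`, `astral-sh/setup-uv@v4` and `github/codeql-action/upload-sarif@v3` in the new zizmor.yml. The enclosing job begins before the hunk.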
@@ -33,12 +33,14 @@ jobs:
if: inputs.ref != ''
with:
ref: ${{ inputs.ref }}
+ persist-credentials: false
- name: Checkout current branch
uses: actions/checkout@v3
if: inputs.ref == ''
with:
ref: ${{ github.ref }}
+ persist-credentials: false
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v4
diff --git a/.github/workflows/run-simulators.yml b/.github/workflows/run-simulators.yml
index 3b04f79df..89e0819fd 100644
--- a/.github/workflows/run-simulators.yml
+++ b/.github/workflows/run-simulators.yml
@@ -88,12 +88,13 @@ jobs:
HOSTNAME: ${{ secrets.SSH_HOST }}
USER_NAME: ${{ secrets.SSH_USERNAME }}
GH_ACCESS_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}
+ GH_REF: ${{ github.ref }}
run: |
echo "$PRIVATE_KEY" > private_key && chmod 600 private_key
- ssh -o StrictHostKeyChecking=no -i private_key ${USER_NAME}@${HOSTNAME} '
+ ssh -o StrictHostKeyChecking=no -o SendEnv=GH_REF -i private_key ${USER_NAME}@${HOSTNAME} '
cd /home/ubuntu/actions/ && rm -rf Scenic &&
- git clone --branch $(basename "${{ github.ref }}") --single-branch https://$GH_ACCESS_TOKEN@github.com/BerkeleyLearnVerify/Scenic.git &&
+ git clone --branch $(basename "$GH_REF") --single-branch https://$GH_ACCESS_TOKEN@github.com/BerkeleyLearnVerify/Scenic.git &&
cd Scenic &&
python3 -m venv venv &&
source venv/bin/activate &&
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
index f24b21dd8..025145608 100644
--- a/.github/workflows/run-tests.yml
+++ b/.github/workflows/run-tests.yml
@@ -47,12 +47,14 @@ jobs:
if: inputs.ref != ''
with:
ref: ${{ inputs.ref }}
+ persist-credentials: false
- name: Checkout current branch
uses: actions/checkout@v3
if: inputs.ref == ''
with:
ref: ${{ github.ref }}
+ persist-credentials: false
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v4
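Review bot: `-o SendEnv=GH_REF` on the new ssh line only delivers the variable if the remote sshd lists `GH_REF` in `AcceptEnv`; otherwise `$GH_REF` is empty on the host and the new `git clone --branch $(basename "$GH_REF")` fails on an empty branch name with no hint why. A guard at the start of the remote command, `: "${GH_REF:?GH_REF not forwarded; check sshd AcceptEnv}" &&`, turns that into an explicit error (the host may already be configured for this — confirm). The clone URL on the same new line still embeds `$GH_ACCESS_TOKEN`, so the token is visible in the remote process list for the duration of the clone; a git credential helper or `GIT_ASKPASS` on the host would keep it out of argv. The step's `run` block continues past the end of the hunk.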
@@ -69,5 +71,8 @@ jobs:
python -m pip install -e ".[test-full]"
- name: Run pytest
+ env:
+ TEST_OPTIONS: ${{ inputs.options || (matrix.slow && '--no-graphics' || '--fast --no-graphics') }}
+ shell: sh
run: |
- pytest ${{ inputs.options || (matrix.slow && '--no-graphics' || '--fast --no-graphics') }}
+ pytest ${TEST_OPTIONS}
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 000000000..ecc69380d
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,37 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+# https://woodruffw.github.io/zizmor
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+jobs:
+ zizmor:
+ name: zizmor latest via PyPI
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ # required for workflows in private repositories
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - name: Install the latest version of uv
+ uses: astral-sh/setup-uv@v4
+ - name: Run zizmor 🌈
+ run: uvx zizmor --format sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
+ category: zizmor
From 394f205fa93efd761051a5c825040ee4a0910ca0 Mon Sep 17 00:00:00 2001
From: Lola Marrero <110120745+lola831@users.noreply.github.com>
Date: Wed, 12 Feb 2025 20:11:10 -0800
Subject: [PATCH 2/2] Remove OpsGenie and maintenance bot on-call reminder script and workflow (replacing with Slack Round Robin) (#327)
---
.github/slack_oncall_reminder.py | 70 --------------------------
.github/workflows/on-call-reminder.yml | 32 ------------
2 files changed, 102 deletions(-)
delete mode 100644 .github/slack_oncall_reminder.py
delete mode 100644 .github/workflows/on-call-reminder.yml
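Review bot: the move of the `${{ inputs.options || ... }}` expression out of the `run:` script into `env: TEST_OPTIONS` and the new `shell: sh` are both load-bearing but carry no explanation, so a later edit can easily inline the expression into the script again. A comment above `env:` such as `# Options come in via env, not ${{ }} inside the script, so a workflow input can never be interpreted as shell (zizmor template-injection); sh so ${TEST_OPTIONS} expands on every runner` records the intent; the runner-shell reason is inferred from the matrix and worth confirming before it is written down. `${TEST_OPTIONS}` is deliberately unquoted so that `--fast --no-graphics` splits into two arguments, which is also worth one inline comment since quoting it would look like the safer choice. The enclosing job starts before the hunk.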
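Review bot: `run: uvx zizmor --format sarif . > results.sarif` resolves the newest zizmor on PyPI at run time inside a job holding `security-events: write`; the job name shows this is intended, but it means results drift between runs and any newly published release executes here the moment it appears. Pinning, `run: uvx 'zizmor==<PINNED_VERSION>' --format sarif . > results.sarif`, with a comment that the pin is bumped by hand (Dependabot does not see `uvx` invocations), keeps the scan reproducible. The upload step has no `if: always()`, so if this zizmor version exits non-zero when it has findings the SARIF is never uploaded in exactly the runs that matter — confirm against the version's exit-code behaviour (`--no-exit-codes` exists to suppress it) and add either the condition or the flag.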
diff --git a/.github/slack_oncall_reminder.py b/.github/slack_oncall_reminder.py
deleted file mode 100644
index f62707077..000000000
--- a/.github/slack_oncall_reminder.py
+++ /dev/null
@@ -1,70 +0,0 @@ -import argparse - -import requests -from slack_sdk import WebClient -from slack_sdk.errors import SlackApiError - - -def save_users(users_array): - users = {} - for user in users_array: - # NOTE: some apps, slackbots do not have emails to map to - profile = user["profile"] - if "email" in profile.keys(): - user_email = profile["email"] - username = user_email.split("@")[0] - users[username] = user - return users - - -def grab_whos_on_call(OPS_GENIE_API_TOKEN, ROTATION_SCHEDULE_ID): - url = f"https://api.opsgenie.com/v2/schedules/{ROTATION_SCHEDULE_ID}/on-calls" - headers = {"Authorization": f"GenieKey {OPS_GENIE_API_TOKEN}"} - response = requests.get(url, headers=headers) - if response.status_code == 200: - data = response.json() - else: - print(f"Request failed with status code {response.status_code}") - print("Response content:") - print(response.content.decode("utf-8")) - return data["data"]["onCallParticipants"][0]["name"].split("@")[0] - - -def postSlackMessage(client, CHANNEL_ID, OPS_GENIE_API_TOKEN, ROTATION_SCHEDULE_ID): - try: - result = client.users_list() - users = save_users(result["members"]) - on_call = grab_whos_on_call(OPS_GENIE_API_TOKEN, ROTATION_SCHEDULE_ID) - slack_id = users[on_call]["id"] - - result = client.chat_postMessage( - channel=CHANNEL_ID, - text=f"""πŸ› οΈMaintenance On-Call: <@{slack_id}>, you will be on-call for the next week. 
Resources:\n - πŸ“– - πŸ” - πŸ“Š - πŸ“‹ - πŸ”§ - """, - ) - except SlackApiError as e: - print(f"SlackAPIError: {e}") - - -if __name__ == "__main__": - parser = argparse.ArgumentParser( - description="Script that notifies on-call rotation daily" - ) - parser.add_argument("--slack_api_token", required=True, type=str) - parser.add_argument("--ops_genie_api_token", required=True, type=str) - args = parser.parse_args() - - SLACK_API_TOKEN = args.slack_api_token - OPS_GENIE_API_TOKEN = args.ops_genie_api_token - # NOTE: Feel free to grab the relevant channel ID to post the message to but ensure the App is installed within the channel - CHANNEL_ID = "C06N9KJHN2J" - # NOTE: Rotation schedule is grabbed directly from within the OpsGenie site - ROTATION_SCHEDULE_ID = "904cd122-f269-418d-8c29-3e6751716bae" - - client = WebClient(token=SLACK_API_TOKEN) - postSlackMessage(client, CHANNEL_ID, OPS_GENIE_API_TOKEN, ROTATION_SCHEDULE_ID) diff --git a/.github/workflows/on-call-reminder.yml b/.github/workflows/on-call-reminder.yml deleted file mode 100644 index 54a7a6e3e..000000000 --- a/.github/workflows/on-call-reminder.yml +++ /dev/null @@ -1,32 +0,0 @@ -name: on_call_reminder - -on: - schedule: - - cron: '0 17 * * 3' # Runs every Wednesday at 9am PST (17:00 UTC) - workflow_dispatch: # Allows manual triggering of the workflow - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - name: Checkout code - uses: actions/checkout@v3 - with: - persist-credentials: false - - - name: Set up Python - uses: actions/setup-python@v4 - with: - python-version: '3.12' - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install requests slack_sdk argparse - - - name: Run Python script - env: - SLACK_API_TOKEN: ${{ secrets.SLACK_API_TOKEN }} - OPS_GENIE_API_TOKEN: ${{ secrets.OPS_GENIE_API_TOKEN }} - run: python .github/slack_oncall_reminder.py --slack_api_token $SLACK_API_TOKEN --ops_genie_api_token $OPS_GENIE_API_TOKEN