From 2f6a85b5c297a56c29da1a13a21433d9e012944c Mon Sep 17 00:00:00 2001
From: Hynek Schlawack
Date: Sun, 3 Nov 2024 14:18:24 +0100
Subject: [PATCH] Thank you Doctor Zizmor!
---
.github/workflows/ci.yml | 16 ++++++++---
.github/workflows/codeql-analysis.yml | 5 ++++
.github/workflows/pypi-package.yml | 27 ++++++++++++++-----
.github/workflows/zizmor.yml | 38 +++++++++++++++++++++++++++
4 files changed, 76 insertions(+), 10 deletions(-)
create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2977b94..6987fa8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,6 +23,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: hynek/build-and-inspect-python-package@v2 id: baipp
@@ -56,11 +57,14 @@ jobs: - uses: hynek/setup-cached-uv@v2 - name: Prepare & run Nox + env: + PYTHON: ${{ matrix.python-version }} + run: > uvx --with "tomli; python_version<'3.11'" nox - --python ${{ matrix.python-version }} + --python $PYTHON --sessions tests -- --installpkg dist/*.whl
@@ -80,6 +84,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version-file: .python-version-default
@@ -118,6 +124,8 @@ jobs: fail-fast: false matrix: python-version: ${{ fromJson(needs.build-package.outputs.python-versions) }} + env: + PYTHON: ${{ matrix.python-version }} steps: - name: Download pre-built packages
@@ -137,7 +145,7 @@ jobs: uvx --with "tomli; python_version<'3.11'" nox - --python ${{ matrix.python-version }} + --python $PYTHON --sessions mypy_api - name: Check using Pyright
@@ -145,7 +153,7 @@ jobs: uvx --with "tomli; python_version<'3.11'" nox - --python ${{ matrix.python-version }} + --python $PYTHON --sessions pyright_api mypy-pkg:
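Review bot: The new `--python $PYTHON` line in the Prepare & run Nox step (`@@ -56`) leaves the expansion unquoted inside the folded `run:` script, so the shell still word-splits and globs whatever the matrix supplies; moving the value into `env` stops expression injection into the script text, and `--python "$PYTHON"` closes the remaining gap. That matters a little more here because the matrix values are not a literal list but come from `fromJson(needs.build-package.outputs.python-versions)`, as the context of `@@ -118` shows. The same unquoted form appears in the `--sessions mypy_api` and `--sessions pyright_api` hunks (`@@ -137` and `@@ -145`), which read the job-level `PYTHON` added at `@@ -118`. The jobs these steps belong to start outside their hunks.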
@@ -197,6 +205,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 with: python-version-file: .python-version-default
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index f872eef..fd85057 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -25,11 +25,16 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/pypi-package.yml b/.github/workflows/pypi-package.yml
index 2f18cf7..e9c2152 100644
--- a/.github/workflows/pypi-package.yml
+++ b/.github/workflows/pypi-package.yml
@@ -1,5 +1,5 @@ --- -name: Build & maybe upload PyPI package +name: Build & upload PyPI package on: push:
@@ -10,32 +10,38 @@ on: - published workflow_dispatch: -permissions: - attestations: write - contents: read - id-token: write jobs: + # Always build & lint package. build-package: name: Build & verify package runs-on: ubuntu-latest + permissions: + attestations: write + id-token: write steps: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: hynek/build-and-inspect-python-package@v2 with: attest-build-provenance-github: 'true' + + # Upload to Test PyPI on every commit on main. release-test-pypi: name: Publish in-dev package to test.pypi.org environment: release-test-pypi - if: github.event_name == 'push' && github.ref == 'refs/heads/main' + if: github.repository_owner == 'hynek' && github.event_name == 'push' && github.ref == 'refs/heads/main' runs-on: ubuntu-latest needs: build-package + permissions: + id-token: write + steps: - name: Download packages built by build-and-inspect-python-package uses: actions/download-artifact@v4
@@ -46,16 +52,21 @@ jobs: - name: Upload package to Test PyPI uses: pypa/gh-action-pypi-publish@release/v1 with: + attestations: true repository-url: https://test.pypi.org/legacy/ + # Upload to real PyPI on GitHub Releases. release-pypi: name: Publish released package to pypi.org environment: release-pypi - if: github.event.action == 'published' + if: github.repository_owner == 'hynek' && github.event.action == 'published' runs-on: ubuntu-latest needs: build-package + permissions: + id-token: write + steps: - name: Download packages built by build-and-inspect-python-package uses: actions/download-artifact@v4
@@ -65,3 +76,5 @@ jobs: - name: Upload package to PyPI uses: pypa/gh-action-pypi-publish@release/v1 + with: + attestations: true
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..bef3152
--- /dev/null
+++ b/.github/workflows/zizmor.yml
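Review bot: Dropping the workflow-level `permissions` block in `@@ -10` means any job in this file that has no `permissions` of its own falls back to the repository's default `GITHUB_TOKEN` grant, which can be read/write depending on repository settings; the three jobs visible here each carry a job-level block now, but keeping a workflow-level `permissions: contents: read` preserves that floor for any job added later. A job-level block also sets every unlisted scope to `none`, so `build-package` now runs `actions/checkout@v4` with no `contents` permission at all — that presumably relies on the repository being public, and `contents: read` next to `attestations: write` in that job's block would make the dependency explicit and survive a visibility change. The matching `permissions` change for `release-pypi` is in the next hunk (`@@ -46`). The `jobs:` mapping continues past the hunk.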
@@ -0,0 +1,38 @@
+# https://github.com/woodruffw/zizmor
+name: GitHub Actions Security Analysis with Zizmor
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["*"]
+
+permissions:
+ contents: read
+
+
+jobs:
+ zizmor:
+ name: Zizmor latest via Cargo
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - name: Setup Rust
+ uses: actions-rust-lang/setup-rust-toolchain@v1
+ - name: Get zizmor
+ run: cargo install zizmor
+ - name: Run zizmor
+ run: zizmor --format sarif . > results.sarif
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: results.sarif
+ # Optional category for the results
+ # Used to differentiate multiple results for one commit
+ category: zizmor
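Review bot: The job-level `permissions:` block under `zizmor:` (`security-events: write`) replaces the workflow-level block rather than extending it, so the `contents: read` declared at the top never applies to this job; either drop the top-level block or add `contents: read` beside `security-events: write` so the checkout and SARIF upload keep working if the repository is ever private. `run: cargo install zizmor` builds whatever version crates.io serves at run time, so findings can change from one run to the next with no change in the repository; pinning it, e.g. `run: cargo install --locked zizmor@<version>`, keeps the scan reproducible and turns upgrades into a reviewable diff. If the installed zizmor exits non-zero when it reports findings (the page does not show which exit-code behaviour this version has), the `Upload SARIF file` step is skipped exactly when there is something to upload; `if: always()` on that step, or `continue-on-error: true` on the `Run zizmor` step, would avoid that.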