Skip to content

[ci] enforce 'zizmor' checks for GitHub Actions configurations#2760

Open
jameslamb wants to merge 3 commits into
mozilla:mainfrom
jameslamb:add-zizmor
Open

[ci] enforce 'zizmor' checks for GitHub Actions configurations#2760
jameslamb wants to merge 3 commits into
mozilla:mainfrom
jameslamb:add-zizmor

Conversation

@jameslamb

Copy link
Copy Markdown

👋🏻 hi, sccache user for a few years, first-time contributor.

This PR proposes introducing zizmor, a static analyzer that enforces stricter security rules for GitHub Actions (https://github.com/zizmorcore/zizmor). I don't have any affiliation with that project, just genuinely think its suggestions are very useful.

Changes

Notes for Reviewers

How I tested this

Ran pre-commit and actionlint locally

pre-commit run --all-files
actionlint .github/workflows/*

The only other way I know to test changes like this is to actually run CI.

Related work

This would help with @sylvestre 's draft PR here: #2636

And would avoid findings like #2729 (comment) that GitHub Advanced Security is adding to PRs here.

Handling this PR

I know this is a sensitive and large-ish changeset and I'm a random person from the internet. I'm happy to break this into smaller PRs if you like, or for maintainers to close this and make these changes themselves.

Thanks for your time and consideration.

-zcf target/failure-${{ inputs.name }}.tar.gz .
- uses: actions/upload-artifact@v4
-zcf target/failure-${INPUTS_NAME}.tar.gz .
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

dependabot knows how to read these commit SHAs and will update the comments with versions too.

Example: https://github.com/lightgbm-org/LightGBM/pull/7329/changes

Comment thread .github/dependabot.yml
interval: weekly
open-pull-requests-limit: 8
cooldown:
default-days: 7

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I chose this value arbitrarily.

And value > 0 will be sufficient to slow the spread of problematic packages in the event of a supply chain attack.

Comment thread .github/zizmor.yml
rules:
unpinned-images:
ignore:
- ci.yml

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suppresses this finding:

error[unpinned-images]: unpinned image references
   --> .github/workflows/ci.yml:264:5
    |
264 |     container: ${{ fromJson(matrix.container || '{"image":null}') }}
    |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ container image may be unpinned
    |
    = note: audit confidence → Lo

Looking at the configuration around that line, it's pretty clear that you're fine with unpinned images.

container: ${{ fromJson(matrix.container || '{"image":null}') }}

I think this one is a false positive and not relevant for this project.

Comment thread .github/workflows/ci.yml
needs: [ build, lint, test ]
if: ${{ startsWith(github.ref, 'refs/tags/') }}
permissions:
contents: write

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This release job needs elevated permissions for this:

hub release create -d -m $tag_name $tag_name $files
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

This is one thing I've really liked about zizmor in other projects... it encourages you to make such things explicit and scope them down narrowly.

All other jobs in this workflow should be able to work with just contents: read, this one needs contents: write.

Comment thread .github/workflows/ci.yml
steps:
- if: ${{ contains(matrix.os, 'windows') }}
uses: ilammy/msvc-dev-cmd@v1
uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ci.yml didn't run because of this change.

The action ilammy/msvc-dev-cmd@0b201ec is not allowed in mozilla/sccache because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the patterns: ...

https://github.com/mozilla/sccache/actions/runs/28532952024

It doesn't show in that output, but I suspect you have a rule like ilammy/msvc-dev-cmd@v1 or similar in the repo (organization-wide) allowlist for third-party actions.

If you like the direction of this PR, then the choices for that list are:

  • use permissive ranges (ilammy/msvc-dev-cmd@*)
  • use commit SHAs (ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756) and update it manually whenever you want to bump versions of actions

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant