CI: add zizmor security scanning for GitHub Actions workflows #31457
Aniketsy wants to merge 11 commits into
Conversation
| permissions: | ||
| contents: read | ||
| pull-requests: write |
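Review bot: if this `permissions:` block is workflow-level, `pull-requests: write` is granted to every job in the file, including ones that only check out and build; the tighter shape is `permissions: {}` at the top and `pull-requests: write` on the one job that labels or comments, so the GITHUB_TOKEN stays read-only everywhere else.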
Similar to how you added the top-level permissions: {} in .github/workflows/zizmor.yml, that would be useful in this file (and in all other files as well).
Eh, why? This isn't needed in any other files
I suggested it for consistency with all files and hygiene reasons – just felt odd that one file has permissions: {} at the top level and others don't. Also, permissions: {} is stricter than contents: read, and it's helpful to have for those jobs that don't need to check out user code, such as the labeler, Mypy primer, etc.
It shouldn't be consistent though, mypy_primer_comment and labeler are special. There's no need to add a lot more churn to change nothing in actual permissions in other yaml files.
Co-authored-by: Agriya Khetarpal <74401230+agriyakhetarpal@users.noreply.github.com>
@agriyakhetarpal thanks for the review ❤️
| permissions: | ||
| security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files. | ||
| contents: read # Only needed for private repos. Needed to clone the repo. | ||
| actions: read # Only needed for private repos. Needed for upload-sarif to read workflow run info. |
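Review bot: the inline comments on `contents: read` and `actions: read` say both are only needed for private repositories, so in this public repository they are dead grants; either drop them, leaving `security-events: write` as the single scope the SARIF upload needs, or reword the comments to say why they are kept, otherwise the next reader cannot tell whether they are intentional.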
These two lines can be removed it looks like, given that this is not a private repo.
| uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 | ||
| with: | ||
| inputs: .github/ | ||
| persona: pedantic |
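Review bot: the `# v0.5.3` comment next to the commit SHA is what Dependabot rewrites together with the pin, so any manual SHA bump must update the comment too or the pin and its label drift apart; separately, `persona: pedantic` reports findings that zizmor's default persona deliberately hides, which is useful for a one-off audit but noisy as a CI gate.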
Please make this regular (or, equivalently, remove the line completely). pedantic isn't all that useful, and sometimes annoying - "pedantic" has a negative connotation for a reason.
| @@ -0,0 +1,5 @@ | |||
| rules: | |||
| dangerous-triggers: | |||
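Review bot: the hunk header says five lines were added but only `rules:` and `dangerous-triggers:` are visible here, so the ignore entries themselves cannot be reviewed from this view; whichever workflow files and line numbers they name, a config-file suppression silently stops matching when those lines move, which is why the justification belongs on a `# zizmor: ignore[dangerous-triggers]` comment in the workflow itself.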
I suggest to remove this, in favor of a # zizmor: ignore[dangerous-triggers] comment in these two workflow files themselves, with a short justification ("safe: no PR-head checkout, no code execution, only pull-requests: write").
These workflows are currently safe, but there's not a single indication that there's a potential issue there, and future changes to those files can always happen, so a local warning is good.
Plus, it avoids having to update this separate config file in case the line number changes.
| push: | ||
| branches: [main] | ||
| pull_request: | ||
| branches: ["**"] |
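Review bot: `branches: ["**"]` under `pull_request` matches every base branch, so it is the same as having no filter at all; if the intent is to run on every PR, drop the filter, and if it is to mirror the `push` filter, list the same branches there instead.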
The usual pattern is:

    branches:
      - main
      - maintenance/**

| permissions: | ||
| pull-requests: write # to add labels | ||
| contents: read # to read .github/pr-prefix-labeler.yml | ||
| issues: write # to add labels |
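Review bot: `issues: write` on the last line should go; adding labels to a pull request only needs `pull-requests: write`, and the `# to add labels` comment is a duplicate of the one two lines up, which suggests it was copied rather than derived from what the action does. Keep the token at the two scopes the comments actually justify.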
This isn't what this action does, it only labels PRs. So I don't think this can be right - please remove this last line.
| steps: | ||
| - name: Extract warnings | ||
| shell: bash | ||
| env: |
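Review bot: keep the `env:` indirection even though nothing here is exploitable today, and say why in a one-line comment so the pattern survives future edits: a value passed through `env:` reaches the script as an ordinary shell variable, whereas a `${{ }}` expression written inside `run:` is substituted into the script text before bash parses it, so any context that can carry attacker-chosen text (PR titles, branch names, issue bodies) becomes code.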
I don't mind these changes, but for clarity: there was no issue here.
Please let me know if we should revert these changes.
@rgommers thanks for the review 😊 and for sharing pointers; I'll look into the CI failures shortly.
Still need to make Zizmor pass: Approved, since everything seems to be in place, other than those fixes.
I've fixed the errors we were getting; do we need to worry about the warnings?
The warnings look legitimate, so I'd say so.
@jorenham I'm not able to see the CI failure log, do you have any idea about this?
Yes, Zizmor is passing now: https://github.com/numpy/numpy/actions/runs/26234123656/job/77202376754?pr=31457. Thanks! Assuming that the macOS x86-64 conda py3.12 job is what you meant, apparently it just froze while running the test suite; probably a case of GitHub acting up...
| - name: Setup MSVC (32-bit) | ||
| if: ${{ matrix.buildplat[1] == 'win32' }} | ||
| uses: bus1/cabuild/action/msdevshell@e22aba57d6e74891d059d66501b6b5aed8123c4d # v1 | ||
| uses: bus1/cabuild/action/msdevshell@06ea2833eef61e9b0d0ce0d728416e617e4fb1fe # v1 |
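Review bot: the `# v1` comment on both the old and the new line is a floating major tag, so it does not say which release either SHA corresponds to, and the diff between the two SHAs cannot be reviewed as a release range; record the exact tag the new SHA resolves to in the comment, and only bump once the changes in that range have actually been read.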
Did you manually review all code changes between these SHAs? If not, you shouldn't bump the pin, that defeats part of the purpose of pinning.
Did you manually review all code changes between these SHAs?
No, should I look into this, or revert the changes? I updated it as we were getting a warning about a mismatched SHA commit.
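As an added example that is neither this PR's code nor zizmor's own, the checks argued over in this thread (a top-level `permissions:` block, dangerous triggers, `uses:` pinned to a commit SHA with a version comment, and passing expressions through `env:` instead of interpolating them into `run:`) are run as a small regex-based audit over two constructed workflows. The audit names are borrowed from zizmor, the matching logic is a deliberate simplification of it, and the only real value reused is the zizmor-action SHA and version from this PR.

```python
import re
# Constructed sample workflows (not numpy's): the first carries the issues this review thread discusses, the second the fix for each.
UNSAFE_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  warn:
    steps:
      - uses: zizmorcore/zizmor-action@v0.5.3
      - run: |
          echo "${{ github.event.pull_request.title }}"
"""
SAFE_WORKFLOW = """\
on:
  pull_request:
permissions: {}
jobs:
  warn:
    permissions:
      contents: read
    steps:
      - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "$PR_TITLE"
"""
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^@\s]+)@(\S+)")
RUN_KEY = re.compile(r"^\s*(?:-\s*)?run:")
DANGEROUS = re.compile(r"^\s+(pull_request_target|issue_comment|workflow_run):")

def audit(workflow: str) -> list[str]:
    # Returns one 'line: rule: detail' string per finding; rule names follow zizmor's audits.
    findings, in_run, run_indent, top_perms = [], False, 0, False
    for n, line in enumerate(workflow.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if in_run and line.strip() and indent <= run_indent:
            in_run = False  # a dedent ends the run: block
        top_perms = top_perms or line.startswith("permissions:")
        if m := DANGEROUS.match(line):
            findings.append(f"{n}: dangerous-triggers: {m.group(1)} gives fork PRs a write token")
        if m := USES.match(line):
            if not re.fullmatch(r"[0-9a-f]{40}", m.group(2)):
                findings.append(f"{n}: unpinned-uses: {m.group(1)}@{m.group(2)} is a mutable ref, pin a commit SHA")
            elif "#" not in line:
                findings.append(f"{n}: unpinned-uses: {m.group(1)} SHA pin lacks a version comment")
        if RUN_KEY.match(line):
            in_run, run_indent = True, indent
        if in_run and "${{" in line:
            findings.append(f"{n}: template-injection: expression in run:, pass it via env: instead")
    if not top_perms:
        findings.append("0: excessive-permissions: no top-level permissions: block")
    return findings
```

Running `audit(UNSAFE_WORKFLOW)` yields four findings (trigger, unpinned action, interpolated expression, missing top-level permissions) and `audit(SAFE_WORKFLOW)` yields none.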
| # There are few options for i686 images at https://quay.io/organization/pypa, | ||
| # use the glibc2.28 one | ||
| image: quay.io/pypa/manylinux_2_28_i686 | ||
| image: quay.io/pypa/manylinux_2_28_i686@sha256:817099eabdaf534fd802079ed185b62b97f1fc5e7027db9a14fd7540931819b9 |
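Review bot: the digest freezes the image, including its toolchain and base-OS fixes, but the line records nothing about which build of `manylinux_2_28_i686` it was resolved from, so put the source tag or build date in the comment above it; and before relying on Dependabot, confirm that its `docker` ecosystem actually scans image references inside workflow YAML for this repository, because if it does not, this pin will never be bumped.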
Pinning Docker images is something we haven't done before. It's a tradeoff; there are benefits too, but unless Dependabot bumps these similarly to other pins, it'll probably go out of date. Did you check if those bumps will happen?
but unless Dependabot bumps these similarly to other pins, it'll probably go out of date.
Yes, I agree.
Did you check if those bumps will happen?
I'll look into this.
@Aniketsy just a gentle ping, would be nice to resolve this and get this in!
@seberg Yes, sorry for the delay 😿. I'll update today; I need to verify and review the code between the SHAs as per the review point.
I have resolved the conflict in this file; any thoughts on this?
PR summary
zizmor in the GitHub Actions workflow; the initial discussion was with @jorenham 😊 and then we had a discussion in the numpy community meeting with other members.

First time committer introduction
No, I've contributed before in numpy.

AI Disclosure
zizmor locally, and the rest I've followed from my numtype PR to add zizmor.