Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Audit GHA workflows with zizmor #7624

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Audit GHA workflows with zizmor #7624

wants to merge 5 commits into from

Conversation

maresb
Copy link
Contributor

@maresb maresb commented Dec 22, 2024

Description

This should reduce the chance that we do something dangerous with GHA that might lead to a compromise of the repo.

Mirrors pymc-devs/pytensor#1136

Checklist

Type of change

  • New feature / enhancement
  • Bug fix
  • Documentation
  • Maintenance
  • Other (please specify):

📚 Documentation preview 📚: https://pymc--7624.org.readthedocs.build/en/7624/

@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@maresb
Copy link
Contributor Author

maresb commented Dec 22, 2024

CC also @wd60622 regarding 93681ed

@maresb maresb mentioned this pull request Dec 22, 2024
9 tasks
Copy link

codecov bot commented Dec 22, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.83%. Comparing base (5d51953) to head (1120951).
Report is 2 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #7624      +/-   ##
==========================================
- Coverage   92.83%   92.83%   -0.01%     
==========================================
  Files         106      106              
  Lines       17748    17748              
==========================================
- Hits        16477    16476       -1     
- Misses       1271     1272       +1     

see 1 file with indirect coverage changes

Copy link
Contributor

@lucianopaz lucianopaz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see that the workflow was copied from the zizmor docs so that one is fine. Were the other changes things that zizmor suggested to do to remove security vulnerabilities? Anyway, this looks ok to me, even though I know nothing of security vulnerabilities in GHA.

@maresb
Copy link
Contributor Author

maresb commented Dec 23, 2024

I see that the workflow was copied from the zizmor docs so that one is fine. Were the other changes things that zizmor suggested to do to remove security vulnerabilities? Anyway, this looks ok to me, even though I know nothing of security vulnerabilities in GHA.

Excellent question! Thanks for checking this so thoroughly. For the discrepancies, I'm following hynek, the author of structlog. Here's his workflow. I just tried to pick the best from both. For anyone from the future looking back on this, the differences are not substantial, so there should be no barrier to using the pure zizmor workflow.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants