-
-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Audit GHA workflows with zizmor #7624
base: main
Are you sure you want to change the base?
Conversation
This is an insecure default on GitHub that increases the chances of credential leakage. <https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/>
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #7624 +/- ##
==========================================
- Coverage 92.83% 92.83% -0.01%
==========================================
Files 106 106
Lines 17748 17748
==========================================
- Hits 16477 16476 -1
- Misses 1271 1272 +1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see that the workflow was copied from the zizmor docs so that one is fine. Were the other changes things that zizmor suggested to do to remove security vulnerabilities? Anyway, this looks ok to me, even though I know nothing of security vulnerabilities in GHA.
Excellent question! Thanks for checking this so thoroughly. For the discrepancies, I'm following hynek, the author of structlog. Here's his workflow. I just tried to pick the best from both. For anyone from the future looking back on this, the differences are not substantial, so there should be no barrier to using the pure zizmor workflow. |
Description
This should reduce the chance that we do something dangerous with GHA that might lead to a compromise of the repo.
Mirrors pymc-devs/pytensor#1136
Checklist
Type of change
📚 Documentation preview 📚: https://pymc--7624.org.readthedocs.build/en/7624/