From b728aa23231f354c1f7fa267fb9affc240436f6c Mon Sep 17 00:00:00 2001 From: Samuel Giddins Date: Thu, 19 Dec 2024 10:01:51 -0800 Subject: [PATCH] Stop persisting credentials in github actions checkouts Fixes findings from [zizmor](https://github.com/woodruffw/zizmor) Signed-off-by: Samuel Giddins --- .github/workflows/codeql.yml | 2 ++ .github/workflows/docker.yml | 5 ++++- .github/workflows/lint.yml | 12 +++++++++++- .github/workflows/scorecards.yml | 2 +- .github/workflows/test.yml | 2 ++ 5 files changed, 20 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5fefb153bc2..9f46f516a60 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -42,6 +42,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 92c1333e8f0..fd203f735a0 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -7,7 +7,6 @@ on: - oidc-api-tokens permissions: contents: read - id-token: write jobs: build: @@ -16,8 +15,12 @@ jobs: env: RUBYGEMS_VERSION: "3.6.1" RUBY_VERSION: "3.3.6" + permissions: + id-token: write steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up Docker Buildx id: buildx uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # master diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 914ebd02cdf..ae98b7cf767 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -13,6 +13,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: ruby/setup-ruby@401c19e14f474b54450cd3905bb8b86e2c8509cf # v1.204.0 with: bundler-cache: true @@ -23,6 +25,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: ruby/setup-ruby@401c19e14f474b54450cd3905bb8b86e2c8509cf # v1.204.0 with: bundler-cache: true @@ -33,6 +37,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: ruby/setup-ruby@401c19e14f474b54450cd3905bb8b86e2c8509cf # v1.204.0 with: bundler-cache: true @@ -51,6 +57,8 @@ jobs: - name: login to Github Packages run: echo "${{ github.token }}" | docker login https://ghcr.io -u ${GITHUB_ACTOR} --password-stdin - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: ruby/setup-ruby@401c19e14f474b54450cd3905bb8b86e2c8509cf # v1.204.0 with: bundler-cache: true @@ -74,7 +82,9 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: segiddins/frizbee-action@c162fdaa6c73525a577d2d6eb193683dfc9ba2be # segiddins/run-in-place + with: + persist-credentials: false + - uses: stacklok/frizbee-action@71e8bd2bfd0063f7175e66837157087c713cd785 # main env: GITHUB_TOKEN: ${{ github.token }} with: diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 658375bd7aa..72ecab9fd38 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -10,7 +10,7 @@ on: # To guarantee Maintained check is occasionally updated. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - - cron: '22 4 * * 2' + - cron: "22 4 * * 2" # push: # branches: [ "master" ] diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index f0a7a2e4705..7bdae5d988f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -50,6 +50,8 @@ jobs: BUNDLE_PACKAGER__DEV: ${{ secrets.BUNDLE_PACKAGER__DEV }} steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Setup rubygems.org uses: ./.github/actions/setup-rubygems.org