Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve security of our GitHub Actions #18413

Open
wants to merge 16 commits into
base: master
Choose a base branch
from
Open

Improve security of our GitHub Actions #18413

wants to merge 16 commits into from
+43 −17

Conversation

sobolevn
Copy link
Member

@sobolevn sobolevn commented Jan 2, 2025

Recently CPython introduced this new tool: https://github.com/python/cpython/blob/8eebe4e6d02bb4ad3f1ca6c52624186903dce893/.pre-commit-config.yaml#L64-L67

Which finds different security related problems with GitHub Actions.

I added this tool to our .pre-commit-config.yaml and followed all its recommendations.

Changes:

@sobolevn
Copy link
Member Author

sobolevn commented Jan 2, 2025

CC @hugovk

A5rocks
A5rocks suggested changes Jan 3, 2025
View reviewed changes
.github/workflows/sync_typeshed.yml Outdated Show resolved Hide resolved
@sobolevn sobolevn requested a review from AlexWaygood January 3, 2025 08:36
@github-actions GitHub Actions

This comment has been minimized.

Sign in to view
1 similar comment
@github-actions GitHub Actions

This comment has been minimized.

Sign in to view
AlexWaygood
AlexWaygood reviewed Jan 3, 2025
View reviewed changes
Copy link
Member

@AlexWaygood AlexWaygood left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, this overall looks great! I'm not familiar with the workflow_call/workflow_run distinction, though, so I haven't looked closely at that. (It looks reasonable, though.)

Another change you might want to make is to list shellcheck as an additional_dependency of actionlint -- I made this change to Ruff's pre-commit config: https://github.com/astral-sh/ruff/blob/0837cdd9314cb9ee1df087142af975d492e3e7ba/.pre-commit-config.yaml#L103-L121. actionlint's shellcheck integration is very useful (it grabs the shell-script strings in GitHub Actions run: steps and passes them to shellcheck), but it's not enabled by default when actionlint is run as part of pre-commit, as actionlint's shellcheck integration only works if shellcheck is already installed.

.github/workflows/build_wheels.yml Show resolved Hide resolved
.github/workflows/mypy_primer.yml Outdated Show resolved Hide resolved
.github/workflows/sync_typeshed.yml Outdated Show resolved Hide resolved
@github-actions GitHub Actions

This comment has been minimized.

Sign in to view
1 similar comment
@github-actions GitHub Actions

This comment has been minimized.

Sign in to view
@github-actions GitHub Actions

This comment has been minimized.

Sign in to view
1 similar comment
@github-actions GitHub Actions

This comment has been minimized.

Sign in to view
@sobolevn sobolevn mentioned this pull request Jan 4, 2025
Closed
@github-actions GitHub Actions

This comment has been minimized.

Sign in to view
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 8, 2025

According to mypy_primer, this change doesn't affect type check results on a corpus of open source code. ✅

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AlexWaygood AlexWaygood AlexWaygood left review comments

@cdce8p cdce8p cdce8p left review comments

@webknjaz webknjaz webknjaz left review comments

@A5rocks A5rocks A5rocks requested changes

@hauntsaninja hauntsaninja Awaiting requested review from hauntsaninja

@JelleZijlstra JelleZijlstra Awaiting requested review from JelleZijlstra

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@sobolevn @webknjaz @cdce8p @A5rocks @AlexWaygood