Commit a511114
CI: use best security practices suggested by
See https://github.com/zizmorcore/zizmor
* https://docs.zizmor.sh/audits/#artipacked
* https://docs.zizmor.sh/audits/#excessive-permissions
```console
$ GH_TOKEN=$gh_auth_token zizmor -p kaitai-io/ksy_schema
INFO collect_inputs: zizmor: collected 1 inputs from kaitai-io/ksy_schema
INFO zizmor::registry: skipping forbidden-uses: audit not configured
INFO audit: zizmor: 🌈 completed .github/workflows/check.yml
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/check.yml:15:9
|
15 | - name: Check out ksy_schema
| _________-
16 | | uses: actions/checkout@v4
17 | | with:
18 | | path: ksy_schema
| |__________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
= note: this finding has an auto-fix
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/check.yml:24:9
|
24 | - name: Check out compiler
| _________-
25 | | uses: actions/checkout@v4
26 | | with:
27 | | repository: kaitai-io/kaitai_struct_compiler
28 | | path: compiler
| |________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
= note: this finding has an auto-fix
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/check.yml:1:1
|
1 | / name: Check
2 | |
... |
47 | | run: |
48 | | git diff --color=always --no-index --exit-code -- ksy_schema/encodings.json compiler/encodings.json
| |______________________________________________________________________________________________________________- default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/check.yml:10:3
|
10 | / check-encodings:
11 | | name: Check that the encoding list is up-to-date with KSC
... |
47 | | run: |
48 | | git diff --color=always --no-index --exit-code -- ksy_schema/encodings.json compiler/encodings.json
| | -
| |______________________________________________________________________________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
(...)
5 findings: 0 unknown, 0 informational, 0 low, 4 medium, 1 high
```
Note: there is still one unresolved issue left - https://docs.zizmor.sh/audits/#unpinned-uses
```console
$ GH_TOKEN=$gh_auth_token zizmor -p .github/workflows/check.yml
INFO zizmor::registry: skipping forbidden-uses: audit not configured
INFO audit: zizmor: 🌈 completed .github/workflows/check.yml
error[unpinned-uses]: unpinned action reference
--> .github/workflows/check.yml:40:9
|
40 | - uses: sbt/setup-sbt@v1
| ^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
|
= note: audit confidence → High
1 finding: 0 unknown, 0 informational, 0 low, 0 medium, 1 high
```
But I've decided to ignore it for now, because once we apply this, we
should have some kind of infrastructure to ensure that we don't quickly
fall out of date. Besides, this is common practice. The only problem
with it is that you have to trust that the repository with the action
won't be compromised.
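The three audit findings above, resolved in one trimmed workflow. This is an added illustration of the settings each zizmor audit looks for, not the commit's own diff or the repository's actual check.yml; the job layout and step names follow the snippets in the audit output, while the trigger, runner label and the commit-SHA placeholder are assumptions.

```yaml
# Added example, not the commit's diff: a trimmed check.yml showing the setting
# that clears each zizmor finding. Trigger, runner and the SHA are assumed.
name: Check

on: [push, pull_request]   # assumed trigger

# excessive-permissions: declare the token scope explicitly instead of
# inheriting the repository default. Nothing in this job writes anything,
# so read access to the checked-out contents is all GITHUB_TOKEN needs.
permissions:
  contents: read

jobs:
  check-encodings:
    name: Check that the encoding list is up-to-date with KSC
    runs-on: ubuntu-latest  # assumed runner
    steps:
      - name: Check out ksy_schema
        uses: actions/checkout@v4
        with:
          path: ksy_schema
          # artipacked: keep GITHUB_TOKEN out of .git/config so a later
          # upload-artifact step cannot package the credential with the tree
          persist-credentials: false

      - name: Check out compiler
        uses: actions/checkout@v4
        with:
          repository: kaitai-io/kaitai_struct_compiler
          path: compiler
          persist-credentials: false

      # unpinned-uses: the only reference the audit above flagged. Pinning to
      # a full commit SHA makes the step immutable even if the tag is moved;
      # the trailing comment keeps the tag visible for update tooling.
      # <FULL_COMMIT_SHA_PLACEHOLDER> is a placeholder, not a real commit.
      - uses: sbt/setup-sbt@<FULL_COMMIT_SHA_PLACEHOLDER> # v1

      - name: Compare encoding lists
        run: |
          git diff --color=always --no-index --exit-code -- ksy_schema/encodings.json compiler/encodings.json
```

Re-running `zizmor` against this file is the check that the three warnings and the remaining `unpinned-uses` error are gone.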
1 parent 7339847 commit a511114
1 file changed: +6 -0 lines (additions at new lines 9-10, 15-16, 22 and 32; the content of the added lines is not reproduced on this page)
0 commit comments