Skip to content

CI: Harden GHA configuration#102

Merged
dstansby merged 8 commits into
matplotlib:mainfrom
tacaswell:harden_gha
Sep 27, 2025
Merged

CI: Harden GHA configuration#102
dstansby merged 8 commits into
matplotlib:mainfrom
tacaswell:harden_gha

Conversation

@tacaswell
Copy link
Copy Markdown
Member

@tacaswell tacaswell commented Jul 18, 2025

Apply recommended hardening steps including:

  • pinning to a SHA any actions used
  • not persisting the read token on checkout
  • setting the default permissions
  • adding a depandabot file for GHA

tacaswell added 7 commits July 17, 2025 21:01
@tacaswell
CI: pin actions by SHA
1658516 
This eliminates the possibility of a tag being changed under
us.
@tacaswell
CI: pin actions by SHA
662d2b2 
This eliminates the possibility of a tag being changed under
us.
@tacaswell
CI: auto-fix via zizmor
036f09c 
May include:

- Avoids risky string interpolation.
- Prevents checkout premissions from leaking
@tacaswell
CI: Restrict default permissions
a6db1fc 
Reduces risk of arbitrary code is run by attacker.
@tacaswell
CI: Restrict default permissions
391a4de 
Reduces risk of arbitrary code is run by attacker.
@tacaswell
CI: set permissions
0a5023c
@tacaswell
CI: add dependabot config file for GHA
ddd5ecb
QuLogic
QuLogic reviewed Jul 22, 2025
View reviewed changes
Comment thread .github/workflows/main.yaml Outdated
Comment thread .github/workflows/main.yaml
contents: write

steps:
- uses: actions/checkout@v4
Copy link
Copy Markdown
Member

@QuLogic QuLogic Jul 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not pinned.

Comment thread .github/workflows/codeql.yml
Copy link
Copy Markdown
Member

@QuLogic QuLogic Jul 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No actions are pinned in this file.

@tacaswell
Copy link
Copy Markdown
Member Author

tacaswell commented Jul 22, 2025

The tool I used to find un-pinned actions (zizmor) does not flag the "official" action/xyz actions.

I suspect the logic is if someone manages to compromise GH there are more direct ways to cause trouble than funny side-band attacks via GHA.

@tacaswell @QuLogic
DOC: update version label
bd38cd9 
Co-authored-by: Elliott Sales de Andrade <quantum.analyst@gmail.com>
@QuLogic
Copy link
Copy Markdown
Member

QuLogic commented Jul 24, 2025

I think you need to run with the pedantic persona to catch those.

dstansby
dstansby approved these changes Sep 27, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@dstansby dstansby left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since even without pinning the actions/* workflows this is an improvement, I will merge.

@dstansby dstansby merged commit 7d4746e into matplotlib:main Sep 27, 2025
3 checks passed
@tacaswell tacaswell deleted the harden_gha branch September 29, 2025 14:23
@tacaswell
Copy link
Copy Markdown
Member Author

tacaswell commented Sep 29, 2025

I think think broke things: https://github.com/matplotlib/mpl-brochure-site/actions/runs/18060765685/job/51396687512

@QuLogic
Copy link
Copy Markdown
Member

QuLogic commented Sep 29, 2025

Yes, it looks like it should have statuses permission, not the others: https://github.com/scientific-python/circleci-artifacts-redirector-action?tab=readme-ov-file#example-usage

@QuLogic QuLogic mentioned this pull request Sep 30, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@QuLogic QuLogic QuLogic left review comments

@dstansby dstansby dstansby approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tacaswell @QuLogic @dstansby