Skip to content

Commit cf9d109

Browse files
mstoclaude
andcommitted
chore: address Zizmor security findings in GHA workflows
Fixes #285 - persist-credentials: false on all actions/checkout steps (artipacked). - Top-level permissions: {} in publish_fgpyo.yml and wheels.yml, with per-job least-privilege scoping (contents: read for reading jobs, permissions: {} for reusable-workflow callers). - Disabled setup-uv cache in tests.yml (cache-poisoning). The dangerous-triggers finding in readthedocs.yml is deferred to #283, which removes that workflow entirely. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent b8dcaa2 commit cf9d109

3 files changed

Lines changed: 22 additions & 1 deletion

File tree

.github/workflows/publish_fgpyo.yml

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,9 +4,13 @@ on:
44
push:
55
tags: '[0-9]+.[0-9]+.[0-9]+'
66

7+
permissions: {}
8+
79
jobs:
810
on-main-branch-check:
911
runs-on: ubuntu-latest
12+
permissions:
13+
contents: read
1014
outputs:
1115
on_main: ${{ steps.contains_tag.outputs.retval }}
1216
steps:
@@ -21,6 +25,7 @@ jobs:
2125
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2226
with:
2327
fetch-depth: 0
28+
persist-credentials: false
2429

2530
- uses: rickstaa/action-contains-tag@a9ff27d505ba2bf074a2ebb48b208e76d35ff308 # v1.2.10
2631
id: contains_tag
@@ -32,22 +37,27 @@ jobs:
3237
name: tests
3338
needs: on-main-branch-check
3439
if: ${{ needs.on-main-branch-check.outputs.on_main == 'true' }}
40+
permissions: {}
3541
uses: "./.github/workflows/tests.yml"
3642

3743
build-wheels:
3844
name: build wheels
3945
needs: tests
46+
permissions: {}
4047
uses: "./.github/workflows/wheels.yml"
4148

4249
build-sdist:
4350
name: build source distribution
4451
needs: tests
4552
runs-on: ubuntu-latest
53+
permissions:
54+
contents: read
4655
steps:
4756
- name: Checkout
4857
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
4958
with:
5059
fetch-depth: 0
60+
persist-credentials: false
5161

5262
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
5363
with:
@@ -86,6 +96,8 @@ jobs:
8696
make-changelog:
8797
runs-on: ubuntu-latest
8898
needs: publish-to-pypi
99+
permissions:
100+
contents: read
89101
outputs:
90102
release_body: ${{ steps.git-cliff.outputs.content }}
91103
steps:
@@ -94,6 +106,7 @@ jobs:
94106
with:
95107
fetch-depth: 0
96108
ref: ${{ github.ref_name }}
109+
persist-credentials: false
97110

98111
- name: Generate a Changelog
99112
uses: orhun/git-cliff-action@c93ef52f3d0ddcdcc9bd5447d98d458a11cd4f72 # v4.7.1

.github/workflows/tests.yml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -24,13 +24,15 @@ jobs:
2424
steps:
2525
- name: Checkout
2626
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
27+
with:
28+
persist-credentials: false
2729

2830
- name: Install uv
2931
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
3032
with:
3133
version: "${{ env.UV_VERSION }}"
3234
python-version: "${{ matrix.PYTHON_VERSION }}"
33-
enable-cache: 'true'
35+
enable-cache: false
3436
cache-suffix: "${{ matrix.PYTHON_VERSION }}"
3537

3638
- name: Install dependencies

.github/workflows/wheels.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,17 +8,23 @@ on:
88
env:
99
UV_VERSION: 0.8.22
1010

11+
permissions: {}
12+
1113
jobs:
1214
build-wheels:
1315
name: Build wheels for ${{ matrix.PYTHON_VERSION }}
1416
runs-on: ubuntu-latest
17+
permissions:
18+
contents: read
1519
strategy:
1620
matrix:
1721
PYTHON_VERSION: ["3.10", "3.11", "3.12", "3.13"]
1822

1923
steps:
2024
- name: Checkout
2125
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
26+
with:
27+
persist-credentials: false
2228

2329
- name: Install uv
2430
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0

0 commit comments

Comments
 (0)