chore: integrate zizmor pre-commit hook and fix workflows with findings

eclipse-csi · Dec 9, 2024 · 3f0c52e · 3f0c52e
1 parent 495b004
commit 3f0c52e
Show file tree

Hide file tree

Showing 7 changed files with 32 additions and 7 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -27,6 +27,8 @@ jobs:
           - '3.11'
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: ${{ matrix.python-version }}
@@ -58,6 +60,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: ${{ env.LATEST_PY_VERSION }}

diff --git a/.github/workflows/generate-sbom.yml b/.github/workflows/generate-sbom.yml
@@ -23,6 +23,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{ github.event.inputs.version }}
       - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -32,6 +32,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           fetch-depth: 0
       - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
@@ -44,17 +45,20 @@ jobs:
       - name: "Setup context"
         id: context
         shell: bash
+        env:
+          REF: ${{ github.ref }}
+          REF_NAME: ${{ github.ref_name }}
         run: |
-          if [[ "${{ github.ref }}" =~ ^refs/heads/.* ]]; then
-            echo "RELEASE_TAG=${{ github.ref_name }}" >> $GITHUB_OUTPUT
+          if [[ "${REF}" =~ ^refs/heads/.* ]]; then
+            echo "RELEASE_TAG=${REF_NAME}" >> $GITHUB_OUTPUT
             # extract the current version from the pyproject.toml and replace .devN with -SNAPSHOT
             VERSION=$(poetry version -s | sed 's/.dev[0-9]*/-SNAPSHOT/')
             echo "RELEASE_VERSION=$VERSION" >> $GITHUB_OUTPUT
             PROJECT_VERSION=$(poetry version -s)
             echo "PROJECT_VERSION=$PROJECT_VERSION" >> $GITHUB_OUTPUT
           else
-            echo "RELEASE_TAG=${{ github.ref_name }}" >> $GITHUB_OUTPUT
-            VERSION=$(echo ${{ github.ref_name }} | sed 's/v//')
+            echo "RELEASE_TAG=${REF_NAME}" >> $GITHUB_OUTPUT
+            VERSION=$(echo ${REF_NAME} | sed 's/v//')
             echo "RELEASE_VERSION=$VERSION" >> $GITHUB_OUTPUT
             echo "PROJECT_VERSION=$VERSION" >> $GITHUB_OUTPUT
           fi
@@ -67,6 +71,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           ref: ${{ needs.release.outputs.release-tag }}
 
       - name: "Log in to the Container registry"
@@ -105,6 +110,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           fetch-depth: 0
           ref: ${{ needs.prepare.outputs.release-tag }}
 
@@ -156,6 +162,8 @@ jobs:
       contents: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: "Download dists"
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -26,9 +26,12 @@ jobs:
     steps:
       - name: "Check ref"
         shell: bash
+        env:
+          REF: ${{ github.ref }}
+          REF_NAME: ${{ github.ref_name }}
         run: |
-          if [ "${{ github.ref }}" != "refs/heads/main" ]; then
-            echo "Release shall only be made from 'main' branch, triggered branch '${{ github.ref_name }}', aborting."
+          if [ "${REF}" != "refs/heads/main" ]; then
+            echo "Release shall only be made from 'main' branch, triggered branch '${REF_NAME}', aborting."
             exit 1
           fi
 
@@ -44,6 +47,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: true
           ref: ${{ github.ref }}
 
       - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0

diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml
@@ -15,7 +15,6 @@ jobs:
     name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
-      security-events: write
       id-token: write
 
     steps:

diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,4 @@
+rules:
+  excessive-permissions:
+    ignore:
+      - scorecard-analysis.yml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -25,6 +25,11 @@ repos:
     rev: v0.10.0.1
     hooks:
     -   id: shellcheck
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v0.8.0
+    hooks:
+      - id: zizmor
+        args: [ --min-severity, low ]
   - repo: https://github.com/netomi/dash-hooks
     rev: v0.2.0
     hooks: