From 208f83acd9632b3d7d009bc8eba679d8e5ac4af5 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 17 Jul 2025 20:56:35 -0400 Subject: [PATCH 1/4] CI: pin actions by SHA This eliminates the possibility of a tag being changed under us. --- .github/workflows/test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index d7d6d29..a0df8dc 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -28,7 +28,7 @@ jobs: with: path: ~/conda_pkgs_dir key: ${{ runner.os }}-conda-${{ env.CACHE_NUMBER }}-${{ hashFiles('ci/environment-py${{ matrix.python-version }}.yml') }} - - uses: conda-incubator/setup-miniconda@v3 + - uses: conda-incubator/setup-miniconda@505e6394dae86d6a5c7fbb6e3fb8938e3e863830 # v3 with: # mamba-version: "*" # activate this to build with mamba. python-version: ${{ matrix.python-version }} @@ -48,7 +48,7 @@ jobs: run: | pytest --cov=./ --cov-report=xml - name: Upload code coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4 with: file: ./coverage.xml flags: unittests From 049d726da6f6ecd230273f0bf47e1bbea8d41d7a Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 17 Jul 2025 22:02:39 -0400 Subject: [PATCH 2/4] CI: pin actions by SHA This eliminates the possibility of a tag being changed under us. --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index def820f..d3d3705 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -25,4 +25,4 @@ jobs: - name: Publish to PyPI if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 
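Review bot: The `# v3` comment on the new `conda-incubator/setup-miniconda@505e6394dae86d6a5c7fbb6e3fb8938e3e863830` line records only the major line, whereas the `pypa/gh-action-pypi-publish` pin in patch 2 records the exact release (`# v1.12.4`); once the ref is an immutable SHA, that comment is the only human-readable record of what was pinned, so it should name the full tag the SHA was resolved from, e.g. `# v3.<minor>.<patch>` (placeholder), and the same applies to the `codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4` line in the next hunk. A SHA pin also stops following upstream releases, so the actions will no longer receive fixes unless an updater such as Dependabot's `github-actions` ecosystem is configured to bump both the SHA and the comment; that configuration is not visible in this series, so worth confirming it exists or adding it alongside these pins. The `steps:` list enclosing both hunks starts and ends outside them.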
From 53b3959bb174fbe90e482bad776ce41a981586f1 Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 17 Jul 2025 23:07:50 -0400 Subject: [PATCH 3/4] CI: auto-fix via zizmor May include: - Avoids risky string interpolation. - Prevents checkout premissions from leaking --- .github/workflows/codeql.yml | 2 ++ .github/workflows/release.yaml | 2 ++ .github/workflows/test.yaml | 2 ++ 3 files changed, 6 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b5caf0d..7864cc9 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -25,6 +25,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@v3 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index d3d3705..2e0dd07 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -15,6 +15,8 @@ jobs: id-token: write # IMPORTANT: this permission is mandatory for trusted publishing steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 - name: Install dependencies run: | diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index a0df8dc..7df3e41 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -20,6 +20,8 @@ jobs: python-version: ["3.8", "3.9", "3.10"] steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Cache conda uses: actions/cache@v4 env: From 452165cf124ff887b73eb38af61d92b6fbd4ebed Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Thu, 17 Jul 2025 23:25:00 -0400 Subject: [PATCH 4/4] CI: Restrict default permissions Reduces risk of arbitrary code is run by attacker. --- .github/workflows/test.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 7df3e41..1539342 100644 --- a/.github/workflows/test.yaml 
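Review bot: The `actions/checkout@v4` and `github/codeql-action/init@v3` lines that the new `persist-credentials: false` block attaches to in the codeql.yml hunk are still mutable tag refs, which leaves this step exposed to exactly the tag-moving risk patches 1 and 2 set out to close; the same holds for `actions/checkout@v4` and `actions/setup-python@v5` in the release.yaml hunk and `actions/checkout@v4` and `actions/cache@v4` in the test.yaml hunk of this commit. Since the series already establishes the convention, these refs should be resolved to their release commits in the same form, e.g. `uses: actions/checkout@<commit-sha> # v4.<minor>.<patch>` (placeholder values), so the workflows end up uniformly pinned rather than half-pinned. Adding `persist-credentials: false` is itself correct for these jobs, as none of the visible steps push back to the repository. Each of the three `steps:` lists continues outside its hunk.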
+++ b/.github/workflows/test.yaml @@ -1,4 +1,6 @@ name: Tests +permissions: + contents: read on: push: branches:
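Review bot: The new top-level `permissions: contents: read` is added only to test.yaml, although the series also touches codeql.yml and release.yaml; without a workflow-level default those two still inherit the repository's default token scope for any job that does not declare its own block. Patch 3's release.yaml hunk shows a job-level block granting `id-token: write`, so that job is already scoped, but no `permissions` block for codeql.yml is visible in this series, so it is worth confirming it declares the `security-events: write` it needs at the job level and otherwise defaults to read-only, for example by adding the same two lines to both files. A short comment above the new block, such as `# Least-privilege default; jobs that need more must request it explicitly.`, would record the intent for the next editor. The `on:` mapping this hunk ends in continues outside it.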