From c8ee1bfdcad7ee6b4fd79dd00074bd2fc54e8505 Mon Sep 17 00:00:00 2001 From: Hook25 Date: Fri, 20 Dec 2024 13:56:45 +0100 Subject: [PATCH 1/3] Do not persist credentials --- .github/workflows/black.yml | 2 ++ .github/workflows/checkbox-beta-release.yml | 3 +++ .github/workflows/checkbox-ce-oem-daily-build.yml | 1 + .github/workflows/checkbox-ce-oem-edge-builds.yml | 1 + .github/workflows/checkbox-core-snap-daily-builds.yml | 1 + .github/workflows/checkbox-promote-beta-to-candidate.yml | 2 ++ .github/workflows/checkbox-snap-daily-builds.yml | 1 + .github/workflows/checkbox-stable-release.yml | 3 +++ .github/workflows/checkbox-tics.yml | 4 +++- .github/workflows/daily-builds.yml | 1 + .github/workflows/deb-daily-builds.yml | 2 ++ .github/workflows/deb-sanity-builds.yml | 2 ++ .github/workflows/deb_validator.yaml | 2 ++ .github/workflows/dispatch_lab_job.yaml | 2 ++ .github/workflows/documentation-check.yml | 6 ++++++ .github/workflows/metabox.yaml | 3 +++ .github/workflows/pr_validation.yaml | 1 + .github/workflows/snapcraft8_builds.yaml | 4 ++++ .github/workflows/testflinger-contrib-dss-regression.yaml | 2 ++ .github/workflows/tox-checkbox-ng.yaml | 2 ++ .github/workflows/tox-checkbox-support.yaml | 2 ++ .github/workflows/tox-contrib-pc-sanity.yaml | 2 ++ .github/workflows/tox-contrib-provider-ce-oem.yaml | 2 ++ .github/workflows/tox-provider-base.yaml | 2 ++ .github/workflows/tox-provider-certification-client.yaml | 3 ++- .github/workflows/tox-provider-certification-server.yaml | 2 ++ .github/workflows/tox-provider-docker.yaml | 2 ++ .github/workflows/tox-provider-genio.yaml | 2 ++ .github/workflows/tox-provider-gpgpu.yaml | 2 ++ .github/workflows/tox-provider-iiotg.yaml | 2 ++ .github/workflows/tox-provider-resource.yaml | 2 ++ .github/workflows/tox-provider-sru.yaml | 2 ++ .github/workflows/tox-provider-tpm2.yaml | 2 ++ .github/workflows/tox-tools-release.yaml | 2 ++ 34 files changed, 72 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml index aebcadfc66..f1a089f67d 100644 --- a/.github/workflows/black.yml +++ b/.github/workflows/black.yml @@ -12,6 +12,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: psf/black@stable with: options: "--check --diff --line-length 79 --extend-exclude '/vendor/'" diff --git a/.github/workflows/checkbox-beta-release.yml b/.github/workflows/checkbox-beta-release.yml index bf186ca40a..069237259d 100644 --- a/.github/workflows/checkbox-beta-release.yml +++ b/.github/workflows/checkbox-beta-release.yml @@ -25,6 +25,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Verify Promotion Conditions env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -43,6 +44,8 @@ jobs: sudo apt install -qq -y python3-launchpadlib - name: Checkout checkbox monorepo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Copy deb packages from edge to beta ppa env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/checkbox-ce-oem-daily-build.yml b/.github/workflows/checkbox-ce-oem-daily-build.yml index e5a7ad0840..687a246303 100644 --- a/.github/workflows/checkbox-ce-oem-daily-build.yml +++ b/.github/workflows/checkbox-ce-oem-daily-build.yml @@ -22,6 +22,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Check for commits id: commit_check env: diff --git a/.github/workflows/checkbox-ce-oem-edge-builds.yml b/.github/workflows/checkbox-ce-oem-edge-builds.yml index 550c4a7667..2d6f56a326 100644 --- a/.github/workflows/checkbox-ce-oem-edge-builds.yml +++ b/.github/workflows/checkbox-ce-oem-edge-builds.yml @@ -32,6 +32,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Add LP credentials run: | mkdir -p ~/.local/share/snapcraft/provider/launchpad/ 
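Review bot: The Launchpad credentials that the next step writes under `~/.local/share/snapcraft/provider/launchpad/` are not covered by the new `persist-credentials: false`, which only keeps the GitHub token out of `.git/config`; that credential file stays readable by every later step and third-party action in the job. The body of the `Add LP credentials` run step continues outside the hunk, so I cannot see whether it restricts the file mode or removes the file when the job ends. If it does not, a `chmod 600` on the written file plus a final step with `if: always()` that deletes it would bound the exposure. The same pattern appears in the snapcraft8_builds.yaml hunks later in this commit.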
diff --git a/.github/workflows/checkbox-core-snap-daily-builds.yml b/.github/workflows/checkbox-core-snap-daily-builds.yml index 7962184445..0c2aef8485 100644 --- a/.github/workflows/checkbox-core-snap-daily-builds.yml +++ b/.github/workflows/checkbox-core-snap-daily-builds.yml @@ -41,6 +41,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Copy over the common files for series ${{ matrix.releases }} run: | cd checkbox-core-snap/ diff --git a/.github/workflows/checkbox-promote-beta-to-candidate.yml b/.github/workflows/checkbox-promote-beta-to-candidate.yml index 1a09937056..8d84e89006 100644 --- a/.github/workflows/checkbox-promote-beta-to-candidate.yml +++ b/.github/workflows/checkbox-promote-beta-to-candidate.yml @@ -58,6 +58,8 @@ jobs: steps: - name: Checkout checkbox monorepo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Create job file (by instantiating template) id: create-job diff --git a/.github/workflows/checkbox-snap-daily-builds.yml b/.github/workflows/checkbox-snap-daily-builds.yml index 81d9f3b8ab..8ff31da6e6 100644 --- a/.github/workflows/checkbox-snap-daily-builds.yml +++ b/.github/workflows/checkbox-snap-daily-builds.yml @@ -40,6 +40,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Copy over the common files for series ${{ matrix.type }}${{ matrix.releases }} run: | cd checkbox-snap/ diff --git a/.github/workflows/checkbox-stable-release.yml b/.github/workflows/checkbox-stable-release.yml index 614634fbff..2451cfac4a 100644 --- a/.github/workflows/checkbox-stable-release.yml +++ b/.github/workflows/checkbox-stable-release.yml @@ -23,6 +23,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Install dependencies run: | which curl || (sudo apt update && sudo apt install curl -y) 
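Review bot: With `persist-credentials: false` now set on this full-depth checkout in checkbox-stable-release.yml, any later step in the release job that runs `git push`, `git tag` or `git fetch` against origin without supplying its own token will fail with an authentication error, because `GITHUB_TOKEN` is no longer stored in `.git/config`. The steps visible here only install dependencies and the rest of the job is outside the hunk, so this is a check rather than a defect: confirm no step relies on the implicit credential, or make such a step authenticate explicitly (for example through `gh` with `GH_TOKEN` set). Steps that already receive `GITHUB_TOKEN` via `env:` and talk to the API with curl or `gh` are unaffected.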
@@ -56,6 +57,8 @@ jobs: sudo apt install -qq -y python3-launchpadlib - name: Checkout checkbox monorepo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Copy deb packages from testing to stable ppa env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/checkbox-tics.yml b/.github/workflows/checkbox-tics.yml index e41b6c7741..4134620ae6 100644 --- a/.github/workflows/checkbox-tics.yml +++ b/.github/workflows/checkbox-tics.yml @@ -4,7 +4,7 @@ on: schedule: - cron: '00 19 * * *' workflow_dispatch: - + permissions: contents: read @@ -14,6 +14,8 @@ jobs: environment: TICS steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install dependencies run: | diff --git a/.github/workflows/daily-builds.yml b/.github/workflows/daily-builds.yml index f1caf5d610..e4e8373be5 100644 --- a/.github/workflows/daily-builds.yml +++ b/.github/workflows/daily-builds.yml @@ -22,6 +22,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Check for commits id: commit_check env: diff --git a/.github/workflows/deb-daily-builds.yml b/.github/workflows/deb-daily-builds.yml index 97a71406a0..683d6bd411 100644 --- a/.github/workflows/deb-daily-builds.yml +++ b/.github/workflows/deb-daily-builds.yml @@ -25,6 +25,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: Wandalen/wretry.action/main@v3.4.0_js_action name: Make LP pull the monorepo env: @@ -69,6 +70,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: Wandalen/wretry.action/main@v3.4.0_js_action name: Update the recipe in the checkbox PPA env: diff --git a/.github/workflows/deb-sanity-builds.yml b/.github/workflows/deb-sanity-builds.yml index e5f5d34d53..210cca49e3 100644 --- a/.github/workflows/deb-sanity-builds.yml +++ b/.github/workflows/deb-sanity-builds.yml 
@@ -19,6 +19,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: Wandalen/wretry.action/main@v3.4.0_js_action name: Make LP pull the monorepo env: @@ -48,6 +49,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: Wandalen/wretry.action/main@v3.4.0_js_action name: Update the recipe in the checkbox PPA env: diff --git a/.github/workflows/deb_validator.yaml b/.github/workflows/deb_validator.yaml index 6cca5421f7..2a72999b1d 100644 --- a/.github/workflows/deb_validator.yaml +++ b/.github/workflows/deb_validator.yaml @@ -54,6 +54,8 @@ jobs: steps: - name: Checkout Checkbox monorepo uses: actions/checkout@v4 + with: + persist-credentials: false # needed by providers that pull checkbox-support - name: Install PPA and dependencies run: | diff --git a/.github/workflows/dispatch_lab_job.yaml b/.github/workflows/dispatch_lab_job.yaml index d01818f5d6..e3c0c53c7a 100644 --- a/.github/workflows/dispatch_lab_job.yaml +++ b/.github/workflows/dispatch_lab_job.yaml @@ -35,6 +35,8 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Get current commit SHA id: get_sha diff --git a/.github/workflows/documentation-check.yml b/.github/workflows/documentation-check.yml index 151ae0cab7..028d27643d 100644 --- a/.github/workflows/documentation-check.yml +++ b/.github/workflows/documentation-check.yml @@ -27,6 +27,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install Aspell run: | @@ -57,6 +59,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: woke uses: get-woke/woke-action@v0 @@ -82,6 +86,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install the doc framework working-directory: docs/ 
diff --git a/.github/workflows/metabox.yaml b/.github/workflows/metabox.yaml index 8dcb480b06..ca5baf6918 100644 --- a/.github/workflows/metabox.yaml +++ b/.github/workflows/metabox.yaml @@ -16,6 +16,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Use git diff to see if there are any changes in the metabox and checkbox-ng directories id: check_diff run: | @@ -51,6 +52,8 @@ jobs: steps: - name: Checkout Checkbox monorepo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup LXD uses: canonical/setup-lxd@main - name: Add ZFS storage diff --git a/.github/workflows/pr_validation.yaml b/.github/workflows/pr_validation.yaml index 1109332ed6..1fac3e2b0d 100644 --- a/.github/workflows/pr_validation.yaml +++ b/.github/workflows/pr_validation.yaml @@ -32,6 +32,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Install dependencies, Checkbox and providers run: | sudo apt install -y -qq python3 python3-venv jq libsystemd-dev diff --git a/.github/workflows/snapcraft8_builds.yaml b/.github/workflows/snapcraft8_builds.yaml index eb7462cd92..e32f586d71 100644 --- a/.github/workflows/snapcraft8_builds.yaml +++ b/.github/workflows/snapcraft8_builds.yaml @@ -41,6 +41,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Copy over the common files for series ${{ matrix.releases }} run: | cd checkbox-core-snap/ @@ -126,6 +127,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Copy over the common files for series ${{ matrix.type }}${{ matrix.releases }} run: | cd checkbox-snap/ @@ -201,6 +203,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Add LP credentials run: | mkdir -p ~/.local/share/snapcraft/ 
@@ -275,6 +278,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Add LP credentials run: | mkdir -p ~/.local/share/snapcraft/ diff --git a/.github/workflows/testflinger-contrib-dss-regression.yaml b/.github/workflows/testflinger-contrib-dss-regression.yaml index 5947150ab4..a3dbdd67ee 100644 --- a/.github/workflows/testflinger-contrib-dss-regression.yaml +++ b/.github/workflows/testflinger-contrib-dss-regression.yaml @@ -40,6 +40,8 @@ jobs: steps: - name: Check out code uses: actions/checkout@v4 + with: + persist-credentials: false - name: Build job file from template run: | sed -e "s|REPLACE_BRANCH|${BRANCH}|" \ diff --git a/.github/workflows/tox-checkbox-ng.yaml b/.github/workflows/tox-checkbox-ng.yaml index 6c34bc44b5..221ee60b53 100644 --- a/.github/workflows/tox-checkbox-ng.yaml +++ b/.github/workflows/tox-checkbox-ng.yaml @@ -32,6 +32,8 @@ jobs: tox_env_name: "py310" steps: - uses: actions/checkout@v4 + with: + persist-credentials: false # Python 3.5 setup was failing because of a CERTIFICATE_VERIFY_FAILED # error. To fix this, we have set up manually PIP_TRUSTED_HOST, checking # first that we can "curl" the hosts, since they will fail in case of diff --git a/.github/workflows/tox-checkbox-support.yaml b/.github/workflows/tox-checkbox-support.yaml index 56e6b82600..b76591aa3a 100644 --- a/.github/workflows/tox-checkbox-support.yaml +++ b/.github/workflows/tox-checkbox-support.yaml @@ -32,6 +32,8 @@ jobs: tox_env_name: "py310" steps: - uses: actions/checkout@v4 + with: + persist-credentials: false # Python 3.5 setup was failing because of a CERTIFICATE_VERIFY_FAILED # error. To fix this, we have set up manually PIP_TRUSTED_HOST, checking # first that we can "curl" the hosts, since they will fail in case of diff --git a/.github/workflows/tox-contrib-pc-sanity.yaml b/.github/workflows/tox-contrib-pc-sanity.yaml index 54278147b1..96415890be 100644 --- a/.github/workflows/tox-contrib-pc-sanity.yaml 
+++ b/.github/workflows/tox-contrib-pc-sanity.yaml @@ -25,6 +25,8 @@ jobs: tox_env_name: "py310" steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup Python uses: actions/setup-python@v4 with: diff --git a/.github/workflows/tox-contrib-provider-ce-oem.yaml b/.github/workflows/tox-contrib-provider-ce-oem.yaml index cb4f7b48ff..e26600a4f1 100644 --- a/.github/workflows/tox-contrib-provider-ce-oem.yaml +++ b/.github/workflows/tox-contrib-provider-ce-oem.yaml @@ -32,6 +32,8 @@ jobs: tox_env_name: "py310" steps: - uses: actions/checkout@v4 + with: + persist-credentials: false # Python 3.5 setup was failing because of a CERTIFICATE_VERIFY_FAILED # error. To fix this, we have set up manually PIP_TRUSTED_HOST, checking # first that we can "curl" the hosts, since they will fail in case of diff --git a/.github/workflows/tox-provider-base.yaml b/.github/workflows/tox-provider-base.yaml index 160beb40fb..31a6c1088a 100644 --- a/.github/workflows/tox-provider-base.yaml +++ b/.github/workflows/tox-provider-base.yaml @@ -32,6 +32,8 @@ jobs: tox_env_name: "py310" steps: - uses: actions/checkout@v4 + with: + persist-credentials: false # Python 3.5 setup was failing because of a CERTIFICATE_VERIFY_FAILED # error. To fix this, we have set up manually PIP_TRUSTED_HOST, checking # first that we can "curl" the hosts, since they will fail in case of diff --git a/.github/workflows/tox-provider-certification-client.yaml b/.github/workflows/tox-provider-certification-client.yaml index 52941b1686..d64aca4326 100644 --- a/.github/workflows/tox-provider-certification-client.yaml +++ b/.github/workflows/tox-provider-certification-client.yaml 
@@ -32,11 +32,12 @@ jobs: tox_env_name: "py310" steps: - uses: actions/checkout@v4 + with: + persist-credentials: false # Python 3.5 setup was failing because of a CERTIFICATE_VERIFY_FAILED # error. To fix this, we have set up manually PIP_TRUSTED_HOST, checking # first that we can "curl" the hosts, since they will fail in case of # expired/invalid/self-signed certificate. - - name: Workaround SSL Certificates manual verification for Python run: | curl --fail --silent --show-error https://pypi.python.org diff --git a/.github/workflows/tox-provider-certification-server.yaml b/.github/workflows/tox-provider-certification-server.yaml index d938612cce..521b66c12b 100644 --- a/.github/workflows/tox-provider-certification-server.yaml +++ b/.github/workflows/tox-provider-certification-server.yaml @@ -32,6 +32,8 @@ jobs: tox_env_name: "py310" steps: - uses: actions/checkout@v4 + with: + persist-credentials: false # Python 3.5 setup was failing because of a CERTIFICATE_VERIFY_FAILED # error. To fix this, we have set up manually PIP_TRUSTED_HOST, checking # first that we can "curl" the hosts, since they will fail in case of diff --git a/.github/workflows/tox-provider-docker.yaml b/.github/workflows/tox-provider-docker.yaml index 9475e0e164..6ea7bbbf78 100644 --- a/.github/workflows/tox-provider-docker.yaml +++ b/.github/workflows/tox-provider-docker.yaml @@ -32,6 +32,8 @@ jobs: tox_env_name: "py310" steps: - uses: actions/checkout@v4 + with: + persist-credentials: false # Python 3.5 setup was failing because of a CERTIFICATE_VERIFY_FAILED # error. To fix this, we have set up manually PIP_TRUSTED_HOST, checking # first that we can "curl" the hosts, since they will fail in case of diff --git a/.github/workflows/tox-provider-genio.yaml b/.github/workflows/tox-provider-genio.yaml index 291a148e19..750cf6382a 100644 --- a/.github/workflows/tox-provider-genio.yaml +++ b/.github/workflows/tox-provider-genio.yaml 
@@ -33,6 +33,8 @@ jobs: tox_env_name: "py310" steps: - uses: actions/checkout@v4 + with: + persist-credentials: false # Python 3.5 setup was failing because of a CERTIFICATE_VERIFY_FAILED # error. To fix this, we have set up manually PIP_TRUSTED_HOST, checking # first that we can "curl" the hosts, since they will fail in case of diff --git a/.github/workflows/tox-provider-gpgpu.yaml b/.github/workflows/tox-provider-gpgpu.yaml index 7418062a57..47b7a87825 100644 --- a/.github/workflows/tox-provider-gpgpu.yaml +++ b/.github/workflows/tox-provider-gpgpu.yaml @@ -32,6 +32,8 @@ jobs: tox_env_name: "py310" steps: - uses: actions/checkout@v4 + with: + persist-credentials: false # Python 3.5 setup was failing because of a CERTIFICATE_VERIFY_FAILED # error. To fix this, we have set up manually PIP_TRUSTED_HOST, checking # first that we can "curl" the hosts, since they will fail in case of diff --git a/.github/workflows/tox-provider-iiotg.yaml b/.github/workflows/tox-provider-iiotg.yaml index dbb9ee97ca..09a136b5c6 100644 --- a/.github/workflows/tox-provider-iiotg.yaml +++ b/.github/workflows/tox-provider-iiotg.yaml @@ -32,6 +32,8 @@ jobs: tox_env_name: "py310" steps: - uses: actions/checkout@v4 + with: + persist-credentials: false # Python 3.5 setup was failing because of a CERTIFICATE_VERIFY_FAILED # error. To fix this, we have set up manually PIP_TRUSTED_HOST, checking # first that we can "curl" the hosts, since they will fail in case of diff --git a/.github/workflows/tox-provider-resource.yaml b/.github/workflows/tox-provider-resource.yaml index b6538f6237..ed809b71cd 100644 --- a/.github/workflows/tox-provider-resource.yaml +++ b/.github/workflows/tox-provider-resource.yaml 
@@ -32,6 +32,8 @@ jobs: tox_env_name: "py310" steps: - uses: actions/checkout@v4 + with: + persist-credentials: false # Python 3.5 setup was failing because of a CERTIFICATE_VERIFY_FAILED # error. To fix this, we have set up manually PIP_TRUSTED_HOST, checking # first that we can "curl" the hosts, since they will fail in case of diff --git a/.github/workflows/tox-provider-sru.yaml b/.github/workflows/tox-provider-sru.yaml index 15892c1fc0..4374cc022f 100644 --- a/.github/workflows/tox-provider-sru.yaml +++ b/.github/workflows/tox-provider-sru.yaml @@ -32,6 +32,8 @@ jobs: tox_env_name: "py310" steps: - uses: actions/checkout@v4 + with: + persist-credentials: false # Python 3.5 setup was failing because of a CERTIFICATE_VERIFY_FAILED # error. To fix this, we have set up manually PIP_TRUSTED_HOST, checking # first that we can "curl" the hosts, since they will fail in case of diff --git a/.github/workflows/tox-provider-tpm2.yaml b/.github/workflows/tox-provider-tpm2.yaml index c339f00e2b..a016c322db 100644 --- a/.github/workflows/tox-provider-tpm2.yaml +++ b/.github/workflows/tox-provider-tpm2.yaml @@ -32,6 +32,8 @@ jobs: tox_env_name: "py310" steps: - uses: actions/checkout@v4 + with: + persist-credentials: false # Python 3.5 setup was failing because of a CERTIFICATE_VERIFY_FAILED # error. To fix this, we have set up manually PIP_TRUSTED_HOST, checking # first that we can "curl" the hosts, since they will fail in case of diff --git a/.github/workflows/tox-tools-release.yaml b/.github/workflows/tox-tools-release.yaml index fd23f03f42..9697012e91 100644 --- a/.github/workflows/tox-tools-release.yaml +++ b/.github/workflows/tox-tools-release.yaml @@ -20,6 +20,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup Python uses: actions/setup-python@v4 with: From cc5dc34026b7e8e96707865f35f0e977494dc1a5 Mon Sep 17 00:00:00 2001 
From: Hook25
Date: Fri, 20 Dec 2024 13:57:06 +0100
Subject: [PATCH 2/3] Add zizmor scanning
Minor: Fix checkbox->Checkbox
---
.github/workflows/validate_workflows.yaml | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/validate_workflows.yaml b/.github/workflows/validate_workflows.yaml
index df40cdcb78..f38b94cfdd 100644
--- a/.github/workflows/validate_workflows.yaml
+++ b/.github/workflows/validate_workflows.yaml
@@ -10,8 +10,10 @@ jobs:
 name: Workflow validation
 runs-on: ubuntu-latest
 steps:
- - name: Checkout checkbox monorepo
+ - name: Checkout Checkbox monorepo
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Install action-validator with asdf
 uses: asdf-vm/actions/install@v3
 with:
@@ -21,3 +23,21 @@ jobs:
 run: |
 find .github/workflows -type f \( -iname \*.yaml -o -iname \*.yml \) \
 | xargs -I {} action-validator --verbose {}
+ workflow_vulnerability_scan:
+ name: Workflow vulnerability scanning
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Checkbox monorepo
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - name: Install zizmor from crates.io
+ uses: baptiste0928/cargo-install@v3
+ with:
+ crate: zizmor
+ version: '0.10.0'
+ - name: Scan all workflows
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ zizmor $(ls .github/workflows/*.{yaml,yml})
From bb5ee97173efba83aac041ece60a93ec0f3f02c4 Mon Sep 17 00:00:00 2001
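Review bot: `uses: baptiste0928/cargo-install@v3` adds a new third-party action referenced by a mutable tag, which is the same tag/branch substitution risk the next commit's description gives as the reason for the codecov change; pin it to a full commit SHA with the version in a trailing comment, `uses: baptiste0928/cargo-install@<full-commit-sha> # v3`, and note that the `codecov/codecov-action@v5` bumps in that commit are still mutable tags as well. The invocation `zizmor $(ls .github/workflows/*.{yaml,yml})` word-splits `ls` output and depends on bash brace expansion; zizmor accepts a directory, so `zizmor .github/workflows/` is both simpler and more robust. As far as I recall zizmor exits non-zero when it reports any finding, so this job may start failing on pre-existing references such as the `canonical/setup-lxd@main` line visible in the metabox.yaml hunk of the previous commit; decide whether that is intended or whether a severity threshold is wanted, as I have not verified the exact exit-code policy of 0.10.0. The step hands `GH_TOKEN` to zizmor for its online audits, so confirm that the workflow's `permissions:` block, which is outside this hunk, grants only `contents: read`.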
From: Hook25 Date: Fri, 20 Dec 2024 14:05:39 +0100 Subject: [PATCH 3/3] Update codecov action to v5 This was done in response to a vulnerability: codecov has a branch that is v3 and a tag, so any commit to the v3 branch can steal the token potentially --- .github/workflows/tox-checkbox-ng.yaml | 2 +- .github/workflows/tox-checkbox-support.yaml | 2 +- .github/workflows/tox-contrib-pc-sanity.yaml | 2 +- .github/workflows/tox-contrib-provider-ce-oem.yaml | 2 +- .github/workflows/tox-provider-base.yaml | 2 +- .github/workflows/tox-provider-certification-client.yaml | 2 +- .github/workflows/tox-provider-certification-server.yaml | 2 +- .github/workflows/tox-provider-genio.yaml | 2 +- .github/workflows/tox-provider-gpgpu.yaml | 2 +- .github/workflows/tox-provider-iiotg.yaml | 2 +- .github/workflows/tox-provider-resource.yaml | 2 +- .github/workflows/tox-provider-sru.yaml | 2 +- .github/workflows/tox-tools-release.yaml | 2 +- 13 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/tox-checkbox-ng.yaml b/.github/workflows/tox-checkbox-ng.yaml index 221ee60b53..ac8f851f8f 100644 --- a/.github/workflows/tox-checkbox-ng.yaml +++ b/.github/workflows/tox-checkbox-ng.yaml @@ -54,7 +54,7 @@ jobs: - name: Run tox run: tox -e${{ matrix.tox_env_name }} - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@v5 with: token: ${{ secrets.CODECOV_TOKEN }} flags: checkbox-ng diff --git a/.github/workflows/tox-checkbox-support.yaml b/.github/workflows/tox-checkbox-support.yaml index b76591aa3a..9962919e4d 100644 --- a/.github/workflows/tox-checkbox-support.yaml +++ b/.github/workflows/tox-checkbox-support.yaml @@ -58,7 +58,7 @@ jobs: - name: Run tox run: tox -e${{ matrix.tox_env_name }} - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@v5 with: token: ${{ secrets.CODECOV_TOKEN }} flags: checkbox-support 
diff --git a/.github/workflows/tox-contrib-pc-sanity.yaml b/.github/workflows/tox-contrib-pc-sanity.yaml index 96415890be..958d6c6e16 100644 --- a/.github/workflows/tox-contrib-pc-sanity.yaml +++ b/.github/workflows/tox-contrib-pc-sanity.yaml @@ -36,7 +36,7 @@ jobs: - name: Run tox run: tox -e${{ matrix.tox_env_name }} - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@v5 with: token: ${{ secrets.CODECOV_TOKEN }} flags: pc-sanity diff --git a/.github/workflows/tox-contrib-provider-ce-oem.yaml b/.github/workflows/tox-contrib-provider-ce-oem.yaml index e26600a4f1..99e05be712 100644 --- a/.github/workflows/tox-contrib-provider-ce-oem.yaml +++ b/.github/workflows/tox-contrib-provider-ce-oem.yaml @@ -58,7 +58,7 @@ jobs: - name: Run tox run: tox -e${{ matrix.tox_env_name }} - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@v5 with: token: ${{ secrets.CODECOV_TOKEN }} flags: contrib-provider-ce-oem diff --git a/.github/workflows/tox-provider-base.yaml b/.github/workflows/tox-provider-base.yaml index 31a6c1088a..accd5ecb6c 100644 --- a/.github/workflows/tox-provider-base.yaml +++ b/.github/workflows/tox-provider-base.yaml @@ -58,7 +58,7 @@ jobs: - name: Run tox run: tox -e${{ matrix.tox_env_name }} - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@v5 with: token: ${{ secrets.CODECOV_TOKEN }} flags: provider-base diff --git a/.github/workflows/tox-provider-certification-client.yaml b/.github/workflows/tox-provider-certification-client.yaml index d64aca4326..8f1eb313da 100644 --- a/.github/workflows/tox-provider-certification-client.yaml +++ b/.github/workflows/tox-provider-certification-client.yaml 
@@ -54,7 +54,7 @@ jobs: - name: Run tox run: tox -e${{ matrix.tox_env_name }} - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@v5 with: token: ${{ secrets.CODECOV_TOKEN }} flags: provider-certification-client diff --git a/.github/workflows/tox-provider-certification-server.yaml b/.github/workflows/tox-provider-certification-server.yaml index 521b66c12b..736053c751 100644 --- a/.github/workflows/tox-provider-certification-server.yaml +++ b/.github/workflows/tox-provider-certification-server.yaml @@ -54,7 +54,7 @@ jobs: - name: Run tox run: tox -e${{ matrix.tox_env_name }} - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@v5 with: token: ${{ secrets.CODECOV_TOKEN }} flags: provider-certification-server diff --git a/.github/workflows/tox-provider-genio.yaml b/.github/workflows/tox-provider-genio.yaml index 750cf6382a..ce6b911956 100644 --- a/.github/workflows/tox-provider-genio.yaml +++ b/.github/workflows/tox-provider-genio.yaml @@ -59,7 +59,7 @@ jobs: - name: Run tox run: tox -e${{ matrix.tox_env_name }} - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@v5 with: token: ${{ secrets.CODECOV_TOKEN }} flags: provider-genio diff --git a/.github/workflows/tox-provider-gpgpu.yaml b/.github/workflows/tox-provider-gpgpu.yaml index 47b7a87825..aae3819e82 100644 --- a/.github/workflows/tox-provider-gpgpu.yaml +++ b/.github/workflows/tox-provider-gpgpu.yaml @@ -58,7 +58,7 @@ jobs: - name: Run tox run: tox -e${{ matrix.tox_env_name }} - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@v5 with: token: ${{ secrets.CODECOV_TOKEN }} flags: provider-gpgpu diff --git a/.github/workflows/tox-provider-iiotg.yaml b/.github/workflows/tox-provider-iiotg.yaml index 09a136b5c6..df4d2208fc 100644 --- a/.github/workflows/tox-provider-iiotg.yaml 
+++ b/.github/workflows/tox-provider-iiotg.yaml @@ -54,7 +54,7 @@ jobs: - name: Run tox run: tox -e${{ matrix.tox_env_name }} - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@v5 with: token: ${{ secrets.CODECOV_TOKEN }} flags: provider-iiotg diff --git a/.github/workflows/tox-provider-resource.yaml b/.github/workflows/tox-provider-resource.yaml index ed809b71cd..fbf48a7e6d 100644 --- a/.github/workflows/tox-provider-resource.yaml +++ b/.github/workflows/tox-provider-resource.yaml @@ -58,7 +58,7 @@ jobs: - name: Run tox run: tox -e${{ matrix.tox_env_name }} - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@v5 with: token: ${{ secrets.CODECOV_TOKEN }} flags: provider-resource diff --git a/.github/workflows/tox-provider-sru.yaml b/.github/workflows/tox-provider-sru.yaml index 4374cc022f..5803fdf2b1 100644 --- a/.github/workflows/tox-provider-sru.yaml +++ b/.github/workflows/tox-provider-sru.yaml @@ -54,7 +54,7 @@ jobs: - name: Run tox run: tox -e${{ matrix.tox_env_name }} - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@v5 with: token: ${{ secrets.CODECOV_TOKEN }} flags: provider-sru diff --git a/.github/workflows/tox-tools-release.yaml b/.github/workflows/tox-tools-release.yaml index 9697012e91..2b1198ac35 100644 --- a/.github/workflows/tox-tools-release.yaml +++ b/.github/workflows/tox-tools-release.yaml @@ -31,7 +31,7 @@ jobs: - name: Run tox run: tox -e py310 - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@v5 with: token: ${{ secrets.CODECOV_TOKEN }} flags: release-tools