[pre-commit.ci] pre-commit autoupdate #3991
Conversation
updates: - [github.com/woodruffw/zizmor-pre-commit: v1.5.2 → v1.11.0](zizmorcore/zizmor-pre-commit@v1.5.2...v1.11.0)
Done using https://github.com/suzuki-shunsuke/pinact. Only pinning non-official GitHub Actions workflows not covered by default policy in https://docs.zizmor.sh/audits/#unpinned-uses. See also https://docs.github.com/en/actions/how-tos/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
Involves security hardening related changes, so will merge on second approval.
-DCMAKE_INSTALL_PREFIX=%GMT_INSTALL_DIR% ^ | ||
-DCMAKE_BUILD_TYPE=Release ^ | ||
-DCMAKE_PREFIX_PATH=${{ env.MAMBA_ROOT_PREFIX }}\envs\pygmt\Library ^ | ||
-DCMAKE_PREFIX_PATH=%MAMBA_ROOT_PREFIX%\envs\pygmt\Library ^ |
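Review bot: the replacement only holds if `MAMBA_ROOT_PREFIX` is actually present in the step's process environment when cmd runs, because `%MAMBA_ROOT_PREFIX%` is now resolved by the shell rather than by the workflow templater; the thread below traces it to the setup-micromamba step, and a one-line comment next to the `-DCMAKE_PREFIX_PATH` argument stating that dependency would stop the next editor from reverting to `${{ env.MAMBA_ROOT_PREFIX }}`. The gain is that the value is no longer spliced into the script text before execution; cmd still expands `%VAR%` textually at run time, so this addresses the template-expansion finding rather than making the value safe if it were untrusted.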
Zizmor was complaining that this line was vulnerable to code template injection:
help[template-injection]: code injection via template expansion
--> .github/workflows/ci_tests_dev.yaml:134:37
|
126 | run: |
| --- help: this run block
127 | cd gmt/
...
133 | -DCMAKE_BUILD_TYPE=Release ^
134 | -DCMAKE_PREFIX_PATH=${{ env.MAMBA_ROOT_PREFIX }}\envs\pygmt\Library ^
| --------------------- help: may expand into attacker-controllable code
|
= note: audit confidence → High
= note: this finding has an auto-fix
The `env.MAMBA_ROOT_PREFIX` variable set in #2773 could simply be set as `%MAMBA_ROOT_PREFIX%` if I'm not mistaken, since we're not passing this variable via the env context, though it is set as `MAMBA_ROOT_PREFIX: C:\Users\runneradmin\micromamba` in https://github.com/GenericMappingTools/pygmt/actions/runs/16129619616/job/45514313791?pr=3991#step:8:18, probably from the setup-micromamba step?

Can you verify that this makes sense @seisman, given your comment on `-DCMAKE_PREFIX_PATH` at #2773 (comment)?
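To make the pattern zizmor flags above checkable, here is an added Python audit (not code from PyGMT, zizmor or pinact) that finds `${{ }}` expressions inside `run:` blocks and proposes the environment-variable form of the fix, the same shape as the `${{ env.MAMBA_ROOT_PREFIX }}` to `%MAMBA_ROOT_PREFIX%` change in this PR. The sample workflow is constructed, modelled on the ci_tests_dev.yaml step, and the line-based parser assumes conventional YAML indentation rather than using a full YAML library.

```python
import re

# A GitHub Actions expression such as ${{ env.FOO }}, and a step's run: key (inline or block).
EXPR_RE = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")
RUN_RE = re.compile(r"run:\s*([|>][-+]?)?\s*(.*)$")

def find_run_expressions(workflow_text):
    """Return (line_no, expression) for every ${{ }} inside a step's run: block."""
    findings, in_run, run_indent = [], False, 0
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        m = RUN_RE.match(stripped)
        if m:  # "run: cmd" or the first line of a "run: |" block
            in_run, run_indent = True, indent
            findings += [(lineno, e) for e in EXPR_RE.findall(m.group(2))]
        elif in_run and stripped and indent <= run_indent:
            in_run = False  # a dedent ends the block scalar
        elif in_run:
            findings += [(lineno, e) for e in EXPR_RE.findall(line)]
    return findings

def suggest_fix(expr, shell="bash"):
    """Return (shell reference, env: line or None) so the value reaches the script through the
    process environment instead of being pasted into the script text by the templater."""
    if expr.startswith("env."):
        name, env_line = expr[4:], None  # already an environment variable: just reference it
    else:
        name = re.sub(r"[^A-Za-z0-9]+", "_", expr).strip("_").upper()
        env_line = f"{name}: ${{{{ {expr} }}}}"  # hoist the expression into the step's env:
    # cmd still expands %VAR% textually at run time; bash "$VAR" keeps the value as one word.
    ref = f"%{name}%" if shell == "cmd" else f'"${name}"'
    return ref, env_line

# Constructed sample modelled on the ci_tests_dev.yaml step discussed in this PR.
SAMPLE = """\
jobs:
  build:
    steps:
      - name: Build GMT
        shell: cmd
        run: |
          cd gmt/
          cmake -DCMAKE_BUILD_TYPE=Release ^
            -DCMAKE_PREFIX_PATH=${{ env.MAMBA_ROOT_PREFIX }}\\envs\\pygmt\\Library ^
            ..
      - name: Echo title
        run: echo "${{ github.event.pull_request.title }}"
"""
```

Running `find_run_expressions(SAMPLE)` reports both expressions with their line numbers, and `suggest_fix` gives `%MAMBA_ROOT_PREFIX%` for the cmd step and an `env:` hoist plus `"$GITHUB_EVENT_PULL_REQUEST_TITLE"` for the bash one.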
# Install Micromamba with conda-forge dependencies | ||
- name: Setup Micromamba | ||
uses: mamba-org/setup-micromamba@v2.0.5 | ||
uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2.0.5 |
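Review bot: the trailing `# v2.0.5` comment is the only human-readable record of which release the SHA corresponds to, and it is what Dependabot updates alongside the hash according to the discussion further down, so it must stay on the line and be kept in sync with the pinned commit; a `pinact run --verify` step in CI would catch a comment that drifts from the hash it annotates. Reviewers should also not expect a SHA on `actions/checkout` in this diff, since the stated policy is that official GitHub actions remain tag-pinned.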
I've used pinact to convert the tags to hash values, only for non-official GitHub Actions (i.e. `actions/checkout` still uses the tags). Let me know if you prefer to pin the hashes for the official GitHub Actions workflows too.
Did you make the changes manually and do we have to update the hashes manually next time?
No, I just ran `pinact run`, and it retrieved the hashes automatically.

Edit: There is also a verify option using `pinact run --verify` if you want to check that the hashes are ok.
I meant do we need to run `pinact run` manually next time?
Oh no, we don't need to because dependabot can update the SHA hash, as well as the `# vX.Y.Z` version tag comment at the end, see dependabot/dependabot-core#4691
* [pre-commit.ci] pre-commit autoupdate
* Pin GitHub Actions to full length commit SHA
* Set MAMBA_ROOT_PREFIX env var properly on Windows GMT build

---------

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Wei Ji <23487320+weiji14@users.noreply.github.com>