From e9d401ab2870be8ec2b3b7005a8b3d279cefca58 Mon Sep 17 00:00:00 2001
From: andrewpollack
Date: Sun, 8 Jun 2025 08:12:37 -0700
Subject: [PATCH 1/3] security: run zizmor on GH actions, fix warnings

* https://woodruffw.github.io/zizmor/audits/#artipacked. actions/checkout will by default persist git configuration for the duration of the workflow, which is not necessary in this case.
---
 .github/workflows/checks.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 1ce066c45..25c611486 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -6,6 +6,8 @@ jobs:
     steps:
       - name: checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install Python dependencies
         uses: py-actions/py-dependency-install@v4
         with:

From 2dadd31ebd5f903f665fc6c7e4c46b91804d81e7 Mon Sep 17 00:00:00 2001
From: andrewpollack
Date: Sun, 8 Jun 2025 08:16:10 -0700
Subject: [PATCH 2/3] security: add permissions section to correctness checks workflow

---
 .github/workflows/checks.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 25c611486..204552978 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -1,5 +1,9 @@
 name: Correctness Checks
 on: [push, pull_request]
+
+permissions:
+  contents: read
+
 jobs:
   Run-Markdown-Checks:
     runs-on: ubuntu-24.04

From f6a7af63b988b216e353eb42dc22249d445bda63 Mon Sep 17 00:00:00 2001
From: andrewpollack
Date: Sun, 8 Jun 2025 08:19:08 -0700
Subject: [PATCH 3/3] security: pin version of py-actions/py-dependency-install

Remeidates: https://docs.zizmor.sh/audits/#impostor-commit
Version: https://github.com/py-actions/py-dependency-install/releases/tag/v4.0.0
---
 .github/workflows/checks.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 204552978..a231ef4c4 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -6,6 +6,7 @@ permissions:
 
 jobs:
   Run-Markdown-Checks:
+    name: Run Markdown Checks
     runs-on: ubuntu-24.04
     steps:
       - name: checkout
@@ -13,7 +14,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Install Python dependencies
-        uses: py-actions/py-dependency-install@v4
+        uses: py-actions/py-dependency-install@9c419aa98bfb42280bdae2b0a736befd9b01e3b1 # v4
         with:
           path: "tools/requirements.txt"
           update-pip: "false"
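Review bot: The SHA pin on the new `uses:` line covers only py-dependency-install; `actions/checkout@v4` on the context line of the first hunk (and in patch 1) is still a mutable tag, so the impostor-commit remediation the commit cites is applied to one of the workflow's two actions. Pin it the same way, `uses: actions/checkout@<full-commit-sha-of-chosen-release> # v4`, with the SHA taken from the checkout release you intend to run. The trailing comment on the pinned line should also name the exact release the SHA resolves to, `# v4.0.0`, as the commit message does, so a reader and version-update tooling can check the pin against a fixed tag rather than the moving `v4`.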