python-pillow / Pillow

Python Imaging Library (Fork)
https://python-pillow.org

Apply security fixes to GitHub Actions #8526

Closed hugovk closed 2 weeks ago

hugovk commented 2 weeks ago

There's a new tool that flags potential security issues in GitHub Actions workflows: https://github.com/woodruffw/zizmor

Details

```console
❯ zizmor .
🌈 completed cifuzz.yml
🌈 completed release-drafter.yml
🌈 completed stale.yml
🌈 completed docs.yml
🌈 completed test-valgrind.yml
🌈 completed test-windows.yml
🌈 completed test-mingw.yml
🌈 completed test-docker.yml
🌈 completed lint.yml
🌈 completed test.yml
🌈 completed test-cygwin.yml
🌈 completed wheels.yml
error[excessive-permissions]: overly broad workflow or job-level permissions
 --> /Users/hugo/github/Pillow/.github/workflows/stale.yml:8:1
  |
8 | / permissions:
9 | |   issues: write
  | |_______________^ issues: write is overly broad at the workflow level
  |
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/docs.yml:35:7
   |
35 |       - uses: actions/checkout@v4
   |         ------------------------- does not set persist-credentials: false
   |
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-valgrind.yml:42:7
   |
42 |       - uses: actions/checkout@v4
   |         ------------------------- does not set persist-credentials: false
   |
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-windows.yml:45:7
   |
45 |       - name: Checkout Pillow
   |  _______-
46 | |       uses: actions/checkout@v4
   | |_______________________________- does not set persist-credentials: false
   |
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-windows.yml:48:7
   |
48 |       - name: Checkout cached dependencies
   |  _______-
49 | |       uses: actions/checkout@v4
50 | |       with:
51 | |         repository: python-pillow/pillow-depends
52 | |         path: winbuild\depends
   | |______________________________- does not set persist-credentials: false
   |
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-windows.yml:54:7
   |
54 |       - name: Checkout extra test images
   |  _______-
55 | |       uses: actions/checkout@v4
...
59 | |
60 | |       # sets env: pythonLocation
   | |______________________________- does not set persist-credentials: false
   |
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-mingw.yml:47:9
   |
47 |         - name: Checkout Pillow
   |  _________-
48 | |         uses: actions/checkout@v4
   | |_________________________________- does not set persist-credentials: false
   |
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-docker.yml:67:7
   |
67 |       - uses: actions/checkout@v4
   |         ------------------------- does not set persist-credentials: false
   |
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/lint.yml:23:7
   |
23 |       - uses: actions/checkout@v4
   |         ------------------------- does not set persist-credentials: false
   |
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test.yml:65:7
   |
65 |       - uses: actions/checkout@v4
   |         ------------------------- does not set persist-credentials: false
   |
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-cygwin.yml:49:9
   |
49 |         - name: Checkout Pillow
   |  _________-
50 | |         uses: actions/checkout@v4
   | |_________________________________- does not set persist-credentials: false
   |
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/wheels.yml:62:9
   |
62 |         - uses: actions/checkout@v4
   |  _________-
63 | |         with:
64 | |           submodules: true
   | |__________________________- does not set persist-credentials: false
   |
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/wheels.yml:255:7
    |
255 |       - uses: actions/checkout@v4
    |         ------------------------- does not set persist-credentials: false
    |
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/wheels.yml:133:9
    |
133 |         - uses: actions/checkout@v4
    |  _________-
134 | |         with:
135 | |           submodules: true
    | |__________________________- does not set persist-credentials: false
    |
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/wheels.yml:175:9
    |
175 |         - uses: actions/checkout@v4
    |           ------------------------- does not set persist-credentials: false
    |
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/wheels.yml:177:9
    |
177 |         - name: Checkout extra test images
    |  _________-
178 | |         uses: actions/checkout@v4
179 | |         with:
180 | |           repository: python-pillow/test-images
181 | |           path: Tests\test-images
    | |_________________________________- does not set persist-credentials: false
    |
16 findings (0 unknown, 0 informational, 0 low, 15 medium, 1 high)
```

Some of these could be ignored, like:

error[excessive-permissions]: overly broad workflow or job-level permissions
 --> /Users/hugo/github/Pillow/.github/workflows/stale.yml:8:1
  |
8 | / permissions:
9 | |   issues: write
  | |_______________^ issues: write is overly broad at the workflow level

Because there's only one job in this workflow, it only applies there. But it's easy enough to silence the error, and it means that if we add another job later, we're covered.
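For reference, the two kinds of finding in the zizmor run above, each shown as flagged and as fixed. This is an added illustration, not Pillow's actual workflow files: the three workflow documents below (separated by `---`) are reconstructed, and the cron schedule, the `actions/stale` version, the docs build step and the `upload-artifact` step are assumptions rather than anything taken from this thread.

```yaml
# Added example, not Pillow's workflow files. Each finding is shown as zizmor
# flags it and as fixed. The schedule, the actions/stale version, the build
# step and the upload-artifact step are assumptions for illustration.

# ---- excessive-permissions: as flagged in stale.yml -------------------------
# A workflow-level `permissions` block applies to every job in the file,
# including any job added later, so the grant is wider than the single job
# that needs it.
name: Close stale issues
on:
  schedule:
    - cron: "0 0 * * *"          # assumed
permissions:
  issues: write                  # workflow level: every job gets this
jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@v9   # assumed version

---
# ---- excessive-permissions: fixed -------------------------------------------
# Grant nothing at the workflow level and scope the write permission to the
# one job that uses it. A job-level `permissions` block replaces the
# workflow-level one for that job only, so a job added later starts with no
# token scopes unless it asks for them.
name: Close stale issues
on:
  schedule:
    - cron: "0 0 * * *"          # assumed
permissions: {}                  # default for every job: no token scopes
jobs:
  stale:
    runs-on: ubuntu-latest
    permissions:
      issues: write              # only this job can write to issues
    steps:
      - uses: actions/stale@v9   # assumed version

---
# ---- artipacked: checkout without persist-credentials: false ----------------
# actions/checkout defaults to persist-credentials: true, which stores the
# job's GITHUB_TOKEN in the checked-out repository's .git/config (as an
# http.extraheader) so that later steps can push. Any step that then uploads
# the working tree, such as the assumed upload-artifact step below, packs the
# token into the artifact. The run above flags every checkout that keeps the
# default, whether or not a later step happens to upload the tree.
name: Build docs
on: [push, pull_request]
permissions:
  contents: read
jobs:
  docs:
    runs-on: ubuntu-latest
    steps:
      # As flagged (kept as a comment so this document stays a valid workflow):
      #   - uses: actions/checkout@v4
      #
      # Fixed: the token is used for the clone only and is not left behind in
      # the working tree, so an uploaded tree carries no credential.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: make -C docs html               # assumed build step
      - uses: actions/upload-artifact@v4     # assumed; uploading the whole
        with:                                # tree is what would have shipped
          name: docs                         # the persisted credential
          path: .
```

The one caveat with `persist-credentials: false` is a job that deliberately pushes back to the repository, such as a release or docs-publishing job: a later `git push` will no longer find a credential in `.git/config`, so that step has to be handed the token explicitly (through its `with:` inputs or `env:`) instead of relying on what checkout left behind. That is also a better place for it, since the credential then lives only in the step that needs it.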

Yay295 commented 2 weeks ago

relevant issue: https://github.com/actions/checkout/issues/485