From 9cda2de2adb0c1df40d90b073e470985ca348d97 Mon Sep 17 00:00:00 2001 From: Will Murphy Date: Wed, 16 Jul 2025 17:12:38 -0400 Subject: [PATCH] chore: lint gh actions with zizmor (#4062) Signed-off-by: Will Murphy --- .github/actions/bootstrap/action.yaml | 5 ++- .github/workflows/codeql-analysis.yml | 2 ++ .github/workflows/detect-schema-changes.yaml | 6 ++++ .github/workflows/release-version-file.yaml | 9 +++++ .github/workflows/release.yaml | 35 +++++++++++++------ .../remove-awaiting-response-label.yaml | 4 +++ .../workflows/test-fixture-cache-publish.yaml | 6 +++- .../workflows/update-anchore-dependencies.yml | 2 ++ .github/workflows/update-bootstrap-tools.yml | 2 ++ .../workflows/update-cpe-dictionary-index.yml | 2 ++ .../workflows/validate-github-actions.yaml | 35 +++++++++++++++++++ .github/workflows/validations.yaml | 20 ++++++++++- .github/zizmor.yml | 11 ++++++ 13 files changed, 126 insertions(+), 13 deletions(-) create mode 100644 .github/workflows/validate-github-actions.yaml create mode 100644 .github/zizmor.yml diff --git a/.github/actions/bootstrap/action.yaml b/.github/actions/bootstrap/action.yaml index 176a67a98..4b1d4ede5 100644 --- a/.github/actions/bootstrap/action.yaml +++ b/.github/actions/bootstrap/action.yaml @@ -55,8 +55,11 @@ runs: - name: Install apt packages if: inputs.bootstrap-apt-packages != '' shell: bash + env: + APT_PACKAGES: ${{ inputs.bootstrap-apt-packages }} run: | - DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y ${{ inputs.bootstrap-apt-packages }} + IFS=' ' read -ra packages <<< "$APT_PACKAGES" + DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y "${packages[@]}" - name: Restore ORAS cache from github actions if: inputs.download-test-fixture-cache == 'true' diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 2a36b21ec..f83bfb668 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
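Review bot: `DEBIAN_FRONTEND=noninteractive` on the last line of the rewritten `run` block applies only to `sudo apt update`: a prefix assignment is scoped to the one command it precedes, so the `sudo -E apt install` after `&&` does not inherit it and can still hang on a debconf prompt for some packages. Exporting it first keeps the original intent: `export DEBIAN_FRONTEND=noninteractive` followed by `sudo apt update && sudo -E apt install -y "${packages[@]}"`. The `IFS=' ' read -ra` split is the right way out of the template, but a one-line comment would record why plain word-splitting is acceptable here, e.g. `# bootstrap-apt-packages is a space-separated list written by the calling workflow, not event data`. Note that a package name starting with `-` would still be parsed by apt as an option; if this input is ever derived from anything but literal workflow text, validate the names before this line.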
@@ -37,6 +37,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + persist-credentials: false - name: Install Go uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 #v5.5.0 diff --git a/.github/workflows/detect-schema-changes.yaml b/.github/workflows/detect-schema-changes.yaml index d69f1820c..ee3607f63 100644 --- a/.github/workflows/detect-schema-changes.yaml +++ b/.github/workflows/detect-schema-changes.yaml @@ -28,9 +28,15 @@ jobs: label: name: "Label changes" runs-on: ubuntu-22.04 + permissions: + contents: read + pull-requests: write + issues: write steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + persist-credentials: false - run: python .github/scripts/labeler.py env: diff --git a/.github/workflows/release-version-file.yaml b/.github/workflows/release-version-file.yaml index 434bfb437..53eb03ad2 100644 --- a/.github/workflows/release-version-file.yaml +++ b/.github/workflows/release-version-file.yaml @@ -14,13 +14,22 @@ on: type: string description: release version to update the version file with (prefixed with v) required: true + secrets: + TOOLBOX_AWS_ACCESS_KEY_ID: + required: true + TOOLBOX_AWS_SECRET_ACCESS_KEY: + required: true jobs: release: runs-on: ubuntu-24.04 + permissions: + contents: read steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + persist-credentials: false - name: Update version file run: make ci-release-version-file diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 68745bd35..c28863f49 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -16,6 +16,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + persist-credentials: false - name: Check if running on main if: github.ref != 'refs/heads/main' 
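Review bot: The `label` job's checkout step in `detect-schema-changes.yaml` now sets `persist-credentials: false` but still leaves the ref implicit; the zizmor config added in this same patch justifies this workflow's `pull_request_target` trigger by saying it never checks out PR code, and that property currently rests entirely on actions/checkout defaulting to the base branch. A comment on the step would stop the next editor from adding `ref: ${{ github.event.pull_request.head.sha }}` and handing fork code the write-capable token: `# pull_request_target: checkout must stay on the base ref; never check out the PR head here`. The job also declares both `issues: write` and `pull-requests: write`; if `labeler.py` only labels pull requests, one of the two is presumably unneeded — verify against the script, which is outside this hunk.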
@@ -28,8 +30,10 @@ jobs: - name: Check if tag already exists # note: this will fail if the tag already exists run: | - [[ "${{ github.event.inputs.version }}" == v* ]] || (echo "version '${{ github.event.inputs.version }}' does not have a 'v' prefix" && exit 1) - git tag ${{ github.event.inputs.version }} + [[ "$VERSION" == v* ]] || (echo "version '$VERSION' does not have a 'v' prefix" && exit 1) + git tag "$VERSION" + env: + VERSION: ${{ github.event.inputs.version }} - name: Check static analysis results uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0 
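Review bot: The prefix test on the first line of the rewritten `run` block only asserts that `$VERSION` starts with `v`, so a value such as `v 1.0` or `v;echo` still reaches `git tag` — harmless now that it is quoted, but it creates a malformed tag instead of failing the release. A shape check is stricter and also removes the `( … && exit 1 )` subshell, which only exits the subshell and relies on the runner's default `-e` to fail the step: `[[ "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.-]+)?$ ]] || { echo "version '$VERSION' is not a vX.Y.Z release version" >&2; exit 1; }`. Drop the suffix group if the project never publishes pre-release tags. The job containing this step continues outside the hunk.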
@@ -87,13 +91,20 @@ jobs: - name: Quality gate if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit.outputs.conclusion != 'success' || steps.integration.outputs.conclusion != 'success' || steps.cli-linux.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success' || steps.acceptance-mac.outputs.conclusion != 'success' + env: + STATIC_ANALYSIS_STATUS: ${{ steps.static-analysis.conclusion }} + UNIT_TEST_STATUS: ${{ steps.unit.outputs.conclusion }} + INTEGRATION_TEST_STATUS: ${{ steps.integration.outputs.conclusion }} + ACCEPTANCE_LINUX_STATUS: ${{ steps.acceptance-linux.outputs.conclusion }} + ACCEPTANCE_MAC_STATUS: ${{ steps.acceptance-mac.outputs.conclusion }} + CLI_LINUX_STATUS: ${{ steps.cli-linux.outputs.conclusion }} run: | - echo "Static Analysis Status: ${{ steps.static-analysis.conclusion }}" - echo "Unit Test Status: ${{ steps.unit.outputs.conclusion }}" - echo "Integration Test Status: ${{ steps.integration.outputs.conclusion }}" - echo "Acceptance Test (Linux) Status: ${{ steps.acceptance-linux.outputs.conclusion }}" - echo "Acceptance Test (Mac) Status: ${{ steps.acceptance-mac.outputs.conclusion }}" - echo "CLI Test (Linux) Status: ${{ steps.cli-linux.outputs.conclusion }}" + echo "Static Analysis Status: $STATIC_ANALYSIS_STATUS" + echo "Unit Test Status: $UNIT_TEST_STATUS" + echo "Integration Test Status: $INTEGRATION_TEST_STATUS" + echo "Acceptance Test (Linux) Status: $ACCEPTANCE_LINUX_STATUS" + echo "Acceptance Test (Mac) Status: $ACCEPTANCE_MAC_STATUS" + echo "CLI Test (Linux) Status: $CLI_LINUX_STATUS" false release: @@ -108,6 +119,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: Bootstrap environment uses: ./.github/actions/bootstrap 
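Review bot: `STATIC_ANALYSIS_STATUS` in the new `env:` block reads `steps.static-analysis.conclusion`, while the `if:` just above it and every other variable use `steps.<id>.outputs.conclusion`. `steps.<id>.conclusion` is the wait step's own outcome, which — unless that action is configured to fail on a non-success check — is `success` regardless of what the awaited check concluded, so the printed line can contradict the reason the gate fired (the mismatch was carried over from the removed `echo`). Change it to `STATIC_ANALYSIS_STATUS: ${{ steps.static-analysis.outputs.conclusion }}`. A comment on the step noting that it deliberately ends with `false` would also help, since the echo lines read like a purely informational step.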
@@ -129,10 +141,11 @@ jobs: run: | git config --global user.name "anchoreci" git config --global user.email "anchoreci@users.noreply.github.com" - git tag -a ${{ github.event.inputs.version }} -m "Release ${{ github.event.inputs.version }}" + git tag -a "$VERSION" -m "Release $VERSION" git push origin --tags env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + VERSION: ${{ github.event.inputs.version }} - name: Build & publish release artifacts run: make ci-release @@ -169,4 +182,6 @@ jobs: uses: ./.github/workflows/release-version-file.yaml with: version: ${{ github.event.inputs.version }} - secrets: inherit + secrets: + TOOLBOX_AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }} + TOOLBOX_AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }} diff --git a/.github/workflows/remove-awaiting-response-label.yaml b/.github/workflows/remove-awaiting-response-label.yaml index 0f3b50c4f..cb27571ef 100644 --- a/.github/workflows/remove-awaiting-response-label.yaml +++ b/.github/workflows/remove-awaiting-response-label.yaml @@ -6,6 +6,10 @@ on: jobs: run: + permissions: + contents: read + issues: write + pull-requests: write uses: "anchore/workflows/.github/workflows/remove-awaiting-response-label.yaml@main" secrets: token: ${{ secrets.OSS_PROJECT_GH_TOKEN }} diff --git a/.github/workflows/test-fixture-cache-publish.yaml b/.github/workflows/test-fixture-cache-publish.yaml index 21288ecbc..9b2d403a5 100644 --- a/.github/workflows/test-fixture-cache-publish.yaml +++ b/.github/workflows/test-fixture-cache-publish.yaml @@ -20,6 +20,8 @@ jobs: packages: write steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + persist-credentials: false - name: Bootstrap environment uses: ./.github/actions/bootstrap 
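Review bot: `git push origin --tags` in this hunk has no visible credential source now that the release job's checkout adds `persist-credentials: false` (the `fetch-depth: 0` hunk earlier in this file): the `GITHUB_TOKEN` variable on the step is read by `gh`, not by `git`, so unless the bootstrap action or a step outside the hunk installs a credential helper, the next release should fail at the push rather than at tag creation. Either keep `persist-credentials` enabled for this one job, or let gh configure git before pushing — `gh auth setup-git` (gh should pick up the `GITHUB_TOKEN` already in `env`) — and push only the new tag, `git push origin "$VERSION"`, instead of every local tag that `fetch-depth: 0` brought in. Whichever path is taken, the job's `permissions` (outside the hunk) must still grant `contents: write` for the push to succeed.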
@@ -34,7 +36,9 @@ jobs: DOWNLOAD_TEST_FIXTURE_CACHE: "false" - name: Login to GitHub Container Registry (ORAS) - run: echo "${{ secrets.GITHUB_TOKEN }}" | .tool/oras login ghcr.io -u ${{ github.actor }} --password-stdin + run: echo "${{ secrets.GITHUB_TOKEN }}" | .tool/oras login ghcr.io -u "$ACTOR" --password-stdin + env: + ACTOR: ${{ github.actor }} - name: Publish test fixture cache run: make upload-test-fixture-cache diff --git a/.github/workflows/update-anchore-dependencies.yml b/.github/workflows/update-anchore-dependencies.yml index bf0a3d190..62527ad34 100644 --- a/.github/workflows/update-anchore-dependencies.yml +++ b/.github/workflows/update-anchore-dependencies.yml @@ -16,6 +16,8 @@ jobs: if: github.repository_owner == 'anchore' # only run for main repo (not forks) steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + persist-credentials: false - name: Bootstrap environment uses: ./.github/actions/bootstrap diff --git a/.github/workflows/update-bootstrap-tools.yml b/.github/workflows/update-bootstrap-tools.yml index d4c1f62f7..fbdbee2a7 100644 --- a/.github/workflows/update-bootstrap-tools.yml +++ b/.github/workflows/update-bootstrap-tools.yml @@ -14,6 +14,8 @@ jobs: if: github.repository == 'anchore/syft' # only run for main repo steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + persist-credentials: false - name: Bootstrap environment uses: ./.github/actions/bootstrap diff --git a/.github/workflows/update-cpe-dictionary-index.yml b/.github/workflows/update-cpe-dictionary-index.yml index 8263d2ccb..773c788ef 100644 --- a/.github/workflows/update-cpe-dictionary-index.yml +++ b/.github/workflows/update-cpe-dictionary-index.yml 
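Review bot: The `oras login` line still interpolates `${{ secrets.GITHUB_TOKEN }}` straight into the shell script even though the same step moves `github.actor` into `env`; a secret in `run:` is not an injection vector, but it is inconsistent with the rest of the patch and means the rendered script text itself carries a credential. Route it through the environment like the actor: add `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` under `env:` and change the command to `printf '%s' "$GITHUB_TOKEN" | .tool/oras login ghcr.io -u "$ACTOR" --password-stdin`. `printf '%s'` also avoids passing the trailing newline that `echo` appends; whether oras strips it I have not verified, so keep the current `echo` if that matters.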
@@ -17,6 +17,8 @@ jobs: if: github.repository == 'anchore/syft' # only run for main repo steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + persist-credentials: false - name: Bootstrap environment uses: ./.github/actions/bootstrap
diff --git a/.github/workflows/validate-github-actions.yaml b/.github/workflows/validate-github-actions.yaml
new file mode 100644
index 000000000..d7d951045
--- /dev/null
+++ b/.github/workflows/validate-github-actions.yaml
@@ -0,0 +1,35 @@
+name: "Validate GitHub Actions"
+
+on:
+ pull_request:
+ paths:
+ - '.github/workflows/**'
+ - '.github/actions/**'
+ push:
+ branches:
+ - main
+ paths:
+ - '.github/workflows/**'
+ - '.github/actions/**'
+
+permissions:
+ contents: read
+
+jobs:
+ zizmor:
+ name: "Lint"
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write # for uploading SARIF results
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+
+ - name: "Run zizmor"
+ uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
+ with:
+ config-file: .github/zizmor.yml
+ sarif-upload: true
+ inputs: .github
diff --git a/.github/workflows/validations.yaml b/.github/workflows/validations.yaml
index 910444a66..0927b1dbe 100644
--- a/.github/workflows/validations.yaml
+++ b/.github/workflows/validations.yaml
@@ -18,6 +18,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + persist-credentials: false - name: Bootstrap environment uses: ./.github/actions/bootstrap
@@ -33,6 +35,8 @@ jobs: runs-on: ubuntu-22.04-4core-16gb steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + persist-credentials: false - name: Bootstrap environment uses: ./.github/actions/bootstrap
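Review bot: The `paths` filters in the new `validate-github-actions.yaml` cover `.github/workflows/**` and `.github/actions/**` but not `.github/zizmor.yml`, so a later change that loosens the ignore list (the file this same patch creates) never re-runs the lint even though `inputs: .github` would scan it; add `- '.github/zizmor.yml'` to both the `pull_request` and `push` path lists. The job also uses `runs-on: ubuntu-latest` while every other job touched in this patch pins `ubuntu-24.04` or `ubuntu-22.04`; pinning keeps the linter result reproducible across runner image rollouts. `sarif-upload: true` relies on the `security-events: write` grant, but the token is read-only on `pull_request` runs from forks, so the upload presumably fails or is skipped there — a comment on the `sarif-upload` line stating the expected behaviour for fork PRs would save the next person a debugging round.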
@@ -49,6 +53,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + persist-credentials: false - name: Bootstrap environment uses: ./.github/actions/bootstrap @@ -67,6 +73,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + persist-credentials: false - name: Bootstrap environment uses: ./.github/actions/bootstrap @@ -100,6 +108,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + persist-credentials: false - name: Bootstrap environment uses: ./.github/actions/bootstrap @@ -155,6 +165,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + persist-credentials: false - name: Bootstrap environment uses: ./.github/actions/bootstrap @@ -198,9 +210,11 @@ jobs: runs-on: macos-latest steps: - name: Install Cosign - uses: sigstore/cosign-installer@v3.9.1 + uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + persist-credentials: false - name: Bootstrap environment uses: ./.github/actions/bootstrap @@ -238,6 +252,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + persist-credentials: false - name: Bootstrap environment uses: ./.github/actions/bootstrap @@ -276,6 +292,8 @@ jobs: - Upload-Snapshot-Artifacts steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + persist-credentials: false - name: Delete snapshot cache run: gh cache delete "snapshot-build-${{ github.run_id }}" diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 000000000..5e92012af --- /dev/null +++ b/.github/zizmor.yml 
@@ -0,0 +1,11 @@
+rules:
+ unpinned-uses:
+ ignore:
+ # Allow unpinned uses of trusted internal anchore/workflows actions
+ - update-anchore-dependencies.yml
+
+ dangerous-triggers:
+ ignore:
+ # Safe use of pull_request_target - only runs trusted scripts from base repo,
+ # never checks out PR code, needs secrets for labeling PRs from forks
+ - detect-schema-changes.yaml
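Review bot: The `unpinned-uses` ignore entry for `update-anchore-dependencies.yml` is file-wide, so it also silences the audit for any third-party action later added to that workflow, not just the `anchore/workflows` references the comment describes. zizmor ignore entries accept a line qualifier (`update-anchore-dependencies.yml:<line>`), and newer zizmor releases also support per-owner pin policies under the rule's `config`; either scopes the exception to the intended `uses:`. Note that `remove-awaiting-response-label.yaml` in this same patch also references `anchore/workflows/...@main` and is not listed here — either zizmor does not flag job-level reusable-workflow refs, or that file will start failing the new lint on its first edit. For `dangerous-triggers`, the comment says the workflow `needs secrets`, but the `detect-schema-changes.yaml` hunk only shows it using job `permissions`; reword to `needs a write-capable GITHUB_TOKEN` unless an actual repository secret is consumed outside that hunk.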