Improve security of our GitHub Actions #18413

Open
wants to merge 16 commits into base: master
7 changes: 4 additions & 3 deletions .github/workflows/build_wheels.yml
@@ -5,15 +5,16 @@ on:
branches: [main, master, 'release*']
tags: ['*']

permissions:
contents: write

jobs:
build-wheels:
if: github.repository == 'python/mypy'
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v4
with:
persist-credentials: true # needed to push tags
- uses: actions/setup-python@v5
with:
python-version: '3.11'
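Review bot: the workflow-level `permissions:` block is dropped here instead of being replaced with `permissions: {}`, which is what sync_typeshed.yml does in this same PR. Without an explicit top-level default, any job in this file that lacks its own `permissions:` falls back to the repository's default token scopes, so the least-privilege intent only holds for `build-wheels`. Suggest `permissions: {}` at the top and keeping `contents: write` on the job, as done for the typeshed sync. The `persist-credentials: true # needed to push tags` comment is the right kind of justification to leave in place, since it records why this checkout is an exception.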
2 changes: 2 additions & 0 deletions .github/workflows/docs.yml
@@ -35,6 +35,8 @@ jobs:
VERIFY_MYPY_ERROR_CODES: 1
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5
with:
python-version: '3.12'
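Review bot: `persist-credentials: false` is the right default for a job that only builds docs, since nothing after checkout needs to write back to the repository. The actions themselves (`actions/checkout@v4`, `actions/setup-python@v5`) are still referenced by mutable major-version tags; given that zizmor is being introduced in this PR, consider hash-pinning them (zizmor's `unpinned-uses` audit covers this) or explicitly deciding to trust the `actions/*` publisher and documenting that decision in the zizmor config.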
5 changes: 1 addition & 4 deletions .github/workflows/mypy_primer.yml
@@ -26,8 +26,6 @@ jobs:
mypy_primer:
name: Run mypy_primer
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
matrix:
shard-index: [0, 1, 2, 3, 4]
@@ -38,6 +36,7 @@ jobs:
with:
path: mypy_to_test
fetch-depth: 0
persist-credentials: false
- uses: actions/setup-python@v5
with:
python-version: "3.12"
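Review bot: this hunk deletes the job-level `permissions: contents: read` but the replacement is not visible in the diff; confirm that a workflow-level `permissions:` block earlier in the file now provides `contents: read` (or `permissions: {}`, since with `persist-credentials: false` the checkout of `mypy_to_test` no longer needs the token at all). If nothing is set at the top, removing the job block widens, rather than narrows, the token scopes this job receives, which would be the opposite of what the PR title promises.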
@@ -93,8 +92,6 @@ jobs:
name: Join artifacts
runs-on: ubuntu-latest
needs: [mypy_primer]
permissions:
contents: read
steps:
- name: Merge artifacts
uses: actions/upload-artifact/merge@v4
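Review bot: same question as for the `mypy_primer` job applies to `Join artifacts`: with its own `permissions: contents: read` removed, it inherits whatever the workflow default is. `actions/upload-artifact/merge@v4` talks to the artifact service and does not need any GITHUB_TOKEN scopes, so this job can carry an explicit `permissions: {}` rather than relying on the inherited default; making that explicit here keeps the intent readable.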
9 changes: 4 additions & 5 deletions .github/workflows/mypy_primer_comment.yml
@@ -1,20 +1,19 @@
name: Comment with mypy_primer diff

on:
on: # zizmor: ignore[dangerous-triggers]
workflow_run:
workflows:
- Run mypy_primer
types:
- completed

permissions:
contents: read
pull-requests: write

jobs:
comment:
name: Comment PR from mypy_primer
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
if: ${{ github.event.workflow_run.conclusion == 'success' }}
steps:
- name: Download diffs
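Review bot: the `# zizmor: ignore[dangerous-triggers]` on the `workflow_run` trigger suppresses the finding without recording why it is acceptable. `workflow_run` executes in the base repository's context with a privileged token (`pull-requests: write` here) and is kicked off by a workflow that ran on fork PR code, so the safety argument is that this job only downloads the primer diff as an artifact and posts it as a comment, never checking out or executing anything from the triggering run. Worth stating that in a comment next to the ignore and keeping the `conclusion == 'success'` guard, so that anyone adding a checkout or `run:` step later sees the reasoning they would be breaking.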
8 changes: 5 additions & 3 deletions .github/workflows/sync_typeshed.yml
@@ -5,20 +5,22 @@ on:
schedule:
- cron: "0 0 1,15 * *"

permissions:
contents: write
pull-requests: write
permissions: {}

jobs:
sync_typeshed:
name: Sync typeshed
if: github.repository == 'python/mypy'
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
timeout-minutes: 10
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: true # needed to `git push` the PR branch
# TODO: use whatever solution ends up working for
# https://github.com/python/typeshed/issues/8434
- uses: actions/setup-python@v5
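Review bot: `permissions: {}` at the workflow level with the write scopes moved onto the job is the right shape, and the `persist-credentials: true # needed to \`git push\` the PR branch` comment documents the exception. One caveat: with credentials persisted and `contents: write` plus `pull-requests: write` on the job, the token is readable from `.git/config` by every later step, including the sync script itself and the tag-pinned `actions/setup-python@v5`; if the push can be isolated to its own final step (or the token supplied only there), the exposure window shrinks to that step.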
4 changes: 4 additions & 0 deletions .github/workflows/test.yml
@@ -136,6 +136,8 @@ jobs:

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false

- name: Debug build
if: ${{ matrix.debug_build }}
@@ -217,6 +219,8 @@ jobs:
CC: i686-linux-gnu-gcc
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install 32-bit build dependencies
run: |
sudo dpkg --add-architecture i386 && \
2 changes: 2 additions & 0 deletions .github/workflows/test_stubgenc.yml
@@ -29,6 +29,8 @@ jobs:
steps:

- uses: actions/checkout@v4
with:
persist-credentials: false

- name: Setup 🐍 3.9
uses: actions/setup-python@v5
24 changes: 20 additions & 4 deletions .pre-commit-config.yaml
@@ -11,23 +11,39 @@ repos:
- id: black
exclude: '^(test-data/)'
- repo: https://github.com/astral-sh/ruff-pre-commit
rev: v0.8.4
rev: v0.8.6
hooks:
- id: ruff
args: [--exit-non-zero-on-fix]
- repo: https://github.com/python-jsonschema/check-jsonschema
rev: 0.30.0
rev: 0.31.0
hooks:
- id: check-dependabot
- id: check-github-workflows
- id: check-github-actions
- id: check-readthedocs
- repo: https://github.com/rhysd/actionlint
rev: v1.7.4
rev: v1.7.6
hooks:
- id: actionlint
args: [
-ignore=property "debug_build" is not defined,
-ignore=property "allow_failure" is not defined,
-ignore=SC2(046|086),
]
additional_dependencies:
# actionlint has a shellcheck integration which extracts shell scripts in `run:` steps from GitHub Actions
# and checks these with shellcheck. This is arguably its most useful feature,
# but the integration only works if shellcheck is installed
- "github.com/wasilibs/go-shellcheck/cmd/[email protected]"
- repo: https://github.com/woodruffw/zizmor-pre-commit
rev: v1.0.1
hooks:
- id: zizmor
# Should be the last one:
- repo: meta
hooks:
- id: check-hooks-apply
- id: check-useless-excludes

ci:
autoupdate_schedule: quarterly
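Review bot: `-ignore=SC2(046|086)` disables ShellCheck's word-splitting and unquoted-variable warnings (SC2046, SC2086) for every `run:` script in the workflows. In CI those are exactly the warnings that catch an environment value or interpolated expression being expanded unquoted into a shell command, so a global ignore undercuts much of the value of adding the shellcheck integration the comment describes. Suggest fixing the quoting in the offending steps, or at least narrowing the ignore to the specific files and lines that need it. The `-ignore=property "debug_build"/"allow_failure" is not defined` entries are matrix properties and are fine to keep.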
2 changes: 1 addition & 1 deletion action.yml
@@ -32,7 +32,7 @@ branding:
runs:
using: composite
steps:
- name: mypy setup
- name: mypy setup # zizmor: ignore[template-injection]
shell: bash
run: |
echo ::group::Installing mypy...
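Review bot: `# zizmor: ignore[template-injection]` on the composite `mypy setup` step silences the finding rather than removing its cause. The audit fires on `run:` blocks that interpolate `${{ }}` expressions directly into the script (presumably `inputs.*` values further down this step, outside the visible lines); because this is a published action, any consumer who passes attacker-influenced data into those inputs gets a shell injection in their own workflow, not in mypy's. The standard fix is to map each input into `env:` and reference it as `"$INPUT_NAME"` inside the script, after which the ignore can be dropped; if the ignore stays, add a comment saying which inputs are interpolated and why that is considered safe.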