From 2f159d68bfba66fde8e65e631cc647c20ee28df3 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 22:44:53 -0400
Subject: [PATCH 1/4] CI: pin actions by SHA

This eliminates the possibility of a tag being changed under us.
---
 .github/workflows/docs.yml | 4 ++--
 .github/workflows/main.yml | 6 +++---
 .github/workflows/release.yml | 2 +-
 .github/workflows/update_galata_references.yaml | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 46b6c636..0fe4cce0 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -12,7 +12,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - name: Install Conda environment with Micromamba
- uses: mamba-org/setup-micromamba@v2
+ uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2
 with:
 environment-file: dev-environment.yml
 - name: Install
@@ -21,7 +21,7 @@ jobs:
 run: make -C docs html
 - name: Publish
 if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
- uses: peaceiris/actions-gh-pages@v4
+ uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 publish_dir: ./docs/_build/html
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 82ab3e04..1c056714 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -22,7 +22,7 @@ jobs:
 uses: actions/checkout@v4
 - name: Install Conda environment with Micromamba
- uses: mamba-org/setup-micromamba@v2
+ uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2
 with:
 environment-file: dev-environment.yml
@@ -66,7 +66,7 @@ jobs:
 uses: actions/checkout@v4
 - name: Install Conda environment with Micromamba
- uses: mamba-org/setup-micromamba@v2
+ uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2
 with:
 environment-file: dev-environment.yml
 create-args: >-
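Review bot: The `- uses: actions/checkout@v4` context line directly above the newly pinned setup-micromamba step is still referenced by a movable tag, so this hunk leaves the one action that handles the repository token unpinned while the commit message says actions are pinned by SHA. The same gap is in the main.yml hunks at -22 and -66, the release.yml hunk at -11 and the update_galata_references.yaml hunk at -36, and patch 2/4 later extends those same checkout steps without pinning them either. Pin it the same way as the others, `uses: actions/checkout@<full commit SHA, placeholder> # v4`, keeping the trailing `# vN` comment convention on every pinned line so the Dependabot config added in patch 4/4 can advance the SHA and the comment together.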
@@ -134,7 +134,7 @@ jobs:
 # https://github.com/pymmcore-plus/pymmcore-widgets/blob/5e233384e223ca00101ef4b741d3c525a5cff9c9/.github/workflows/cron.yml#L49
 - name: Report Failures
 if: failure() && github.event_name == 'schedule'
- uses: JasonEtco/create-an-issue@v2
+ uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 OS: ${{ matrix.os }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d924c414..a1f78ca0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,7 +11,7 @@ jobs:
 - uses: actions/checkout@v4
 - name: Install Conda environment with Micromamba
- uses: mamba-org/setup-micromamba@v2
+ uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2
 with:
 environment-name: ipympl-release
 create-args: >-
diff --git a/.github/workflows/update_galata_references.yaml b/.github/workflows/update_galata_references.yaml
index 4070260a..61ca9a92 100644
--- a/.github/workflows/update_galata_references.yaml
+++ b/.github/workflows/update_galata_references.yaml
@@ -36,7 +36,7 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Install Conda environment with Micromamba
- uses: mamba-org/setup-micromamba@v2
+ uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2
 with:
 environment-file: dev-environment.yml
 create-args: >-

From 1372889564e2b00a6d4b89ca825ffa6a84b09a96 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:08:18 -0400
Subject: [PATCH 2/4] CI: auto-fix via zizmor

May include:
- Avoids risky string interpolation.
- Prevents checkout premissions from leaking
---
 .github/workflows/docs.yml | 2 ++
 .github/workflows/main.yml | 4 ++++
 .github/workflows/release.yml | 2 ++
 .github/workflows/update_galata_references.yaml | 1 +
 4 files changed, 9 insertions(+)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 0fe4cce0..f9301079 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -11,6 +11,8 @@ jobs:
 runs-on: ubuntu-20.04
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Install Conda environment with Micromamba
 uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2
 with:
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 1c056714..8e4204f6 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -20,6 +20,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Install Conda environment with Micromamba
 uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2
@@ -64,6 +66,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Install Conda environment with Micromamba
 uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a1f78ca0..558558b4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,6 +9,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Install Conda environment with Micromamba
 uses: mamba-org/setup-micromamba@b09ef9b599704322748535812ca03efb2625677b # v2
diff --git a/.github/workflows/update_galata_references.yaml b/.github/workflows/update_galata_references.yaml
index 61ca9a92..b047c887 100644
--- a/.github/workflows/update_galata_references.yaml
+++ b/.github/workflows/update_galata_references.yaml
@@ -29,6 +29,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
+ persist-credentials: false
 - name: Checkout the branch from the PR that triggered the job
 run: gh pr checkout ${{ github.event.issue.number }}

From 6ae6dc5c9feaa5c1e9e16b6e6644a48396152b4f Mon Sep 17 00:00:00 2001
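Review bot: Adding `persist-credentials: false` under a checkout that also passes `token: ${{ secrets.GITHUB_TOKEN }}` means the token is used only for the clone and is no longer written into `.git/config`, so any later step in this job that pushes the updated references with a plain `git push` will run without credentials; the rest of the job is outside the hunk, so confirm how it pushes and, if it does, hand that step the token through its `env` rather than reverting this setting. The `gh pr checkout` line is unaffected, since `gh` reads the `GITHUB_TOKEN` env that the -36 hunk of patch 1/4 shows on this step. Because `github.event.issue.number` implies an `issue_comment` trigger, this job goes on to run code from the PR branch while the workflow's token is available; confirm that a comment-author gate (an `author_association` condition on the job) exists above this hunk, and note it in a comment on the checkout step so the `persist-credentials: false` line is not later "simplified" away.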
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:22:38 -0400
Subject: [PATCH 3/4] CI: Restrict default permissions

Reduces risk of arbitrary code is run by attacker.
---
 .github/workflows/binder-on-pr.yml | 2 ++
 .github/workflows/docs.yml | 2 ++
 .github/workflows/main.yml | 2 ++
 .github/workflows/release.yml | 2 ++
 4 files changed, 8 insertions(+)

diff --git a/.github/workflows/binder-on-pr.yml b/.github/workflows/binder-on-pr.yml
index 8fc5b8f8..5ac88070 100644
--- a/.github/workflows/binder-on-pr.yml
+++ b/.github/workflows/binder-on-pr.yml
@@ -1,5 +1,7 @@
 # Reference https://mybinder.readthedocs.io/en/latest/howto/gh-actions-badges.html
 name: Binder Badge
+permissions:
+ contents: read
 on:
 pull_request_target:
 types: [opened]
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index f9301079..ed6fec00 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,4 +1,6 @@
 name: Docs
+permissions:
+ contents: read
 on: [push, pull_request]
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 8e4204f6..4dc09f93 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,4 +1,6 @@
 name: Tests
+permissions:
+ contents: read
 on:
 push:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 558558b4..3c95ced8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,4 +1,6 @@
 name: Publish Package
+permissions:
+ contents: read
 on:
 release:

From fa8f3d4193cdb1adb89e905e37b88ab96e1c4718 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Fri, 18 Jul 2025 11:31:51 -0400
Subject: [PATCH 4/4] CI: add dependabot config file for GHA

---
 .github/dependabot.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..fc9f8550
--- /dev/null
+++ b/.github/dependabot.yml
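Review bot: The workflow-level `permissions:` / `contents: read` added in each of the four hunks on this line removes every other scope from every job in the file, and steps visible elsewhere in this series need a write scope: docs.yml's Publish step pushes through peaceiris/actions-gh-pages with `github_token` (needs `contents: write`, so the push to main will now fail to publish), main.yml's Report Failures step runs JasonEtco/create-an-issue (needs `issues: write`, so the scheduled-failure issue will not be created), and this binder-on-pr.yml job, if it posts the badge as a PR comment as the referenced guide does, needs `pull-requests: write` under `pull_request_target`. Keep the restrictive default at workflow level and re-grant only the narrower scope on the single job that needs it, e.g. on the docs publish job a job-level `permissions:` block with `contents: write`. release.yml's publish job is not visible here; if it uses PyPI trusted publishing it needs `id-token: write` at job level, otherwise `contents: read` is sufficient. A one-line comment above each workflow-level block, `# Default for all jobs; jobs that write re-grant the specific scope below`, would keep the next editor from widening the default instead.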
@@ -0,0 +1,7 @@
+
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/" # Location of your workflow files
+ schedule:
+ interval: "weekly" # Options: daily, weekly, monthly
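Review bot: The first added line of the new file is an empty `+` line, so `.github/dependabot.yml` begins with a blank line before `version: 2`; drop it (or open the file with `---`) and drop the template comments `# Location of your workflow files` and `# Options: daily, weekly, monthly`, which describe the Dependabot schema rather than this repository. With the actions now referenced by commit SHA after patch 1/4, Dependabot's `github-actions` ecosystem advances the SHA and the trailing `# vN` comment together, so every pinned line needs that comment convention, and the still tag-pinned `actions/checkout@v4` lines are the ones this config cannot tighten on its own.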