From c51390f634bb9ad743e793f258988eb2cf1d5f04 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 20:57:00 -0400
Subject: [PATCH 1/4] CI: pin actions by SHA
This eliminates the possibility of a tag being changed under us.
---
 .github/workflows/docs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 49a479d..9d3275c 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -22,7 +22,7 @@ jobs:
 run: make -Cdocs singlehtml
 - name: Publish
 if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
- uses: peaceiris/actions-gh-pages@v3
+ uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 publish_dir: ./docs/build/singlehtml
From 07d3dbf4dff03036337696768ee2ecba1038132b Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:07:03 -0400
Subject: [PATCH 2/4] CI: auto-fix via zizmor
May include:
- Avoids risky string interpolation.
- Prevents checkout premissions from leaking
---
 .github/workflows/black.yml | 2 ++
 .github/workflows/docs.yml | 2 ++
 .github/workflows/release.yml | 1 +
 .github/workflows/ruff.yml | 2 ++
 .github/workflows/testing.yml | 2 ++
 5 files changed, 9 insertions(+)
diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
index 9fa9012..680fd46 100644
--- a/.github/workflows/black.yml
+++ b/.github/workflows/black.yml
@@ -7,6 +7,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v2
 - name: Install Dependencies
 run: |
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 9d3275c..43506ee 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
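Review bot: The pinned `uses:` line is the only action in docs.yml that receives a SHA; the same file's `actions/checkout@v2` and `actions/setup-python@v2` (visible in the later docs.yml hunk of this series) still resolve a mutable tag, so the goal stated in the commit message is met only for the publish step. Pin those two the same way, `uses: actions/checkout@<sha> # vX.Y.Z`, since a hijacked checkout action in this job can read the same `GITHUB_TOKEN` the publish step uses. The `# v3` comment also does not say which release the SHA was taken from; record the exact tag it resolves to (e.g. `# v3.9.3`, if that is what it is) and verify it against upstream with `git ls-remote --tags https://github.com/peaceiris/actions-gh-pages`, so a reviewer can confirm the commit belongs to a published release and Dependabot can keep the comment accurate.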
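Review bot: `actions/setup-python@v2` in this hunk is invoked with no `python-version`, so the interpreter black runs under is whatever the `ubuntu-latest` image happens to ship and lint results can change when the runner image is updated; give it an explicit, quoted version, `with:` / `python-version: "3.12"` (or `"3.x"` if floating minor versions are acceptable). Both `actions/checkout@v2` and `actions/setup-python@v2` here are also still mutable tags, unlike the SHA pin introduced in the first patch; as far as I can tell those v2 majors are several releases behind and built on a Node runtime GitHub has since retired, so bump to the current major and pin it by SHA in the same step.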
@@ -8,6 +8,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: "Set up Python 3.10"
 uses: actions/setup-python@v2
 with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d5540fe..7ce07a2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,6 +14,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 10
+ persist-credentials: false
 - name: Set up Python
 id: setup
diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml
index 61501e6..875ec66 100644
--- a/.github/workflows/ruff.yml
+++ b/.github/workflows/ruff.yml
@@ -7,6 +7,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v2
 - name: Install Dependencies
 run: |
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index 9bb728a..13c13ea 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -13,6 +13,8 @@ jobs:
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v2
 with:
From 91ff851078669e83ceb09b16f7ca84112883e0c0 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:19:36 -0400
Subject: [PATCH 3/4] CI: Restrict default permissions
Reduces risk of arbitrary code is run by attacker.
---
 .github/workflows/black.yml | 2 ++
 .github/workflows/docs.yml | 2 ++
 .github/workflows/release.yml | 2 ++
 .github/workflows/ruff.yml | 2 ++
 .github/workflows/testing.yml | 2 ++
 5 files changed, 10 insertions(+)
diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
index 680fd46..a1d761c 100644
--- a/.github/workflows/black.yml
+++ b/.github/workflows/black.yml
@@ -1,4 +1,6 @@
 name: Check Code Style - BLACK
+permissions:
+ contents: read
 on: [push, pull_request]
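Review bot: With `persist-credentials: false` on the release.yml checkout, the `GITHUB_TOKEN` is no longer written into `.git/config`, so any later step in the release job that runs `git push`, `git tag`, or otherwise authenticates through the checked-out repository will now fail; the remainder of that job is outside the hunk, so confirm no step depends on the persisted credential. If one does, hand the token to that step alone (`env:` / `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`) rather than re-enabling persistence, so the token is not left on disk for every subsequent step and for any build tooling the job installs. `actions/checkout@v4` here is also still a floating tag rather than the SHA pin introduced in the first patch.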
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 43506ee..c2dc529 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,4 +1,6 @@
 name: Docs
+permissions:
+ contents: read
 on: [push, pull_request]
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7ce07a2..22e1c95 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,6 +1,8 @@
 ---
 name: Release
+permissions:
+ contents: read
 on:
 release:
 types:
diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml
index 875ec66..94d0929 100644
--- a/.github/workflows/ruff.yml
+++ b/.github/workflows/ruff.yml
@@ -1,4 +1,6 @@
 name: Check Code Style - ruff
+permissions:
+ contents: read
 on: [push, pull_request]
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index 13c13ea..4fa56c3 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -1,4 +1,6 @@
 name: Unit Tests
+permissions:
+ contents: read
 on: [push, pull_request]
From 2bef1c3972012e07247f6b3c31649e21df5b040a Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Fri, 18 Jul 2025 11:34:38 -0400
Subject: [PATCH 4/4] CI: add dependabot config file for GHA
---
 .github/dependabot.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..fc9f855
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/" # Location of your workflow files
+ schedule:
+ interval: "weekly" # Options: daily, weekly, monthly
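Review bot: The workflow-level `permissions: contents: read` added to docs.yml applies to every job in the file, including the `Publish` step shown in the first patch, which pushes the built site with `github_token: ${{ secrets.GITHUB_TOKEN }}` and therefore needs `contents: write`; unless that job declares its own `permissions:` block (not visible in this hunk), the push on `main` will presumably start failing with a permission error. Keep the read-only default at the top and grant write on the publishing job only, `permissions:` / `contents: write` — note that a job-level block replaces the workflow-level one entirely, so list every scope that job needs. Since the workflow also runs on `pull_request`, consider splitting build and publish into separate jobs so the PR-triggered build never carries a write-capable token.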
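Review bot: `permissions: contents: read` at the top of release.yml also constrains whichever step performs the actual release, which lies outside this hunk: if it uploads to PyPI with trusted publishing it needs `id-token: write`, and if it attaches assets to the GitHub release it needs `contents: write`, neither of which is granted here. Declare the needed scope on the publishing job only (`permissions:` / `id-token: write` / `contents: read`) so the restricted default stays in force for checkout and build, and exercise the workflow once against a test release before relying on it. The `on: release: types:` trigger runs with the repository's own token, so narrowing that token is the right move; it just needs the explicit job-level grant to keep publishing working.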