
Commit 0397b95

committed
Adjustments based on zizmor security analysis
- Pin all third-party actions to full-length commit SHAs instead of tags
- Add `persist-credentials: false` to all actions/checkout steps to prevent credential exposure
- Add explicit permissions declarations
- Pin mariadb Docker image to specific version (11.8) instead of using floating `latest` tag
- Replace template expressions with environment variables where possible
1 parent 0b4446f commit 0397b95


3 files changed

+23
-8
lines changed


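--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -2,7 +2,7 @@
 name: Post coverage comment
 
 on:
-workflow_run:
+workflow_run: # zizmor: ignore[dangerous-triggers] - This follows GitHub's recommended pattern for posting PR comments from untrusted forks
 workflows: ["Test"]
 types:
 - completed
@@ -27,7 +27,7 @@ jobs:
 # DO NOT run actions/checkout here, for security reasons
 # For details, refer to https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
 - name: Post comment
-uses: py-cov-action/python-coverage-comment-action@v3
+uses: py-cov-action/python-coverage-comment-action@6494290850a5098c2836298dad8f11082b4ceaa9 # v3
 with:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GITHUB_PR_RUN_ID: ${{ github.event.workflow_run.id }}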
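Review bot: The `workflow_run` job in the second hunk still passes `${{ secrets.GITHUB_TOKEN }}` with no `permissions:` block visible, although the commit message says explicit permissions were added; the job header and the top of the file are outside the hunks, so it may already declare one. If it does not, add `permissions: {}` at the top level and grant on this job only the scopes the comment action documents (typically `pull-requests: write`, plus `contents: write` if it stores coverage data in a branch — confirm against the action's docs). This matters more here than in the other two workflows, because a `workflow_run` job runs with write access on behalf of untrusted pull-request content, which is also why the SHA pin on `uses:` is the right call for this step.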

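--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,6 +2,8 @@ name: Publish Python 🐍 distribution 📦 to PyPI and TestPyPI
 
 on: push
 
+permissions: {}
+
 env:
 PYPI_URL: https://pypi.org/p/django-debug-toolbar
 PYPI_TEST_URL: https://test.pypi.org/p/django-debug-toolbar
@@ -14,6 +16,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v5
+with:
+persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v6
 with:
@@ -48,7 +52,7 @@ jobs:
 name: python-package-distributions
 path: dist/
 - name: Publish distribution 📦 to PyPI
-uses: pypa/gh-action-pypi-publish@release/v1.13
+uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1.13
 
 github-release:
 name: >-
@@ -69,7 +73,7 @@ jobs:
 name: python-package-distributions
 path: dist/
 - name: Sign the dists with Sigstore
-uses: sigstore/gh-action-sigstore-python@v3.1.0
+uses: sigstore/gh-action-sigstore-python@f832326173235dcb00dd5d92cd3f353de3188e6c # v3.1.0
 with:
 inputs: >-
 ./dist/*.tar.gz
@@ -79,7 +83,7 @@ jobs:
 GITHUB_TOKEN: ${{ github.token }}
 run: >-
 gh release create
-'${{ github.ref_name }}'
+'${GITHUB_REF_NAME}'
 --repo '${{ github.repository }}'
 --notes ""
 - name: Upload artifact signatures to GitHub Release
@@ -90,7 +94,7 @@ jobs:
 # sigstore-produced signatures and certificates.
 run: >-
 gh release upload
-'${{ github.ref_name }}' dist/**
+'${GITHUB_REF_NAME}' dist/**
 --repo '${{ github.repository }}'
 
 publish-to-testpypi:
@@ -114,7 +118,7 @@ jobs:
 name: python-package-distributions
 path: dist/
 - name: Publish distribution 📦 to TestPyPI
-uses: pypa/gh-action-pypi-publish@release/v1.13
+uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1.13
 with:
 repository-url: https://test.pypi.org/legacy/
 skip-existing: true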
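Review bot: `'${GITHUB_REF_NAME}'` at new line 86 of the `gh release create` hunk is wrapped in single quotes, so the shell does not expand it and `gh` receives the literal string `${GITHUB_REF_NAME}` as the tag; the old `${{ github.ref_name }}` form worked only because GitHub substituted the value before the shell saw the quotes. Change it to `"${GITHUB_REF_NAME}"`, and likewise at new line 97 in the `gh release upload` hunk. The remaining `--repo '${{ github.repository }}'` on the next line of both hunks could become `--repo "${GITHUB_REPOSITORY}"` for the same reason the commit swapped the other expression. With `permissions: {}` now at the top level, every job must grant what it needs (e.g. `id-token: write` for trusted publishing, `contents: write` for the release job); the job headers are outside these hunks, so I cannot confirm they do.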

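--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -7,6 +7,9 @@ on:
 # Run weekly on Saturday
 - cron: '37 3 * * SAT'
 
+permissions:
+contents: read
+
 jobs:
 mysql:
 runs-on: ubuntu-latest
@@ -18,7 +21,7 @@ jobs:
 
 services:
 mariadb:
-image: mariadb
+image: mariadb:11.8
 env:
 MARIADB_ROOT_PASSWORD: debug_toolbar
 options: >-
@@ -31,6 +34,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v6
@@ -118,6 +123,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v6
@@ -167,6 +174,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v6
@@ -206,6 +215,8 @@ jobs:
 
 steps:
 - uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v6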
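Review bot: `image: mariadb:11.8` in the second hunk still floats across patch releases and rebuilds of the `11.8` tag, so the service image can change underneath CI without a diff; if reproducibility is the goal, pin by digest as well, `image: mariadb:11.8@sha256:<digest of the chosen image>`, and let a dependency bot bump it. The first-party actions in the checkout hunks (`actions/checkout@v5`, `actions/setup-python@v6`) stay tag-pinned while third-party ones moved to SHAs; that matches the commit message, but if the intended policy is "every action", the same SHA-plus-comment form applies to them here and in the release.yml section. `persist-credentials: false` on each checkout is correct as long as no later step in these jobs pushes with the default token; if one does, it will need an explicitly supplied token.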
