Apply security fixes to GitHub Actions by hugovk · Pull Request #8526 · python-pillow/Pillow

There's a new tool that flags potential security issues in GitHub Actions workflows: https://github.com/woodruffw/zizmor

Details
zizmor .
🌈 completed cifuzz.yml
🌈 completed release-drafter.yml
🌈 completed stale.yml
🌈 completed docs.yml
🌈 completed test-valgrind.yml
🌈 completed test-windows.yml
🌈 completed test-mingw.yml
🌈 completed test-docker.yml
🌈 completed lint.yml
🌈 completed test.yml
🌈 completed test-cygwin.yml
🌈 completed wheels.yml
error[excessive-permissions]: overly broad workflow or job-level permissions
 --> /Users/hugo/github/Pillow/.github/workflows/stale.yml:8:1
  |
8 | / permissions:
9 | |   issues: write
  | |_______________^ issues: write is overly broad at the workflow level
  |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/docs.yml:35:7
   |
35 |     - uses: actions/checkout@v4
   |       ------------------------- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-valgrind.yml:42:7
   |
42 |     - uses: actions/checkout@v4
   |       ------------------------- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-windows.yml:45:7
   |
45 |       - name: Checkout Pillow
   |  _______-
46 | |       uses: actions/checkout@v4
   | |_______________________________- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-windows.yml:48:7
   |
48 |       - name: Checkout cached dependencies
   |  _______-
49 | |       uses: actions/checkout@v4
50 | |       with:
51 | |         repository: python-pillow/pillow-depends
52 | |         path: winbuild\depends
   | |______________________________- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-windows.yml:54:7
   |
54 |       - name: Checkout extra test images
   |  _______-
55 | |       uses: actions/checkout@v4
...  |
59 | |
60 | |     # sets env: pythonLocation
   | |______________________________- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-mingw.yml:47:9
   |
47 |         - name: Checkout Pillow
   |  _________-
48 | |         uses: actions/checkout@v4
   | |_________________________________- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-docker.yml:67:7
   |
67 |     - uses: actions/checkout@v4
   |       ------------------------- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/lint.yml:23:7
   |
23 |     - uses: actions/checkout@v4
   |       ------------------------- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test.yml:65:7
   |
65 |     - uses: actions/checkout@v4
   |       ------------------------- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/test-cygwin.yml:49:9
   |
49 |         - name: Checkout Pillow
   |  _________-
50 | |         uses: actions/checkout@v4
   | |_________________________________- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/hugo/github/Pillow/.github/workflows/wheels.yml:62:9
   |
62 |         - uses: actions/checkout@v4
   |  _________-
63 | |         with:
64 | |           submodules: true
   | |__________________________- does not set persist-credentials: false
   |

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> /Users/hugo/github/Pillow/.github/workflows/wheels.yml:255:7
    |
255 |     - uses: actions/checkout@v4
    |       ------------------------- does not set persist-credentials: false
    |

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> /Users/hugo/github/Pillow/.github/workflows/wheels.yml:133:9
    |
133 |         - uses: actions/checkout@v4
    |  _________-
134 | |         with:
135 | |           submodules: true
    | |__________________________- does not set persist-credentials: false
    |

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> /Users/hugo/github/Pillow/.github/workflows/wheels.yml:175:9
    |
175 |       - uses: actions/checkout@v4
    |         ------------------------- does not set persist-credentials: false
    |

warning[artipacked]: credential persistence through GitHub Actions artifacts
   --> /Users/hugo/github/Pillow/.github/workflows/wheels.yml:177:9
    |
177 |         - name: Checkout extra test images
    |  _________-
178 | |         uses: actions/checkout@v4
179 | |         with:
180 | |           repository: python-pillow/test-images
181 | |           path: Tests\test-images
    | |_________________________________- does not set persist-credentials: false
    |

16 findings (0 unknown, 0 informational, 0 low, 15 medium, 1 high)

Some of these could be ignored, like:

error[excessive-permissions]: overly broad workflow or job-level permissions
 --> /Users/hugo/github/Pillow/.github/workflows/stale.yml:8:1
  |
8 | / permissions:
9 | |   issues: write
  | |_______________^ issues: write is overly broad at the workflow level

That's because there's only one job in this workflow, so the permission only applies there. But it's easy enough to silence the error, and it means that if we add another job later then we're covered.
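As an added illustration (not the diff from this PR, and not Pillow's actual workflow files), here is what the two classes of finding above look like once addressed, with the flagged form left in comments beside the corrected one. The workflow name, schedule, job names and the `actions/stale` version are assumed for the example; only the placement of `permissions` and the `persist-credentials` input are the point.

```yaml
# Added illustration, not Pillow's workflow files. Names, triggers and step
# inputs are assumed; the point is where `permissions` sits and the
# `persist-credentials` input on actions/checkout.

# --- .github/workflows/stale.yml (excessive-permissions) ---
name: Close stale issues   # assumed

on:
  schedule:
    - cron: "0 0 * * *"    # assumed schedule

# Flagged form: a workflow-level grant that every job, present or future,
# inherits.
#
# permissions:
#   issues: write

permissions: {}            # workflow default: no GITHUB_TOKEN scopes at all

jobs:
  stale:
    runs-on: ubuntu-latest
    permissions:
      issues: write        # only the job that actually closes issues gets it
    steps:
      - uses: actions/stale@v9   # assumed action/version

---
# --- .github/workflows/test.yml, checkout step only (artipacked) ---
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Flagged form: actions/checkout writes the job's GITHUB_TOKEN into
      # .git/config inside the workspace, so any later step that uploads or
      # caches the workspace (actions/upload-artifact, for example) ships the
      # token along with it.
      #
      # - uses: actions/checkout@v4
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # token used for the clone, then dropped
```

The clone itself, including `submodules: true` as in wheels.yml, still authenticates during the checkout step, so `persist-credentials: false` does not break it. What it does change is any later step in the same job that runs `git push` or fetches a private repository: that step now has to be given a token explicitly, because nothing is left in `.git/config` for it to pick up.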