chore: add zizmor to repo checks #3837
Conversation
Zizmor is a tool that analyzes GitHub Actions workflows and checks for security vulnerabilities. Running it as part of pre-commit, and as part of CI, will help ensure that we don't accidentally make changes that lead to a security vulnerability.
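The two integration points the description mentions, pre-commit and CI, as an added configuration example; this is not the PR's own configuration or the project's files. The hook repository URL and `rev`, the `<commit-sha>` placeholders, and the workflow/job names are assumptions to be replaced with values you have verified (zizmor itself flags `uses:` references that are not pinned to a full commit SHA, so the placeholders must not be left as tags).

```yaml
# Added example, not the project's own config. Two files shown in one block.

# --- .pre-commit-config.yaml ---
repos:
  - repo: https://github.com/zizmorcore/zizmor-pre-commit   # assumed hook repo
    rev: v1.0.0                                             # assumed tag; pin to a release you have audited
    hooks:
      - id: zizmor

# --- .github/workflows/zizmor.yml ---
name: zizmor
on:
  push:
    branches: [main]
  pull_request:           # deliberately pull_request, not pull_request_target:
                          # fork code is scanned with a read-only token
permissions: {}           # grant nothing at the workflow level; scope per job
jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write        # only needed to upload SARIF to Code Scanning
    steps:
      - uses: actions/checkout@<commit-sha>     # pin by full SHA (zizmor: unpinned-uses)
        with:
          persist-credentials: false            # don't leave the token in .git/config (zizmor: artipacked)
      - uses: astral-sh/setup-uv@<commit-sha>
      - name: Run zizmor and emit SARIF
        run: uvx zizmor --format sarif . > results.sarif
      - uses: github/codeql-action/upload-sarif@<commit-sha>
        with:
          sarif_file: results.sarif
          category: zizmor
```

Uploading SARIF is what makes findings appear as Code Scanning alerts on the PR; if you only want the job to fail, drop the upload step and the `security-events: write` permission with it.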
Lots of problems flagged by https://results.pre-commit.ci/run/github/48049137/1774469227.KlX2i8ypRcKQhbh3voSldQ, I will now fix them.
.github/workflows/gpu_test.yml
Outdated
        # CODECOV_TOKEN is a low-sensitivity upload token, not a deploy key.
        # Using an environment would gate every test run behind approval/deployment UI.
        token: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env]
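Review bot: the `# zizmor: ignore[secrets-outside-env]` suppression on the `token:` line accepts the finding rather than fixing it, and the two comment lines above it are the right place to record why; make the accepted risk explicit there (who can read the secret in this workflow, and what a leaked upload token lets a third party do, namely submit coverage data for the repo, not push code) so the next reader can judge whether the trade-off still holds, and revisit the suppression once the OIDC option raised in this thread is worked out.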
we can have OIDC with codecov IIRC, which would work without a token. We can also use environments that do not need reviews. I just made the release env review-required because I thought it was a good idea.
see #3837 (comment). I looked into setting up OIDC for codecov and I didn't get it 🙃 lmk if you know how it works.
    # pull_request_target is needed to label PRs from forks.
    # This workflow only runs actions/labeler (no code checkout), so it's safe.
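Review bot: the `# This workflow only runs actions/labeler (no code checkout), so it's safe.` justification for `pull_request_target` is true only as long as no step checks out or executes fork-controlled content, and a comment does not enforce that; back it with settings a future edit cannot silently bypass: keep the job's `permissions` block to the least the labeler needs rather than a blanket write grant, and pin `actions/labeler` to a full commit SHA.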
Just to note, the permissions in this workflow do not distinguish between writing code and labels, it's just a "write" permission. We could rethink the value of this labeler vs. a pre-release check for meaningful release notes for every commit if we want to be extra safe, or just leave this.
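A labeler workflow on `pull_request_target` with the token scoped to the single write the labeler needs and no checkout of fork code, as an added example; this is not the PR's own `labeler` workflow. The action version placeholder `<commit-sha>` and the event `types` list are assumptions.

```yaml
# Added example, not the project's own workflow.
name: labeler
on:
  pull_request_target:          # runs in the base repo context with a write-capable token
    types: [opened, synchronize, reopened]
permissions: {}                 # nothing at the workflow level
jobs:
  label:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # labeler reads .github/labeler.yml from the base branch via the API
      pull-requests: write      # the only write this job needs; no contents: write
    steps:
      # Deliberately no actions/checkout step. Under pull_request_target the
      # token can write to the repo, so checking out the PR head
      # (github.event.pull_request.head.sha) would run fork-controlled code
      # with that token. The labeler needs no checkout at all.
      - uses: actions/labeler@<commit-sha>     # pin to a full commit SHA (zizmor: unpinned-uses)
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
```

With `permissions` scoped this way a compromised or malicious label step can change labels but cannot push code, publish releases, or modify workflows, which separates the two writes the comment above points out are otherwise lumped together.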
@maxrjones giving codecov its own environment creates notification spam (see screenshot below), so I'm going to revert that change.
Thank you @weiji14, that's great
Adds environments back to codecov and nightly wheel uploads, but this time with deployment: false, which ensures that these workflows don't generate a lot of notifications on GitHub.
edit: closes #3834