From 2cb0bf5d4154c8fefe03d1dca394fc5e1d778a97 Mon Sep 17 00:00:00 2001
From: Simon Alibert <75076266+aliberts@users.noreply.github.com>
Date: Sat, 15 Feb 2025 15:50:10 +0100
Subject: [PATCH] Add zizmor pre-commit (#732)
---
.github/workflows/build-docker-images.yml | 12 ++++++++++++
.github/workflows/nightly-tests.yml | 2 ++
.github/workflows/quality.yml | 14 +++++++++++---
.github/workflows/test-docker-build.yml | 10 +++++++++-
.github/workflows/test.yml | 5 +++++
.github/workflows/trufflehog.yml | 5 +++--
.pre-commit-config.yaml | 4 ++++
7 files changed, 46 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/build-docker-images.yml b/.github/workflows/build-docker-images.yml
index f20de978..3c63fa11 100644
--- a/.github/workflows/build-docker-images.yml
+++ b/.github/workflows/build-docker-images.yml
@@ -8,6 +8,8 @@ on: schedule: - cron: "0 1 * * *" +permissions: {} + env: PYTHON_VERSION: "3.10"
@@ -25,11 +27,14 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + with: + cache-binary: false - name: Check out code uses: actions/checkout@v4 with: lfs: true + persist-credentials: false - name: Login to DockerHub uses: docker/login-action@v3
@@ -60,11 +65,14 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + with: + cache-binary: false - name: Check out code uses: actions/checkout@v4 with: lfs: true + persist-credentials: false - name: Login to DockerHub uses: docker/login-action@v3
@@ -89,9 +97,13 @@ jobs: steps: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + with: + cache-binary: false - name: Check out code uses: actions/checkout@v4 + with: + persist-credentials: false - name: Login to DockerHub uses: docker/login-action@v3
diff --git a/.github/workflows/nightly-tests.yml b/.github/workflows/nightly-tests.yml
index bbee19a1..210a690c 100644
--- a/.github/workflows/nightly-tests.yml
+++ b/.github/workflows/nightly-tests.yml
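Review bot: `permissions: {}` is added at workflow level in the `@@ -8,6 +8,8 @@` hunk with no job-level `permissions:` block anywhere in the file, so all three jobs run with a GITHUB_TOKEN that carries no scopes; the same pattern is applied in nightly-tests.yml, quality.yml, test-docker-build.yml, test.yml and trufflehog.yml (where the previous explicit `contents: read` is removed). This presumably works because the repository is public and `actions/checkout` can fetch a public repository without a token scope; if the repository or a private fork ever runs these workflows, every job that checks out code will need a job-level `permissions: contents: read`. Recording the assumption next to the new key would save the next reader from rediscovering it, e.g. `# Least privilege: no default token scopes; re-grant per job if a step needs GITHUB_TOKEN.`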
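Review bot: The jobs in the `@@ -25,11 +27,14 @@` hunk and the two that follow it (`@@ -60,11 +65,14 @@`, `@@ -89,9 +97,13 @@`) still reference `docker/setup-buildx-action@v3`, `actions/checkout@v4` and `docker/login-action@v3` by floating major tags, which this commit leaves as they are. These jobs log in to a registry and, judging by the workflow name, publish images, so a retargeted tag in any of those actions would execute with the registry credentials present in the job. Pinning each `uses:` to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: docker/login-action@<commit-sha>  # v3`, removes the dependency on tag immutability, and zizmor's `unpinned-uses` audit is the natural place to keep that enforced once the hook is in place.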
@@ -7,6 +7,8 @@ on: schedule: - cron: "0 2 * * *" +permissions: {} + # env: # SLACK_API_TOKEN: ${{ secrets.SLACK_API_TOKEN }} jobs:
diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
index 6acc901e..f26fc1ed 100644
--- a/.github/workflows/quality.yml
+++ b/.github/workflows/quality.yml
@@ -8,6 +8,8 @@ on: branches: - main +permissions: {} + env: PYTHON_VERSION: "3.10"
@@ -17,7 +19,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@v4
@@ -45,7 +49,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install poetry run: pipx install "poetry<2.0.0"
@@ -59,7 +65,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install poetry run: pipx install "poetry<2.0.0"
diff --git a/.github/workflows/test-docker-build.yml b/.github/workflows/test-docker-build.yml
index 08a3ab08..0d95427f 100644
--- a/.github/workflows/test-docker-build.yml
+++ b/.github/workflows/test-docker-build.yml
@@ -8,6 +8,8 @@ on: # Run only when DockerFile files are modified - "docker/**" +permissions: {} + env: PYTHON_VERSION: "3.10"
@@ -20,6 +22,8 @@ jobs: steps: - name: Check out code uses: actions/checkout@v4 + with: + persist-credentials: false - name: Get changed files id: changed-files
@@ -34,7 +38,7 @@ jobs: env: ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }} run: | - echo "matrix=${{ steps.changed-files.outputs.all_changed_files}}" >> $GITHUB_OUTPUT + echo "matrix=${ALL_CHANGED_FILES}" >> $GITHUB_OUTPUT build_modified_dockerfiles:
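Review bot: In quality.yml the `@@ -17,7 +19,9 @@` hunk bumps `actions/checkout` from v3 to v4 (as do `@@ -45,7 +49,9 @@` and `@@ -59,7 +65,9 @@`), but the adjacent `uses: actions/setup-python@v4` context line in the same job keeps its older major. If the intent of the commit is to bring third-party actions up to date alongside the zizmor hardening, `setup-python` should move in the same change rather than be left for a later pass; if it is deliberately held back, a short step comment such as `# setup-python intentionally kept at v4` would stop the next reader from treating it as an oversight. The enclosing job definitions start outside these hunks.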
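Review bot: The new `echo "matrix=${ALL_CHANGED_FILES}" >> $GITHUB_OUTPUT` in test-docker-build.yml's `@@ -34,7 +38,7 @@` hunk closes the expression-injection path, but it still writes file names that can originate from a pull request into the step output as a single `key=value` line, and `$GITHUB_OUTPUT` is left unquoted. A file name containing a newline would be parsed as a second output line, so the delimiter syntax GitHub documents for multi-line outputs is the safer way to emit this value, and the redirect should in any case read `>> "$GITHUB_OUTPUT"`. The `run:` step and its job begin outside this hunk, and the consumer of `matrix` is the `build_modified_dockerfiles` job whose header is the hunk's last line.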
@@ -50,9 +54,13 @@ jobs: steps: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + with: + cache-binary: false - name: Check out code uses: actions/checkout@v4 + with: + persist-credentials: false - name: Build Docker image uses: docker/build-push-action@v5
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index bc567418..1b0853ad 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -22,6 +22,8 @@ on: - "Makefile" - ".cache/**" +permissions: {} + jobs: pytest: name: Pytest
@@ -32,6 +34,7 @@ jobs: - uses: actions/checkout@v4 with: lfs: true # Ensure LFS files are pulled + persist-credentials: false - name: Install apt dependencies # portaudio19-dev is needed to install pyaudio
@@ -72,6 +75,7 @@ jobs: - uses: actions/checkout@v4 with: lfs: true # Ensure LFS files are pulled + persist-credentials: false - name: Install apt dependencies run: sudo apt-get update && sudo apt-get install -y ffmpeg
@@ -108,6 +112,7 @@ jobs: - uses: actions/checkout@v4 with: lfs: true # Ensure LFS files are pulled + persist-credentials: false - name: Install apt dependencies # portaudio19-dev is needed to install pyaudio
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
index d1dddab7..487ccea5 100644
--- a/.github/workflows/trufflehog.yml
+++ b/.github/workflows/trufflehog.yml
@@ -3,8 +3,7 @@ on: name: Secret Leaks -permissions: - contents: read +permissions: {} jobs: trufflehog:
@@ -14,6 +13,8 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false + - name: Secret Scanning uses: trufflesecurity/trufflehog@main with:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 58eca320..2d2d12e6 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -35,3 +35,7 @@ repos: rev: v8.21.2 hooks: - id: gitleaks + - repo: https://github.com/woodruffw/zizmor-pre-commit + rev: v1.3.1 + hooks: + - id: zizmor
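Review bot: `uses: trufflesecurity/trufflehog@main` on the context line just below the added `persist-credentials: false` in trufflehog.yml's `@@ -14,6 +13,8 @@` hunk references a mutable branch, so the scanner that runs over the full-history checkout (`fetch-depth: 0`) changes whenever upstream pushes to `main`, with no corresponding change in this repository. Pinning it to a release tag or, better, a full commit SHA with the version kept as a trailing comment, `uses: trufflesecurity/trufflehog@<commit-sha>  # <release-tag>`, is the kind of finding the newly added zizmor `unpinned-uses` audit is likely to keep reporting until it is addressed. The `trufflehog` job begins outside this hunk.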
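Review bot: The zizmor hook in the `.pre-commit-config.yaml` hunk (`@@ -35,3 +35,7 @@`) is added only to the pre-commit configuration, so as far as this patch shows the workflow audit runs on developer machines with hooks installed and not in CI; none of the quality.yml hunks add a corresponding step. If the quality workflow does not already execute `pre-commit run --all-files`, running zizmor there as well would make the audit enforced rather than advisory, and would also cover workflow changes made through the web UI. A one-line comment above the new repo entry, `# zizmor: static analysis of GitHub Actions workflows`, would state the hook's purpose for readers who do not recognize the name.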