kpumuk opened a new pull request, #3441:
URL: https://github.com/apache/thrift/pull/3441

zizmor is a static analysis tool for GitHub Actions. It can find and fix many common security issues in typical GitHub Actions CI/CD setups. See https://docs.zizmor.sh/

Our workflows had a few common themes, which were addressed:

* Added Dependabot cooldowns.
* Added `persist-credentials: false` to checkout steps flagged by artipacked.
* Disabled Ruby release Bundler cache.
* Pinned ASF allowlist action to a commit SHA.
* Switched Rust publishing to crates.io trusted publishing with explicit `id-token: write`.

`zizmor .` initially reported 63 findings, including 37 pre-existing suppressed findings and 26 active findings. This change addresses all active findings; the final `zizmor .` run reports no findings, with the same 37 suppressed findings still suppressed.

## Dependabot Cooldown

Findings:

- `.github/dependabot.yml`: `dependabot-cooldown` warned that the `github-actions`, `gradle` for `lib/java`, and `gradle` for `lib/kotlin` updaters had no cooldown.

Remediation:

- Added `cooldown.default-days: 7` to each updater so Dependabot waits before opening updates for freshly released dependencies.

## Checkout Credential Persistence

Findings:

- `artipacked` warned that checkout steps did not explicitly disable persisted GitHub credentials in `.github/workflows/build.yml`, `.github/workflows/cmake.yml`, `.github/workflows/msvc.yml`, `.github/workflows/pypi.yml`, `.github/workflows/release_rust.yml`, and `.github/workflows/sca.yml`.

Remediation:

- Added `with: persist-credentials: false` to affected `actions/checkout` steps that do not need to push back to the repository.

## Release Cache Poisoning

Findings:

- `.github/workflows/release_ruby.yml`: `cache-poisoning` warned that the Ruby release workflow restored Bundler cache state before publishing the gem.

Remediation:

- Disabled `bundler-cache` for the Ruby release job so publish-time artifacts are not built or released from restored CI cache state.

## Unpinned Action Reference

Findings:

- `.github/workflows/asf-allowlist-check.yml`: `unpinned-uses` warned that `apache/infrastructure-actions/allowlist-check@main` used a mutable branch reference.

Remediation:

- Pinned the allowlist check action to commit `8056239fafd626c8a4e2d6679506ba0d8e60f196`.

## Rust Release Permissions and Publishing Token

Findings:

- `.github/workflows/release_rust.yml`: `excessive-permissions` warned that the publish job used default permissions.
- `.github/workflows/release_rust.yml`: `use-trusted-publishing` recommended replacing the long-lived `CARGO_REGISTRY_TOKEN` secret with trusted publishing.

Remediation:

- Added explicit job permissions: `contents: read` and `id-token: write`.
- Replaced the long-lived crates.io secret flow with `rust-lang/crates-io-auth-action`, pinned to commit `bbd81622f20ce9e2dd9622e3218b975523e45bbe`, and passed the action's temporary token to `cargo publish`.

- [ ] Did you create an [Apache Jira](https://issues.apache.org/jira/projects/THRIFT/issues/) ticket? ([Request account here](https://selfserve.apache.org/jira-account.html), not required for trivial changes)
- [ ] If a ticket exists: Does your pull request title follow the pattern "THRIFT-NNNN: describe my issue"?
- [x] Did you squash your changes to a single commit? (not required, but preferred)
- [x] Did you do your best to avoid breaking changes? If one was needed, did you label the Jira ticket with "Breaking-Change"?
- [ ] If your change does not involve any code, include `[skip ci]` anywhere in the commit message to free up build resources.

   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
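The remediations the PR describes, gathered into one release workflow as an added example. This is not a file from the apache/thrift repository or from the PR; the job names, the crate and gem build commands, the Ruby version, and the `0000…` commit SHAs for `actions/checkout` and `ruby/setup-ruby` are placeholders chosen for illustration. The two real SHAs are the ones the PR itself pinned. Each `# before:` comment shows the setting that zizmor flagged, followed by the hardened form.

```yaml
# Added example, not the PR's own workflow. Demonstrates the five zizmor
# remediations from the PR description in one file. Placeholder SHAs
# (all zeros) must be replaced with real commit pins before use.
name: Release

on:
  push:
    tags: ["v*"]

# before: no top-level permissions block, so every job inherited the default
#         GITHUB_TOKEN grants (excessive-permissions)
permissions: {}

jobs:
  publish-crate:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # enough to fetch the source
      id-token: write  # lets the job mint an OIDC token for trusted publishing
    steps:
      # before: uses: actions/checkout@v4 with no `with:` block (artipacked):
      #         the GITHUB_TOKEN stays in .git/config for every later step
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
        with:
          persist-credentials: false  # this job never pushes, so drop the token

      # before: uses: apache/infrastructure-actions/allowlist-check@main (unpinned-uses)
      #         A branch ref is mutable; the PR pinned it to the commit below.
      - uses: apache/infrastructure-actions/allowlist-check@8056239fafd626c8a4e2d6679506ba0d8e60f196

      # before: env: CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
      #         (use-trusted-publishing): a long-lived secret any workflow run
      #         with secrets access could read. Trusted publishing exchanges the
      #         job's OIDC identity for a short-lived token instead.
      - name: Obtain temporary crates.io token
        id: auth
        uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe

      - name: Publish crate
        run: cargo publish --locked  # placeholder command; adjust for the crate layout
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}

  build-gem:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
        with:
          persist-credentials: false

      - uses: ruby/setup-ruby@0000000000000000000000000000000000000000  # placeholder SHA
        with:
          ruby-version: "3.3"  # placeholder version
          # before: bundler-cache: true (cache-poisoning): the release would be
          #         built from gems restored out of a cache that earlier, less
          #         trusted runs could have written
          bundler-cache: false

      - name: Build gem from a clean install
        run: |
          bundle install
          gem build *.gemspec  # placeholder; the push step with RubyGems credentials is omitted here
```

The Dependabot half of the PR lives in `.github/dependabot.yml` rather than a workflow: each entry under `updates:` gains a `cooldown:` map with `default-days: 7`, so a freshly tagged release of an action or Gradle dependency is not proposed on the day it appears. After editing, `zizmor .` from the repository root should report the remediated findings as resolved, with any pre-existing `# zizmor: ignore` suppressions still counted separately.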