From fe1e2ab61549d4dd5fea7a1600d519d2d911b803 Mon Sep 17 00:00:00 2001 
From: Carlo Cabrera Date: Wed, 27 Nov 2024 04:11:28 +0800 Subject: [PATCH] [Workflows] Improve GitHub Actions Security hardening MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `zizmor`[^1] is a static analysis tool that identifies many common security problems in GitHub Actions workflows. Running it on this repository produces 138 findings: ``` ❯ zizmor . [result details omitted] 138 findings: 0 unknown, 56 informational, 0 low, 41 medium, 41 high ``` This workflow runs `zizmor` whenever any workflow is changed. The results will be available under the "Code Scanning" page in the "Security" tab of this repository. (Viewing this page may require sufficient access rights to this repo.) I've also fixed a few of the issues identified like the one below: ``` warning[artipacked]: credential persistence through GitHub Actions artifacts --> /Users/carlocab/github/llvm-project/.github/workflows/pr-subscriber.yml:16:9 | 16 | - name: Checkout Automation Script | _________- 17 | | uses: actions/checkout@v4 18 | | with: 19 | | sparse-checkout: llvm/utils/git/ 20 | | ref: main | |___________________- does not set persist-credentials: false ``` [^1]: https://github.com/woodruffw/zizmor --- .github/workflows/build-ci-container.yml | 2 + .github/workflows/ci-post-commit-analyzer.yml | 2 + .github/workflows/commit-access-review.yml | 2 + .github/workflows/docs.yml | 2 + .github/workflows/email-check.yaml | 1 + .github/workflows/issue-subscriber.yml | 1 + .github/workflows/issue-write.yml | 1 + .github/workflows/libclang-abi-tests.yml | 1 + .github/workflows/libcxx-build-and-test.yaml | 10 +++++ .github/workflows/libcxx-build-containers.yml | 2 + .../libcxx-check-generated-files.yml | 2 + .github/workflows/llvm-project-tests.yml | 1 + .github/workflows/llvm-tests.yml | 1 + .github/workflows/merged-prs.yml | 1 + .github/workflows/new-prs.yml | 1 + .github/workflows/pr-code-format.yml | 2 + .github/workflows/pr-request-release-note.yml | 1 + 
.github/workflows/pr-subscriber.yml | 1 + .github/workflows/release-asset-audit.yml | 2 + .github/workflows/release-binaries.yml | 10 +++++ .github/workflows/release-documentation.yml | 2 + .github/workflows/release-doxygen.yml | 2 + .github/workflows/release-lit.yml | 1 + .github/workflows/release-sources.yml | 1 + .github/workflows/release-tasks.yml | 2 + .github/workflows/version-check.yml | 1 + .github/workflows/workflow-checks.yml | 37 +++++++++++++++++++ 27 files changed, 92 insertions(+) create mode 100644 .github/workflows/workflow-checks.yml diff --git a/.github/workflows/build-ci-container.yml b/.github/workflows/build-ci-container.yml index 28fc7de2ee065..39b674158e81b 100644 --- a/.github/workflows/build-ci-container.yml +++ b/.github/workflows/build-ci-container.yml @@ -28,6 +28,7 @@ jobs: - name: Checkout LLVM uses: actions/checkout@v4 with: + persist-credentials: false sparse-checkout: .github/workflows/containers/github-action-ci/ - name: Change podman Root Direcotry run: | @@ -67,6 +68,7 @@ jobs: - name: Checkout LLVM uses: actions/checkout@v4 with: + persist-credentials: false sparse-checkout: .github/workflows/containers/github-action-ci/ - name: Change podman Root Direcotry diff --git a/.github/workflows/ci-post-commit-analyzer.yml b/.github/workflows/ci-post-commit-analyzer.yml index d614dd07b3a49..abf8f3a033acc 100644 --- a/.github/workflows/ci-post-commit-analyzer.yml +++ b/.github/workflows/ci-post-commit-analyzer.yml @@ -42,6 +42,8 @@ jobs: steps: - name: Checkout Source uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false - name: Setup ccache uses: hendrikmuhs/ccache-action@v1 diff --git a/.github/workflows/commit-access-review.yml b/.github/workflows/commit-access-review.yml index f9195a1863dee..79d7624a7633d 100644 --- a/.github/workflows/commit-access-review.yml +++ b/.github/workflows/commit-access-review.yml 
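Review bot: `persist-credentials: false` removes the token that actions/checkout stores in `.git/config`, so any later step in these workflows that shells out to git against the repository now runs unauthenticated; the same addition is made in every other hunk of this patch, and the first hunk of pr-code-format.yml is followed by a `Checkout through merge base` step that presumably runs `git fetch`, which the description does not say was re-tested. For a public repository an anonymous fetch works, but a `git push` or a fetch of a private ref would not, so each workflow whose later steps lie outside the hunks (all of them here) should be checked for git commands that relied on the stored credential. Steps that receive `${{ github.token }}` through `env` (for example `GITHUB_TOKEN` in release-asset-audit.yml) are unaffected. A one-line comment such as `# Later steps only need anonymous git access; tokens are passed via env where required` above the first `persist-credentials: false` in a workflow with follow-up git steps would record that this was verified.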
@@ -16,6 +16,8 @@ jobs: steps: - name: Fetch LLVM sources uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install dependencies run: | diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 800e929157353..3e4b4d9b3965e 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -62,6 +62,7 @@ jobs: if: ${{ github.event_name == 'push' }} uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 1 - name: Get subprojects that have doc changes id: docs-changed-subprojects @@ -98,6 +99,7 @@ jobs: if: ${{ github.event_name == 'pull_request' }} uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 1 - name: Setup Python env uses: actions/setup-python@v5 diff --git a/.github/workflows/email-check.yaml b/.github/workflows/email-check.yaml index 8f32d020975f5..7459024cc071e 100644 --- a/.github/workflows/email-check.yaml +++ b/.github/workflows/email-check.yaml @@ -16,6 +16,7 @@ jobs: - name: Fetch LLVM sources uses: actions/checkout@v4 with: + persist-credentials: false ref: ${{ github.event.pull_request.head.sha }} - name: Extract author email diff --git a/.github/workflows/issue-subscriber.yml b/.github/workflows/issue-subscriber.yml index ef4fdf4418193..9eda3f7d00e60 100644 --- a/.github/workflows/issue-subscriber.yml +++ b/.github/workflows/issue-subscriber.yml @@ -16,6 +16,7 @@ jobs: - name: Checkout Automation Script uses: actions/checkout@v4 with: + persist-credentials: false sparse-checkout: llvm/utils/git/ ref: main diff --git a/.github/workflows/issue-write.yml b/.github/workflows/issue-write.yml index 5334157a7fd20..8fc47e6a4dd53 100644 --- a/.github/workflows/issue-write.yml +++ b/.github/workflows/issue-write.yml @@ -27,6 +27,7 @@ jobs: - name: Fetch Sources uses: actions/checkout@v4 with: + persist-credentials: false sparse-checkout: | .github/workflows/unprivileged-download-artifact/action.yml sparse-checkout-cone-mode: false 
diff --git a/.github/workflows/libclang-abi-tests.yml b/.github/workflows/libclang-abi-tests.yml index 9e839ff49e283..26049e4958c86 100644 --- a/.github/workflows/libclang-abi-tests.yml +++ b/.github/workflows/libclang-abi-tests.yml @@ -40,6 +40,7 @@ jobs: - name: Checkout source uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 250 - name: Get LLVM version diff --git a/.github/workflows/libcxx-build-and-test.yaml b/.github/workflows/libcxx-build-and-test.yaml index cba8afbb54f0f..a726273bf658f 100644 --- a/.github/workflows/libcxx-build-and-test.yaml +++ b/.github/workflows/libcxx-build-and-test.yaml @@ -55,6 +55,8 @@ jobs: cxx: 'g++-14' steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: ${{ matrix.config }}.${{ matrix.cxx }} run: libcxx/utils/ci/run-buildbot ${{ matrix.config }} env: @@ -101,6 +103,8 @@ jobs: cxx: 'clang++-18' steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: ${{ matrix.config }} run: libcxx/utils/ci/run-buildbot ${{ matrix.config }} env: @@ -165,6 +169,8 @@ jobs: container: ghcr.io/llvm/libcxx-linux-builder:0fd6f684b9c84c32d6cbfd9742402e788b2879f1 steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: ${{ matrix.config }} run: libcxx/utils/ci/run-buildbot ${{ matrix.config }} env: @@ -203,6 +209,8 @@ jobs: runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: maxim-lobanov/setup-xcode@v1 with: xcode-version: 'latest' @@ -243,6 +251,8 @@ jobs: - { config: mingw-incomplete-sysroot, mingw: true } steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install dependencies run: | choco install -y ninja diff --git a/.github/workflows/libcxx-build-containers.yml b/.github/workflows/libcxx-build-containers.yml index 2d040f712ce59..f36c3ce013b29 100644 --- a/.github/workflows/libcxx-build-containers.yml +++ b/.github/workflows/libcxx-build-containers.yml 
@@ -34,6 +34,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Build the Linux builder image working-directory: libcxx/utils/ci diff --git a/.github/workflows/libcxx-check-generated-files.yml b/.github/workflows/libcxx-check-generated-files.yml index 570055624b2a8..d99a96c012209 100644 --- a/.github/workflows/libcxx-check-generated-files.yml +++ b/.github/workflows/libcxx-check-generated-files.yml @@ -13,6 +13,8 @@ jobs: steps: - name: Fetch LLVM sources uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install dependencies uses: aminya/setup-cpp@v1 diff --git a/.github/workflows/llvm-project-tests.yml b/.github/workflows/llvm-project-tests.yml index 95a3890c0d2dc..0b87ef58d04a6 100644 --- a/.github/workflows/llvm-project-tests.yml +++ b/.github/workflows/llvm-project-tests.yml @@ -88,6 +88,7 @@ jobs: # clean: false. - uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 250 - name: Setup ccache uses: hendrikmuhs/ccache-action@v1 diff --git a/.github/workflows/llvm-tests.yml b/.github/workflows/llvm-tests.yml index 26e644229aaa2..5f3eed04f1c1b 100644 --- a/.github/workflows/llvm-tests.yml +++ b/.github/workflows/llvm-tests.yml @@ -50,6 +50,7 @@ jobs: - name: Checkout source uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 250 - name: Get LLVM version diff --git a/.github/workflows/merged-prs.yml b/.github/workflows/merged-prs.yml index e29afd4097f9f..957b423f44ff5 100644 --- a/.github/workflows/merged-prs.yml +++ b/.github/workflows/merged-prs.yml @@ -23,6 +23,7 @@ jobs: - name: Checkout Automation Script uses: actions/checkout@v4 with: + persist-credentials: false sparse-checkout: llvm/utils/git/ ref: main diff --git a/.github/workflows/new-prs.yml b/.github/workflows/new-prs.yml index 88175d6f8d64d..c23d51d481448 100644 --- a/.github/workflows/new-prs.yml +++ b/.github/workflows/new-prs.yml 
@@ -37,6 +37,7 @@ jobs: - name: Checkout Automation Script uses: actions/checkout@v4 with: + persist-credentials: false sparse-checkout: llvm/utils/git/ ref: main diff --git a/.github/workflows/pr-code-format.yml b/.github/workflows/pr-code-format.yml index f2bb37316d3a8..3b1b542dbcb92 100644 --- a/.github/workflows/pr-code-format.yml +++ b/.github/workflows/pr-code-format.yml @@ -21,6 +21,7 @@ jobs: - name: Fetch LLVM sources uses: actions/checkout@v4 with: + persist-credentials: false ref: ${{ github.event.pull_request.head.sha }} - name: Checkout through merge base @@ -42,6 +43,7 @@ jobs: - name: Fetch code formatting utils uses: actions/checkout@v4 with: + persist-credentials: false repository: ${{ github.repository }} ref: ${{ github.base_ref }} sparse-checkout: | diff --git a/.github/workflows/pr-request-release-note.yml b/.github/workflows/pr-request-release-note.yml index 2fa501dda16bb..0330ca0929737 100644 --- a/.github/workflows/pr-request-release-note.yml +++ b/.github/workflows/pr-request-release-note.yml @@ -21,6 +21,7 @@ jobs: - name: Checkout Scripts uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: + persist-credentials: false sparse-checkout: | llvm/utils/git/requirements.txt llvm/utils/git/github-automation.py diff --git a/.github/workflows/pr-subscriber.yml b/.github/workflows/pr-subscriber.yml index 272d3e2f9ef8a..5708563bffd50 100644 --- a/.github/workflows/pr-subscriber.yml +++ b/.github/workflows/pr-subscriber.yml @@ -16,6 +16,7 @@ jobs: - name: Checkout Automation Script uses: actions/checkout@v4 with: + persist-credentials: false sparse-checkout: llvm/utils/git/ ref: main diff --git a/.github/workflows/release-asset-audit.yml b/.github/workflows/release-asset-audit.yml index 018c5d542f32e..285704d617b89 100644 --- a/.github/workflows/release-asset-audit.yml +++ b/.github/workflows/release-asset-audit.yml 
@@ -23,6 +23,8 @@ jobs: if: github.repository == 'llvm/llvm-project' steps: - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6 + with: + persist-credentials: false - name: "Run Audit Script" env: GITHUB_TOKEN: ${{ github.token }} diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml index 1cde628d3f66c..8f5765e17b884 100644 --- a/.github/workflows/release-binaries.yml +++ b/.github/workflows/release-binaries.yml @@ -70,6 +70,8 @@ jobs: - name: Checkout LLVM uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false - name: Install Dependencies shell: bash @@ -155,6 +157,7 @@ jobs: - name: Checkout Actions uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: + persist-credentials: false ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }} sparse-checkout: | .github/workflows/ @@ -176,6 +179,7 @@ jobs: - name: Checkout LLVM uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: + persist-credentials: false ref: ${{ needs.prepare.outputs.ref }} - name: Copy main workflows @@ -229,6 +233,7 @@ jobs: - name: Checkout Actions uses: actions/checkout@v4 with: + persist-credentials: false ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }} sparse-checkout: | .github/workflows/ @@ -263,6 +268,7 @@ jobs: - name: Checkout Actions uses: actions/checkout@v4 with: + persist-credentials: false ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }} sparse-checkout: | .github/workflows/ @@ -312,6 +318,7 @@ jobs: - name: Checkout Actions uses: actions/checkout@v4 with: + persist-credentials: false ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }} sparse-checkout: | .github/workflows/ 
@@ -362,6 +369,7 @@ jobs: - name: Checkout Actions uses: actions/checkout@v4 with: + persist-credentials: false ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }} sparse-checkout: | .github/workflows/ @@ -423,6 +431,7 @@ jobs: - name: Checkout Release Scripts uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: + persist-credentials: false sparse-checkout: | llvm/utils/release/github-upload-release.py llvm/utils/git/requirements.txt @@ -475,6 +484,7 @@ jobs: - name: Checkout Actions uses: actions/checkout@v4 with: + persist-credentials: false ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }} sparse-checkout: | .github/workflows/ diff --git a/.github/workflows/release-documentation.yml b/.github/workflows/release-documentation.yml index 922c5093f1357..2968f03d6d29b 100644 --- a/.github/workflows/release-documentation.yml +++ b/.github/workflows/release-documentation.yml @@ -35,6 +35,8 @@ jobs: steps: - name: Checkout LLVM uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false - name: Setup Python env uses: actions/setup-python@v5 diff --git a/.github/workflows/release-doxygen.yml b/.github/workflows/release-doxygen.yml index ea95e5bb12b2b..3288d215c8398 100644 --- a/.github/workflows/release-doxygen.yml +++ b/.github/workflows/release-doxygen.yml @@ -41,6 +41,8 @@ jobs: steps: - name: Checkout LLVM uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false - name: Setup Python env uses: actions/setup-python@v5 diff --git a/.github/workflows/release-lit.yml b/.github/workflows/release-lit.yml index 9d6f3140e6883..7e3b30fcf17a2 100644 --- a/.github/workflows/release-lit.yml +++ b/.github/workflows/release-lit.yml 
@@ -30,6 +30,7 @@ jobs: - name: Checkout LLVM uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: + persist-credentials: false ref: "llvmorg-${{ inputs.release-version }}" - name: Install dependencies diff --git a/.github/workflows/release-sources.yml b/.github/workflows/release-sources.yml index a6c86823f99df..9e42b2291a4e2 100644 --- a/.github/workflows/release-sources.yml +++ b/.github/workflows/release-sources.yml @@ -73,6 +73,7 @@ jobs: - name: Checkout LLVM uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: + persist-credentials: false ref: ${{ needs.inputs.outputs.ref }} fetch-tags: true - name: Install Dependencies diff --git a/.github/workflows/release-tasks.yml b/.github/workflows/release-tasks.yml index 780dd0ff6325c..d73c44c9b2fc2 100644 --- a/.github/workflows/release-tasks.yml +++ b/.github/workflows/release-tasks.yml @@ -39,6 +39,8 @@ jobs: - name: Checkout LLVM uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false - name: Create Release env: diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml index 894e07d323ca9..adcb755b705a1 100644 --- a/.github/workflows/version-check.yml +++ b/.github/workflows/version-check.yml @@ -19,6 +19,7 @@ jobs: - name: Fetch LLVM sources uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 - name: Install dependencies diff --git a/.github/workflows/workflow-checks.yml b/.github/workflows/workflow-checks.yml new file mode 100644 index 0000000000000..04bee0dacfffe --- /dev/null +++ b/.github/workflows/workflow-checks.yml 
@@ -0,0 +1,37 @@
+name: GitHub Actions Workflow Checks
+
+on:
+ push:
+ paths: [".github/workflows/*.ya?ml"]
+ pull_request:
+ paths: [".github/workflows/*.ya?ml"]
+
+jobs:
+ zizmor:
+ name: Workflow Security Checks
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
+
+ - name: Add Homebrew to PATH
+ run: echo "/home/linuxbrew/.linuxbrew/bin" >>"${GITHUB_PATH}"
+
+ - name: Get zizmor
+ run: brew install zizmor
+
+ - name: Run zizmor
+ run: zizmor --format sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ github.token }}
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+ with:
+ sarif_file: results.sarif
+ category: zizmor
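Review bot: The `Upload SARIF file` step only runs when `Run zizmor` succeeds, and recent zizmor releases exit non-zero whenever findings are present (the description reports 138 of them), so on exactly the runs that matter the SARIF would never be uploaded; give the upload step `if: ${{ !cancelled() }}`, or pass `--no-exit-codes` to zizmor if the installed version supports it, so the findings reach Code Scanning and the check's outcome is decided there. `brew install zizmor` is unpinned, so the audit rule set can change between runs with no change to this repository; at minimum log `zizmor --version` in the run step so a new finding can be attributed to a tool upgrade rather than a workflow edit. On `pull_request` runs from forks the token is read-only and `security-events: write` is not granted, so the upload would likely fail there; a repository guard like the `if: github.repository == 'llvm/llvm-project'` already used in release-asset-audit.yml, or skipping the upload step on forks, would avoid a red check on every fork PR that touches a workflow.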