Also have zizmor check for low-severity security issues (#14893)

AlexWaygood · web-flow · commit 033ecf5a4bce · 2024-12-12T07:43:17.000Z
## Summary This PR changes our zizmor configuration to also flag low-severity security issues in our GitHub Actions workflows. It's a followup to #14844. The issues being fixed here were all flagged by [zizmor's `template-injection` rule](https://woodruffw.github.io/zizmor/audits/#template-injection): > Detects potential sources of code injection via template expansion. > > GitHub Actions allows workflows to define template expansions, which occur within special `${{ ... }}` delimiters. These expansions happen before workflow and job execution, meaning the expansion of a given expression appears verbatim in whatever context it was performed in. > > Template expansions aren't syntax-aware, meaning that they can result in unintended shell injection vectors. This is especially true when they're used with attacker-controllable expression contexts, such as `github.event.issue.title` (which the attacker can fully control by supplying a new issue title). [...] > To fully remediate the vulnerability, you should not use `${{ env.VARNAME }}`, since that is still a template expansion. Instead, you should use `${VARNAME}` to ensure that the shell itself performs the variable expansion. ## Test Plan I tested that this passes all zizmore warnings by running `pre-commit run -a zizmor` locally. The other test is obviously to check that the workflows all still run correctly in CI 😄
diff --git a/.github/workflows/build-binaries.yml b/.github/workflows/build-binaries.yml
@@ -53,9 +53,9 @@ jobs:
           args: --out dist
       - name: "Test sdist"
         run: |
-          pip install dist/${{ env.PACKAGE_NAME }}-*.tar.gz --force-reinstall
-          ${{ env.MODULE_NAME }} --help
-          python -m ${{ env.MODULE_NAME }} --help
+          pip install dist/${PACKAGE_NAME}-*.tar.gz --force-reinstall
+          "${MODULE_NAME}" --help
+          python -m "${MODULE_NAME}" --help
       - name: "Upload sdist"
         uses: actions/upload-artifact@v4
         with:
@@ -125,7 +125,7 @@ jobs:
           args: --release --locked --out dist
       - name: "Test wheel - aarch64"
         run: |
-          pip install dist/${{ env.PACKAGE_NAME }}-*.whl --force-reinstall
+          pip install dist/${PACKAGE_NAME}-*.whl --force-reinstall
           ruff --help
           python -m ruff --help
       - name: "Upload wheels"
@@ -186,9 +186,9 @@ jobs:
         if: ${{ !startsWith(matrix.platform.target, 'aarch64') }}
         shell: bash
         run: |
-          python -m pip install dist/${{ env.PACKAGE_NAME }}-*.whl --force-reinstall
-          ${{ env.MODULE_NAME }} --help
-          python -m ${{ env.MODULE_NAME }} --help
+          python -m pip install dist/${PACKAGE_NAME}-*.whl --force-reinstall
+          "${MODULE_NAME}" --help
+          python -m "${MODULE_NAME}" --help
       - name: "Upload wheels"
         uses: actions/upload-artifact@v4
         with:
@@ -236,9 +236,9 @@ jobs:
       - name: "Test wheel"
         if: ${{ startsWith(matrix.target, 'x86_64') }}
         run: |
-          pip install dist/${{ env.PACKAGE_NAME }}-*.whl --force-reinstall
-          ${{ env.MODULE_NAME }} --help
-          python -m ${{ env.MODULE_NAME }} --help
+          pip install dist/${PACKAGE_NAME}-*.whl --force-reinstall
+          "${MODULE_NAME}" --help
+          python -m "${MODULE_NAME}" --help
       - name: "Upload wheels"
         uses: actions/upload-artifact@v4
         with:
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
@@ -87,9 +87,10 @@ jobs:
           outputs: type=image,name=${{ env.RUFF_BASE_IMG }},push-by-digest=true,name-canonical=true,push=${{ inputs.plan != '' && !fromJson(inputs.plan).announcement_tag_is_implicit }}
 
       - name: Export digests
+        env:
+          digest: ${{ steps.build.outputs.digest }}
         run: |
           mkdir -p /tmp/digests
-          digest="${{ steps.build.outputs.digest }}"
           touch "/tmp/digests/${digest#sha256:}"
 
       - name: Upload digests
@@ -143,7 +144,7 @@ jobs:
         run: |
           docker buildx imagetools create \
             $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf '${{ env.RUFF_BASE_IMG }}@sha256:%s ' *)
+            $(printf '${RUFF_BASE_IMG}@sha256:%s ' *)
 
   docker-publish-extra:
     name: Publish additional Docker image based on ${{ matrix.image-mapping }}
@@ -182,7 +183,7 @@ jobs:
           # Generate Dockerfile content
           cat <<EOF > Dockerfile
           FROM ${BASE_IMAGE}
-          COPY --from=${{ env.RUFF_BASE_IMG }}:latest /ruff /usr/local/bin/ruff
+          COPY --from=${RUFF_BASE_IMG}:latest /ruff /usr/local/bin/ruff
           ENTRYPOINT []
           CMD ["/usr/local/bin/ruff"]
           EOF
@@ -288,4 +289,4 @@ jobs:
           docker buildx imagetools create \
             "${annotations[@]}" \
             $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf '${{ env.RUFF_BASE_IMG }}@sha256:%s ' *)
+            $(printf '${RUFF_BASE_IMG}@sha256:%s ' *)
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
@@ -49,13 +49,11 @@ jobs:
 
       - name: "Set branch name"
         run: |
-          version="${{ env.version }}"
-          display_name="${{ env.display_name }}"
           timestamp="$(date +%s)"
 
           # create branch_display_name from display_name by replacing all
           # characters disallowed in git branch names with hyphens
-          branch_display_name="$(echo "$display_name" | tr -c '[:alnum:]._' '-' | tr -s '-')"
+          branch_display_name="$(echo "${display_name}" | tr -c '[:alnum:]._' '-' | tr -s '-')"
 
           echo "branch_name=update-docs-$branch_display_name-$timestamp" >> $GITHUB_ENV
           echo "timestamp=$timestamp" >> $GITHUB_ENV
@@ -93,22 +91,18 @@ jobs:
         run: mkdocs build --strict -f mkdocs.public.yml
 
       - name: "Clone docs repo"
-        run: |
-          version="${{ env.version }}"
-          git clone https://${{ secrets.ASTRAL_DOCS_PAT }}@github.com/astral-sh/docs.git astral-docs
+        run: git clone https://${{ secrets.ASTRAL_DOCS_PAT }}@github.com/astral-sh/docs.git astral-docs
 
       - name: "Copy docs"
         run: rm -rf astral-docs/site/ruff && mkdir -p astral-docs/site && cp -r site/ruff astral-docs/site/
 
       - name: "Commit docs"
         working-directory: astral-docs
         run: |
-          branch_name="${{ env.branch_name }}"
-
           git config user.name "astral-docs-bot"
           git config user.email "176161322+astral-docs-bot@users.noreply.github.com"
 
-          git checkout -b $branch_name
+          git checkout -b "${branch_name}"
           git add site/ruff
           git commit -m "Update ruff documentation for $version"
 
@@ -117,12 +111,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.ASTRAL_DOCS_PAT }}
         run: |
-          version="${{ env.version }}"
-          display_name="${{ env.display_name }}"
-          branch_name="${{ env.branch_name }}"
-
           # set the PR title
-          pull_request_title="Update ruff documentation for $display_name"
+          pull_request_title="Update ruff documentation for "${display_name}""
 
           # Delete any existing pull requests that are open for this version
           # by checking against pull_request_title because the new PR will
@@ -131,12 +121,12 @@ jobs:
             xargs -I {} gh pr close {}
 
           # push the branch to GitHub
-          git push origin $branch_name
+          git push origin "${branch_name}"
 
           # create the PR
-          gh pr create --base main --head $branch_name \
+          gh pr create --base main --head "${branch_name}" \
             --title "$pull_request_title" \
-            --body "Automated documentation update for $display_name" \
+            --body "Automated documentation update for "${display_name}"" \
             --label "documentation"
 
       - name: "Merge Pull Request"
@@ -145,9 +135,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.ASTRAL_DOCS_PAT }}
         run: |
-          branch_name="${{ env.branch_name }}"
-
           # auto-merge the PR if the build was triggered by a release. Manual builds should be reviewed by a human.
           # give the PR a few seconds to be created before trying to auto-merge it
           sleep 10
-          gh pr merge --squash $branch_name
+          gh pr merge --squash "${branch_name}"
diff --git a/.github/workflows/sync_typeshed.yaml b/.github/workflows/sync_typeshed.yaml
@@ -31,7 +31,7 @@ jobs:
         with:
           repository: python/typeshed
           path: typeshed
-          persist-credentials: true
+          persist-credentials: false
       - name: Setup git
         run: |
           git config --global user.name typeshedbot
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -95,8 +95,6 @@ repos:
         # `release.yml` is autogenerated by `dist`; security issues need to be fixed there
         # (https://opensource.axo.dev/cargo-dist/)
         exclude: .github/workflows/release.yml
-        # We could consider enabling the low-severity warnings, but they're noisy
-        args: [--min-severity=medium]
 
   - repo: https://github.com/python-jsonschema/check-jsonschema
     rev: 0.30.0
