Merged
29 commits
135056c
add `zizmor` to the hooks
keewis Mar 29, 2026
b43ce8a
set the default permissions to minimum
keewis Mar 29, 2026
7508cac
don't persist credentials
keewis Mar 29, 2026
db80e00
pin `actions/checkout`
keewis Mar 29, 2026
f8fc5cd
pin `xarray-contrib/ci-trigger`
keewis Mar 29, 2026
2c3c235
pin `actions/upload-artifact`
keewis Mar 29, 2026
0da3452
pin `actions/download-artifact`
keewis Mar 29, 2026
7277523
pin `pypa/gh-action-pypi-publish`
keewis Mar 29, 2026
241e0e5
pin `actions/setup-python`
keewis Mar 29, 2026
74f4cf8
pin `prefix-dev/setup-pixi`
keewis Mar 29, 2026
53a67c8
pin `codecov/codecov-action`
keewis Mar 29, 2026
708296a
pin `scientific-python/issue-from-pytest-log-action`
keewis Mar 29, 2026
d7330f7
pin `mamba-org/setup-micromamba`
keewis Mar 29, 2026
d985643
pin `WyriHaximus/github-action-get-previous-tag`
keewis Mar 29, 2026
52c8586
pin `EnricoMi/publish-unit-test-result-action`
keewis Mar 29, 2026
11b2aa1
pin `actions/labeler`
keewis Mar 29, 2026
b602b1a
pin `actions/cache`
keewis Mar 29, 2026
e84ac0c
actions cooldown for dependabot
keewis Mar 29, 2026
a8a65c8
avoid potential template injections
keewis Mar 29, 2026
dbbf6da
broken condition
keewis Mar 29, 2026
c6f6604
ignore the `pull_request_target` warning
keewis Mar 29, 2026
dbbb667
ignore zizmor's dangerous-triggers warning for publish-test-results
keewis Mar 29, 2026
62db312
fetch the `codecov` token from a github environment
keewis Mar 29, 2026
8169e83
correct the pin for `setup-pixi`
keewis Mar 29, 2026
701eb5e
split the nightly wheels ci into build and publish jobs
keewis Mar 29, 2026
47ba6e1
remove the codecov env and ignore the zizmor warning instead
keewis Mar 29, 2026
3bf02bf
back to the codecov env, but disable deployments
keewis Mar 30, 2026
d3316e9
correct the pin for `actions/setup-python`
keewis Mar 31, 2026
23ada36
Merge branch 'main' into zizmor
VeckoTheGecko Apr 2, 2026
2 changes: 2 additions & 0 deletions .github/dependabot.yml
@@ -5,6 +5,8 @@ updates:
schedule:
# Check for updates once a week
interval: "weekly"
cooldown:
default-days: 7
Comment on lines +8 to +9
Contributor
Related: We should also have this for Pixi when prefix-dev/pixi#5786 gets merged and released

Collaborator Author

yep, we can do that, too. We'll have to be able to disable that for the nightly CI, though, otherwise the early warning system will be a week late.

Contributor

I was thinking 3 days would be good. I think it's ok if our nightly env is a few days late?

Collaborator Author

I guess so. The hope for using a cooldown is that if there is an attack, waiting for 7 days will allow others with more knowledge to detect and report the problem. Obviously, if everybody is doing this you won't gain anything.

However, my superficial knowledge on this topic is at its limit here; it might be worth raising this kind of question in the scientific-python discord: there are more security-aware folks and the authors of the scientific-python-nightly-wheels action.

(drive-by comment from the Discord thread on this): I'm of the opinion that the latest nightly can be used in a very sandboxed, very scoped-down job, just to test compatibility but with no access to anything else. The container where that job runs is deleted after the job runs, so it cannot poison future runs of the same or other workflows. Static analysis of the package to detect vulns, exploits, is possible, if wanted

groups:
actions:
patterns:
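Review bot: `cooldown: default-days: 7` delays every update this entry proposes, including a bump that fixes a compromised or vulnerable action release, and nothing in the hunk records why 7 was chosen. Add a comment next to it in the style of the existing `# Check for updates once a week` (for example `# wait a week after a release so a hijacked tag has time to be reported`), and if patch-level bumps should land sooner, use Dependabot's per-semver-level cooldown keys (`semver-patch-days` and friends) instead of one value for everything.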
16 changes: 10 additions & 6 deletions .github/workflows/benchmarks-last-release.yml
Contributor
Collaborator Author

we can try that after merging this PR

@@ -6,6 +6,8 @@ on:
- main
workflow_dispatch:

permissions: {}

jobs:
benchmark:
name: Linux
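Review bot: `permissions: {}` at workflow level drops every `GITHUB_TOKEN` scope for all jobs in this file. The steps shown further down only check out, run asv and upload an artifact, none of which needs the token, so this is correct; add a one-line comment saying so, otherwise the next person debugging a failure will re-add `contents: write` as a reflex.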
@@ -17,12 +19,13 @@ jobs:
steps:
# We need the full repo to avoid this issue
# https://github.com/actions/checkout/issues/23
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false

- name: Set up conda environment
uses: mamba-org/setup-micromamba@v2
uses: mamba-org/setup-micromamba@d7c9bd84e824b79d2af72a2d4196c7f4300d3476 # v3.0.0
with:
micromamba-version: "1.5.10-0"
environment-file: ${{env.CONDA_ENV_FILE}}
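Review bot: the `setup-micromamba` line is a major-version bump (`@v2` to `# v3.0.0`), not only a pin, inside a commit titled `pin mamba-org/setup-micromamba`. Say so in the PR and confirm that the inputs used here (`micromamba-version`, `environment-file`) are unchanged in v3, or split the bump into its own commit so a bisect lands on it. `persist-credentials: false` together with `fetch-depth: 0` is fine: nothing later in this job pushes or needs an authenticated remote.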
@@ -34,7 +37,7 @@ jobs:
- name: "Get Previous tag"
id: previoustag
uses: "WyriHaximus/github-action-get-previous-tag@v2"
uses: WyriHaximus/github-action-get-previous-tag@61819f33034117e6c686e6a31dba995a85afc9de # v2.0.0
# with:
# fallback: 1.0.0 # Optional fallback tag to use when no tag can be found
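Review bot: after pinning, the trailing `# v2.0.0` comment is the only human-readable version left, so keep it (Dependabot rewrites both the SHA and that comment when it bumps the action). The commented-out `# with:` / `# fallback:` lines below are stale; either enable `fallback` or drop them, since with `fetch-depth: 0` kept above the tag lookup has the full history and will not need one.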

@@ -47,18 +50,19 @@ jobs:
OMP_NUM_THREADS: 1
ASV_FACTOR: 1.5
ASV_SKIP_SLOW: 1
GITHUB_TAG: ${{ steps.previoustag.outputs.tag }}
run: |
set -x
# ID this runner
asv machine --yes
echo "Baseline: ${{ steps.previoustag.outputs.tag }} "
echo "Baseline: $GITHUB_TAG"
echo "Contender: ${{ github.sha }}"
# Use mamba for env creation
# export CONDA_EXE=$(which mamba)
export CONDA_EXE=$(which conda)
# Run benchmarks for current commit against base
ASV_OPTIONS="--split --show-stderr --factor $ASV_FACTOR"
asv continuous $ASV_OPTIONS ${{ steps.previoustag.outputs.tag }} ${{ github.sha }} \
asv continuous $ASV_OPTIONS "$GITHUB_TAG" ${{ github.sha }} \
| sed "/Traceback \|failed$\|PERFORMANCE DECREASED/ s/^/::error::/" \
| tee benchmarks.log
# Report and export results for subsequent steps
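Review bot: the injection fix is only half applied in this step: `${{ steps.previoustag.outputs.tag }}` now goes through `GITHUB_TAG`, but `${{ github.sha }}` is still expanded straight into the script twice (the `echo` and the `asv continuous` call). It is a 40-character hex string, so it cannot inject, but the runner already exports it as `GITHUB_SHA` (benchmarks.yml uses `${GITHUB_SHA}` on the equivalent line), so use that for consistency and to keep zizmor's template-injection audit from having to special-case it.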
@@ -73,7 +77,7 @@ jobs:
cp benchmarks/README_CI.md benchmarks.log .asv/results/
working-directory: ${{ env.ASV_DIR }}

- uses: actions/upload-artifact@v7
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: always()
with:
name: asv-benchmark-results-${{ runner.os }}
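Review bot: `if: always()` also fires when the run is cancelled, so a cancelled benchmark still spends time uploading a partial `.asv/results`. If the intent is "upload whatever asv produced, even on failure", `if: ${{ !cancelled() }}` says exactly that.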
12 changes: 8 additions & 4 deletions .github/workflows/benchmarks.yml
@@ -8,6 +8,8 @@ on:
env:
PR_HEAD_LABEL: ${{ github.event.pull_request.head.label }}

permissions: {}

jobs:
benchmark:
if: ${{ contains( github.event.pull_request.labels.*.name, 'run-benchmark') && github.event_name == 'pull_request' || contains( github.event.pull_request.labels.*.name, 'topic-performance') && github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' }}
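Review bot: `PR_HEAD_LABEL` is populated from `github.event.pull_request.head.label`, which contains the fork owner's name and branch name and is therefore attacker-chosen text; routing it through a workflow-level `env:` and reading `$PR_HEAD_LABEL` in the script is the right pattern, and is the one the later hunks copy. The `if:` on the `benchmark` job is one line with three `||` branches; write it as a folded scalar (`if: >-`) with one branch per line, or hoist `github.event_name == 'pull_request'` out of the two label checks, so the `workflow_dispatch` case is readable.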
@@ -20,12 +22,13 @@ jobs:
steps:
# We need the full repo to avoid this issue
# https://github.com/actions/checkout/issues/23
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false

- name: Set up conda environment
uses: mamba-org/setup-micromamba@v2
uses: mamba-org/setup-micromamba@d7c9bd84e824b79d2af72a2d4196c7f4300d3476 # v3.0.0
with:
micromamba-version: "1.5.10-0"
environment-file: ${{env.CONDA_ENV_FILE}}
@@ -47,11 +50,12 @@ jobs:
OMP_NUM_THREADS: 1
ASV_FACTOR: 1.5
ASV_SKIP_SLOW: 1
GITHUB_LABEL: ${{ github.event.pull_request.base.label }}
run: |
set -x
# ID this runner
asv machine --yes
echo "Baseline: ${{ github.event.pull_request.base.sha }} (${{ github.event.pull_request.base.label }})"
echo "Baseline: ${{ github.event.pull_request.base.sha }} ($GITHUB_LABEL)"
echo "Contender: ${GITHUB_SHA} ($PR_HEAD_LABEL)"
# Run benchmarks for current commit against base
ASV_OPTIONS="--split --show-stderr --factor $ASV_FACTOR"
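Review bot: the new variable is named `GITHUB_LABEL` but holds the PR base label, while the head label already lives in `PR_HEAD_LABEL` at workflow level; call it `PR_BASE_LABEL` so the pair reads together and it is not mistaken for a runner-provided `GITHUB_*` variable. `${{ github.event.pull_request.base.sha }}` is still inlined on the same `echo` line; it is hex only, so it cannot inject, but passing it through `env:` like its neighbour keeps the `run:` block free of expressions.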
@@ -70,7 +74,7 @@ jobs:
cp benchmarks/README_CI.md benchmarks.log .asv/results/
working-directory: ${{ env.ASV_DIR }}

- uses: actions/upload-artifact@v7
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
if: always()
with:
name: asv-benchmark-results-${{ runner.os }}
49 changes: 30 additions & 19 deletions .github/workflows/ci-additional.yaml
@@ -15,6 +15,8 @@ concurrency:
env:
FORCE_COLOR: 3

permissions: {}

jobs:
detect-ci-trigger:
name: detect ci trigger
@@ -26,10 +28,11 @@ jobs:
outputs:
triggered: ${{ steps.detect-trigger.outputs.trigger-found }}
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 2
- uses: xarray-contrib/ci-trigger@v1
persist-credentials: false
- uses: xarray-contrib/ci-trigger@10cd2bfec3484946a4058a421ddf9cfad101e715 # v1.2.1
id: detect-trigger
with:
keyword: "[skip-ci]"
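Review bot: `xarray-contrib/ci-trigger` reads the `[skip-ci]` keyword out of the commit message of a `fetch-depth: 2`, `persist-credentials: false` checkout and exposes the result as the `triggered` job output, which presumably gates the later jobs; a third-party action that can switch CI on or off is precisely the kind that deserved this SHA pin. Note that the pin comment says `# v1.2.1` while the old ref was the floating `@v1`, so Dependabot will now propose minor bumps as separate PRs rather than picking them up silently.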
@@ -44,10 +47,12 @@ jobs:
pixi-version: ${{ steps.pixi-lock.outputs.pixi-version }}

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: Parcels-code/pixi-lock/create-and-cache@38495788b79a5ff26009aecc15daa9a8310b8832 # v0.1.0
id: pixi-lock
- uses: actions/upload-artifact@v7
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: pixi-lock
path: pixi.lock
@@ -63,9 +68,10 @@ jobs:
env:
PIXI_ENV: "test-py313"
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0 # Fetch all history for all branches and tags.
persist-credentials: false

- name: set environment variables
run: |
@@ -75,7 +81,7 @@ jobs:
uses: Parcels-code/pixi-lock/restore@38495788b79a5ff26009aecc15daa9a8310b8832 # v0.1.0
with:
cache-key: ${{ needs.cache-pixi-lock.outputs.cache-key }}
- uses: prefix-dev/setup-pixi@v0.9.4
- uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
with:
pixi-version: ${{ needs.cache-pixi-lock.outputs.pixi-version }}
cache: true
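Review bot: the same `prefix-dev/setup-pixi@a0af7a22…` line with `cache: true` is repeated in every job of this file, and the commit list for this PR contains `correct the pin for setup-pixi`, so verify after merge that all copies carry the same SHA and that it really is the v0.9.4 tag the comment claims. Moving the restore-lockfile plus setup-pixi pair into a local composite action would turn the next bump into a one-line change instead of six.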
@@ -106,14 +112,15 @@ jobs:
PIXI_ENV: test-py313-with-typing

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0 # Fetch all history for all branches and tags.
persist-credentials: false
- name: Restore cached pixi lockfile
uses: Parcels-code/pixi-lock/restore@38495788b79a5ff26009aecc15daa9a8310b8832 # v0.1.0
with:
cache-key: ${{ needs.cache-pixi-lock.outputs.cache-key }}
- uses: prefix-dev/setup-pixi@v0.9.4
- uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
with:
pixi-version: ${{ needs.cache-pixi-lock.outputs.pixi-version }}
cache: true
@@ -132,7 +139,7 @@ jobs:
pixi run -e ${{env.PIXI_ENV}} -- python -m mypy --install-types --non-interactive --cobertura-xml-report mypy_report

- name: Upload mypy coverage to Codecov
uses: codecov/codecov-action@v6.0.0
uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
with:
files: mypy_report/cobertura.xml
flags: mypy
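Review bot: `pixi run -e ${{env.PIXI_ENV}}` still interpolates an expression into the script. `env.PIXI_ENV` is set statically in this job, so it is not injectable, but `$PIXI_ENV` is already in the shell environment and using it keeps `run:` blocks free of `${{ }}`, which is the convention the rest of this PR establishes. Separately, the `codecov/codecov-action` upload needs a token and this file now runs under `permissions: {}`; the commit titles `fetch the codecov token from a github environment` and `back to the codecov env, but disable deployments` suggest that is handled, but the hunk does not show it, so confirm the `token:` input is still wired up.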
@@ -151,14 +158,15 @@ jobs:
PIXI_ENV: test-py311-with-typing

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0 # Fetch all history for all branches and tags.
persist-credentials: false
- name: Restore cached pixi lockfile
uses: Parcels-code/pixi-lock/restore@38495788b79a5ff26009aecc15daa9a8310b8832 # v0.1.0
with:
cache-key: ${{ needs.cache-pixi-lock.outputs.cache-key }}
- uses: prefix-dev/setup-pixi@v0.9.4
- uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
with:
pixi-version: ${{ needs.cache-pixi-lock.outputs.pixi-version }}
cache: true
@@ -177,7 +185,7 @@ jobs:
pixi run -e ${{env.PIXI_ENV}} -- python -m mypy --install-types --non-interactive --cobertura-xml-report mypy_report

- name: Upload mypy coverage to Codecov
uses: codecov/codecov-action@v6.0.0
uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
with:
files: mypy_report/cobertura.xml
flags: mypy-min
@@ -199,15 +207,16 @@ jobs:
PIXI_ENV: test-py313-with-typing

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false

- name: Restore cached pixi lockfile
uses: Parcels-code/pixi-lock/restore@38495788b79a5ff26009aecc15daa9a8310b8832 # v0.1.0
with:
cache-key: ${{ needs.cache-pixi-lock.outputs.cache-key }}
- uses: prefix-dev/setup-pixi@v0.9.4
- uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
with:
pixi-version: ${{ needs.cache-pixi-lock.outputs.pixi-version }}
cache: true
@@ -249,15 +258,16 @@ jobs:
shell: bash -l {0}

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0 # Fetch all history for all branches and tags.
persist-credentials: false

- name: Restore cached pixi lockfile
uses: Parcels-code/pixi-lock/restore@38495788b79a5ff26009aecc15daa9a8310b8832 # v0.1.0
with:
cache-key: ${{ needs.cache-pixi-lock.outputs.cache-key }}
- uses: prefix-dev/setup-pixi@v0.9.4
- uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
with:
pixi-version: ${{ needs.cache-pixi-lock.outputs.pixi-version }}
cache: true
@@ -276,7 +286,7 @@ jobs:
pixi run -e ${{ matrix.pixi-env }} -- python -m pyright xarray/

- name: Upload pyright coverage to Codecov
uses: codecov/codecov-action@v6.0.0
uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
with:
files: pyright_report/cobertura.xml
flags: pyright
@@ -297,16 +307,17 @@ jobs:
COLUMNS: 120

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0 # Fetch all history for all branches and tags.
persist-credentials: false

- name: Restore cached pixi lockfile
uses: Parcels-code/pixi-lock/restore@38495788b79a5ff26009aecc15daa9a8310b8832 # v0.1.0
with:
cache-key: ${{ needs.cache-pixi-lock.outputs.cache-key }}

- uses: prefix-dev/setup-pixi@v0.9.4
- uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
with:
pixi-version: ${{ needs.cache-pixi-lock.outputs.pixi-version }}
cache: true