Add pre-commit hook for Zizmor (#3861)

A static analysis tool for GitHub Actions. Docs at
https://woodruffw.github.io/zizmor/usage/#use-with-pre-commit

* Set persist-credentials: false with actions/checkout

Xref https://woodruffw.github.io/zizmor/audits/#artipacked

* Set permissions: {} for GitHub Actions workflows

Xref https://woodruffw.github.io/zizmor/audits/#excessive-permissions

* Fix potential sources of code injection via template expansion

Xref https://woodruffw.github.io/zizmor/audits/#template-injection

* Back to using Windows cmd, use %GMT_INSTALL_DIR%

---------

Co-authored-by: Dongdong Tian <[email protected]>

Author: weiji14

.github/workflows/benchmarks.yml

@@ -23,6 +23,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
+permissions: {}
+
 jobs:
   benchmarks:
     runs-on: ubuntu-latest
@@ -38,6 +40,7 @@ jobs:
         with:
           # fetch all history so that setuptools-scm works
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Get current week number of year
         id: date

.github/workflows/cache_data.yaml

@@ -25,6 +25,8 @@ on:
   schedule:
     - cron: '0 12 * * 0'
 
+permissions: {}
+
 jobs:
   gmt_cache:
     name: Cache GMT artifacts
@@ -40,6 +42,7 @@ jobs:
         with:
           # fetch all history so that setuptools-scm works
           fetch-depth: 0
+          persist-credentials: false
 
       # Install Micromamba with conda-forge dependencies
       - name: Setup Micromamba

.github/workflows/check-links.yml

@@ -15,6 +15,8 @@ on:
   schedule:
     - cron: '0 12 * * 0'
 
+permissions: {}
+
 jobs:
   check_links:
     name: Check Links
@@ -26,12 +28,14 @@ jobs:
       uses: actions/[email protected]
       with:
         path: repository
+        persist-credentials: false
 
     - name: Checkout the documentation
       uses: actions/[email protected]
       with:
         ref: gh-pages
         path: documentation
+        persist-credentials: false
 
     - name: Link Checker
       id: lychee
@@ -72,7 +76,8 @@ jobs:
       if: env.lychee_exit_code != 0
       run: |
         cd repository/
-        title="Link Checker Report on ${{ steps.date.outputs.date }}"
+        title="Link Checker Report on ${CURRENT_DATE}"
         gh issue create --title "$title" --body-file /tmp/lychee-out.md
       env:
         GH_TOKEN: ${{ github.token }}
+        CURRENT_DATE: ${{ steps.date.outputs.date }}

.github/workflows/ci_docs.yml

@@ -43,6 +43,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
+permissions: {}
+
 jobs:
   docs:
     name: ${{ matrix.os }}
@@ -73,6 +75,7 @@ jobs:
         with:
           # fetch all history so that setuptools-scm works
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Get current week number of year
         id: date
@@ -159,10 +162,11 @@ jobs:
         if: github.event_name == 'push' && matrix.os == 'ubuntu-latest'
 
       - name: Upload the HTML ZIP archive and PDF as release assets
-        run: gh release upload ${{ github.ref_name }} doc/_build/pygmt-docs.zip doc/_build/pygmt-docs.pdf
+        run: gh release upload ${REF_NAME} doc/_build/pygmt-docs.zip doc/_build/pygmt-docs.pdf
         if: github.event_name == 'release' && matrix.os == 'ubuntu-latest'
         env:
           GH_TOKEN: ${{ github.token }}
+          REF_NAME: ${{ github.ref_name }}
 
       - name: Checkout the gh-pages branch
         uses: actions/[email protected]
@@ -172,6 +176,7 @@ jobs:
           path: deploy
           # Download the entire history
           fetch-depth: 0
+          persist-credentials: false
         if: (github.event_name == 'release' || github.event_name == 'push') && (matrix.os == 'ubuntu-latest')
 
       - name: Push the built HTML to gh-pages

.github/workflows/ci_doctests.yaml

@@ -18,6 +18,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
+permissions: {}
+
 jobs:
   test:
     name: ${{ matrix.os }}
@@ -39,6 +41,7 @@ jobs:
         with:
           # fetch all history so that setuptools-scm works
           fetch-depth: 0
+          persist-credentials: false
 
       # Install Micromamba with conda-forge dependencies
       - name: Setup Micromamba

.github/workflows/ci_tests.yaml

@@ -108,6 +108,7 @@ jobs:
         with:
           # fetch all history so that setuptools-scm works
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Get current week number of year
         id: date

.github/workflows/ci_tests_dev.yaml

@@ -28,6 +28,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
+permissions: {}
+
 jobs:
   test_gmt_dev:
     name: ${{ matrix.os }} - GMT ${{ matrix.gmt_git_ref }}
@@ -50,6 +52,7 @@ jobs:
         with:
           # fetch all history so that setuptools-scm works
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Get current week number of year
         id: date
@@ -96,6 +99,7 @@ jobs:
           repository: 'GenericMappingTools/gmt'
           ref: ${{ matrix.gmt_git_ref }}
           path: 'gmt'
+          persist-credentials: false
 
       # Build GMT from source on Linux/macOS, script is adapted from
       # https://github.com/GenericMappingTools/gmt/blob/6.5.0/ci/build-gmt.sh
@@ -105,7 +109,7 @@ jobs:
           mkdir build
           cd build
           cmake -G Ninja .. \
-            -DCMAKE_INSTALL_PREFIX=${{ env.GMT_INSTALL_DIR }} \
+            -DCMAKE_INSTALL_PREFIX=${GMT_INSTALL_DIR} \
             -DCMAKE_BUILD_TYPE=Release \
             -DGMT_ENABLE_OPENMP=TRUE \
             -DGMT_USE_THREADS=TRUE
@@ -125,7 +129,7 @@ jobs:
           cd build
           call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
           cmake -G Ninja .. ^
-            -DCMAKE_INSTALL_PREFIX=${{ env.GMT_INSTALL_DIR }} ^
+            -DCMAKE_INSTALL_PREFIX=%GMT_INSTALL_DIR% ^
             -DCMAKE_BUILD_TYPE=Release ^
             -DCMAKE_PREFIX_PATH=${{ env.MAMBA_ROOT_PREFIX }}\envs\pygmt\Library ^
             -DGMT_ENABLE_OPENMP=TRUE ^

.github/workflows/ci_tests_legacy.yaml

@@ -26,6 +26,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
+permissions: {}
+
 jobs:
   test:
     name: ${{ matrix.os }} - GMT ${{ matrix.gmt_version }}
@@ -48,6 +50,7 @@ jobs:
         with:
           # fetch all history so that setuptools-scm works
           fetch-depth: 0
+          persist-credentials: false
 
       # Install Micromamba with conda-forge dependencies
       - name: Setup Micromamba

.github/workflows/dvc-diff.yml

@@ -14,6 +14,8 @@ on:
     paths:
       - 'pygmt/tests/baseline/*.png.dvc'
 
+permissions: {}
+
 jobs:
   dvc-diff:
     name: DVC image diff
@@ -25,6 +27,7 @@ jobs:
       with:
         # fetch all history so that dvc diff works
         fetch-depth: 0
+        persist-credentials: false
 
     - name: Setup data version control (DVC)
       uses: iterative/[email protected]
@@ -53,6 +56,7 @@ jobs:
     - name: Generate the image diff report
       env:
         repo_token: ${{ github.token }}
+        PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
       run: |
         echo -e "## Summary of changed images\n" > report.md
         echo -e "This is an auto-generated report of images that have changed on the DVC remote\n" >> report.md
@@ -94,7 +98,7 @@ jobs:
         echo -e "</details>\n" >> report.md
 
         # Mention git commit SHA in the report
-        echo -e "Report last updated at commit ${{ github.event.pull_request.head.sha }}" >> report.md
+        echo -e "Report last updated at commit ${PR_HEAD_SHA}" >> report.md
 
         # create/update PR comment
         cml comment update report.md

.github/workflows/format-command.yml

@@ -3,9 +3,13 @@
 # This workflow is triggered in a PR if the slash command `/format` is used.
 #
 name: format-command
+
 on:
   repository_dispatch:
     types: [format-command]
+
+permissions: {}
+
 jobs:
   format:
     runs-on: ubuntu-latest
@@ -23,6 +27,7 @@ jobs:
           token: ${{ steps.generate-token.outputs.token }}
           repository: ${{ github.event.client_payload.pull_request.head.repo.full_name }}
           ref: ${{ github.event.client_payload.pull_request.head.ref }}
+          persist-credentials: false
 
       # Setup Python environment
       - uses: actions/[email protected]

.github/workflows/publish-to-pypi.yml

@@ -34,6 +34,8 @@ on:
   #  branches:
   #    - main
 
+permissions: {}
+
 jobs:
   build:
     name: Build distribution 📦

.github/workflows/release-baseline-images.yml

@@ -24,6 +24,8 @@ jobs:
     steps:
     - name: Checkout
       uses: actions/[email protected]
+      with:
+        persist-credentials: false
 
     - name: Setup data version control (DVC)
       uses: iterative/[email protected]
@@ -39,6 +41,7 @@ jobs:
         shasum -a 256 baseline-images.zip
 
     - name: Upload baseline image as a release asset
-      run: gh release upload ${{ github.ref_name }} baseline-images.zip
+      run: gh release upload ${REF_NAME} baseline-images.zip
       env:
         GH_TOKEN: ${{ github.token }}
+        REF_NAME: ${{ github.ref_name }}

.github/workflows/release-drafter.yml

@@ -11,6 +11,8 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   update_release_draft:
     runs-on: ubuntu-latest

.github/workflows/slash-command-dispatch.yml

@@ -3,11 +3,15 @@
 # Currently, only one slash command `format` is supported.
 #
 name: Slash Command Dispatch
+
 on:
   issue_comment:
     types: [created]
     # Add "edited" type for test purposes. Where possible, avoid using to prevent processing unnecessary events.
     # types: [created, edited]
+
+permissions: {}
+
 jobs:
   slashCommandDispatch:
     if: ${{ github.event.issue.pull_request }}

.github/workflows/style_checks.yaml

@@ -16,6 +16,8 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions: {}
+
 jobs:
   style_check:
     name: Style Checks
@@ -25,6 +27,8 @@ jobs:
       # Checkout current git repository
       - name: Checkout
         uses: actions/[email protected]
+        with:
+          persist-credentials: false
 
       # Setup Python
       - name: Set up Python

.github/workflows/type_checks.yml

@@ -25,6 +25,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
+permissions: {}
+
 jobs:
   static_check:
     name: Static Type Check
@@ -34,6 +36,8 @@ jobs:
       # Checkout current git repository
       - name: Checkout
         uses: actions/[email protected]
+        with:
+          persist-credentials: false
 
       # Setup Python
       - name: Set up Python

.pre-commit-config.yaml

@@ -15,6 +15,11 @@ repos:
     - id: remove-crlf
     - id: chmod
       args: ['644']
+- repo: https://github.com/woodruffw/zizmor-pre-commit
+  rev: v1.5.1
+  hooks:
+  - id: zizmor
+
 
 # https://pre-commit.ci/#configuration
 ci: