
Add zizmor github actions security analysis workflow #1813


Open · wants to merge 1 commit into base: master

Conversation

@notmandatory (Member) commented Jan 28, 2025

Description

Added a workflow to run zizmor GitHub Actions security analysis.

See: https://woodruffw.github.io/zizmor/usage/#use-in-github-actions

Notes to the reviewers

I built this PR on top of #1778.

I pinned zizmor to version 1.6.0, and rust-cache to 2.7.8 (hash 9d47c6ad4b02e050fd481d890b2ea34778fd09d6).

Changelog notice

ci: add zizmor github actions security analysis workflow and fix possible vulnerabilities

Checklists

All Submissions:

  • I've signed all my commits
  • I followed the contribution guidelines
  • I ran cargo fmt and cargo clippy before committing
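As an added illustration of the version-pinning point in the notes above (this is example code written for this page, not code from the PR, the bdk repository or the zizmor project): a small dependency-free Python checker that lists every `uses:` reference in a workflow file and flags the ones not pinned to a full 40-character commit SHA, so a mutable tag such as `astral-sh/setup-uv@v5` is reported while `Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6` passes. The embedded workflow text is constructed for the example; the `actions/checkout` step and the local action path in it are assumptions, not lines from the PR.

```python
import re

# Constructed sample workflow (not the PR's file). It mixes the references
# discussed in the PR (setup-uv@v5, rust-cache pinned at a commit hash) with
# an assumed checkout step and an assumed local action.
SAMPLE_WORKFLOW = """\
name: zizmor
on: [pull_request]
permissions:
  contents: read
  actions: read
jobs:
  zizmor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
      - name: Install the latest version of uv
        uses: astral-sh/setup-uv@v5
      - name: Run zizmor
        run: uvx zizmor --format sarif . > results.sarif
      - uses: ./.github/actions/local-step
"""

# Matches `uses: <ref>` whether or not the line starts a list item, and stops
# the captured ref at whitespace, quotes or a trailing `# comment`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Return (line_number, reference) for every `uses:` entry in the text."""
    refs = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            refs.append((lineno, m.group(1)))
    return refs


def is_pinned(ref):
    """True when a remote action reference is pinned to a full commit SHA.

    Local (./...) and docker:// references are not resolved from a git tag by
    the runner, so there is no floating ref to pin; they are treated as pinned.
    A reference with no @ at all resolves to the default branch and is unpinned.
    """
    if ref.startswith("./") or ref.startswith("docker://"):
        return True
    if "@" not in ref:
        return False
    _, _, version = ref.rpartition("@")
    return bool(FULL_SHA_RE.match(version))


def unpinned_actions(workflow_text):
    """List (line_number, reference) for every action not pinned to a SHA."""
    return [(ln, ref) for ln, ref in parse_uses(workflow_text) if not is_pinned(ref)]


if __name__ == "__main__":
    for ln, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {ln}: {ref} is not pinned to a full commit SHA")
```

Run as-is it reports the two tag-pinned steps of the sample; point `unpinned_actions` at the contents of any workflow under `.github/workflows/` to audit a repository. A tag or branch can be moved to new code after review, a commit SHA cannot, which is why the PR pins rust-cache by hash and why unpinned `uses:` references are among the things zizmor itself audits; the trailing `# v2.7.8` comment keeps the human-readable version next to the hash for reviewers.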

@notmandatory notmandatory requested review from ValuedMammal and removed request for ValuedMammal January 28, 2025 02:26
@notmandatory notmandatory self-assigned this Jan 28, 2025
@github-advanced-security (bot)

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@notmandatory notmandatory added this to the 1.1.0 milestone Jan 28, 2025
@notmandatory notmandatory changed the title Ci/zizmor Add zizmor github actions security analysis workflow Jan 28, 2025
@notmandatory (Member, Author)

Rebased on the updated and merged #1778; ready to review and merge, zizmor finds no issues now.

@oleonardolima (Contributor) left a comment

Overall it looks good and it's a pretty good addition.

I left a minor comment and another one regarding my concern about relying on another action for what seems to be just Python package management.

Review comment on the lines:

    contents: read
    actions: read

Contributor:

As this is a public repo, this could be removed?

Comment on lines 24 to 29:

      - name: Install the latest version of uv
        uses: astral-sh/setup-uv@v5

      - name: Run zizmor 🌈
        run: uvx zizmor --format sarif . > results.sarif
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Contributor:

I like the idea of having a zizmor job; however, I'm wondering if there's another simpler/safer way to run it, instead of bringing in this new action (setup-uv), AFAICT just for the Python package manager 🤔

@notmandatory notmandatory modified the milestones: 1.1.0, 1.2.0 Feb 4, 2025
@notmandatory (Member, Author)

Took this out of the bdk_wallet 1.1 milestone since we're tagging the release tomorrow.

@notmandatory notmandatory modified the milestone: 1.2.0 Feb 21, 2025
@notmandatory notmandatory moved this from Needs Review to In Progress in BDK Wallet Mar 10, 2025
@ValuedMammal ValuedMammal modified the milestones: 1.2.0, 1.3.0 Apr 3, 2025
@notmandatory notmandatory added github_actions Pull requests that update GitHub Actions code and removed ci labels Apr 3, 2025
@notmandatory (Member, Author)

Moved to bdk_wallet repo: bitcoindevkit/bdk_wallet#8

@github-project-automation github-project-automation bot moved this from In Progress to Done in BDK Wallet Apr 3, 2025
@notmandatory (Member, Author)

Reopening since we need to audit CI actions for this repo too.

@notmandatory (Member, Author)

Pushed changes to match bitcoindevkit/bdk_wallet#8.

@notmandatory notmandatory force-pushed the ci/zizmor branch 2 times, most recently from 2ed16e8 to 0e048a1 Compare April 23, 2025 02:32
@oleonardolima (Contributor) left a comment

utACK 2a2f04c
AFAICT the conflicts are only happening as [email protected] was bumped recently.

Labels: github_actions (Pull requests that update GitHub Actions code)
Projects: Status: In Progress
3 participants