Lint our GitHub Actions workflows with zizmor

zizmor is a new tool to lint GitHub Actions workflows. For the most part our workflows are pretty low risk since we don't give it a bunch of credentials, but we can avoid issues in the future by locking them down now. The only issue that needed fixing was setting persist-credentials: false for actions/checkout, which we do everywhere except in the workflows that need to push. While zizmor is written in Rust, it is also shipped as a prebuilt binary via PyPI, so we can set it as a poetry dependency and run it as part of our normal lint CI. Refs <freedomofpress/securedrop-tooling#18>.
freedomofpress · Dec 20, 2024 · 2027441 · 2027441
1 parent 73fc073
commit 2027441
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 3 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -11,6 +11,8 @@ jobs:
     steps:
       - run: dnf install -y git make
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install dependencies
         run: |
           make test-deps
@@ -27,6 +29,8 @@ jobs:
     steps:
       - run: dnf install -y git make
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install dependencies
         run: |
           make build-deps
@@ -45,6 +49,8 @@ jobs:
     steps:
       - run: dnf install -y make
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install dependencies
         run: |
           make test-deps

diff --git a/.github/workflows/nightlies.yml b/.github/workflows/nightlies.yml
@@ -23,6 +23,8 @@ jobs:
     steps:
       - run: dnf install -y make git
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install dependencies
         run: make build-deps
       - name: Build RPM
@@ -56,6 +58,8 @@ jobs:
           path: "securedrop-yum-test"
           lfs: true
           token: ${{ secrets.PUSH_TOKEN }}
+          # We need to store credentials here
+          persist-credentials: true
       - name: Commit and push
         run: |
           git config --global user.email "[email protected]"

diff --git a/Makefile b/Makefile
@@ -210,7 +210,7 @@ venv: ## Provision a Python 3 virtualenv for development (ensure to also install
 check: lint test ## Runs linters and tests
 
 .PHONY: lint
-lint: check-ruff mypy rpmlint shellcheck ## Runs linters (ruff, mypy, rpmlint, and shellcheck)
+lint: check-ruff mypy rpmlint shellcheck zizmor ## Runs all linters
 
 .PHONY: test-launcher
 test-launcher: ## Runs launcher tests
@@ -238,6 +238,10 @@ rpmlint: ## Runs rpmlint on the spec file
 shellcheck: ## Runs shellcheck on all shell scripts
 	./scripts/shellcheck.sh
 
+.PHONY: zizmor
+zizmor: ## Lint GitHub Actions workflows
+	poetry run zizmor .
+
 # Explanation of the below shell command should it ever break.
 # 1. Set the field separator to ": ##" to parse lines for make targets.
 # 2. Check for second field matching, skip otherwise.

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -25,6 +25,7 @@ types-setuptools = "^75.6.0"
 ruff = "^0.8.3"
 python-debian = "^0.1.49"
 pysequoia = "^0.1.25"
+zizmor = "*"
 
 [tool.ruff]
 line-length = 100