Skip to content

Commit 5e2ef57

Browse files
authored
GitHub Actions - security updates (#7138)
* Update GitHub actions and pin shas Signed-off-by: Phil Ewels <phil.ewels@seqera.io> * Don't persist credentials, avoid template-injection See https://docs.zizmor.sh/audits/\#template-injection Signed-off-by: Phil Ewels <phil.ewels@seqera.io> * Add least-privilege permissions blocks, fix template-injection in git config - Add explicit permissions blocks (workflow + job level, contents: read where possible) to build, cffconvert, docs, stale - stale job gets issues: write + pull-requests: write (only what actions/stale actually needs) - Move github.event.pusher.name/email out of the git config run script and into env vars to prevent shell injection via a malicious pusher Signed-off-by: Phil Ewels <phil.ewels@seqera.io> * Revert: leave credentials for build + publish, where they're needed Signed-off-by: Phil Ewels <phil.ewels@seqera.io> --------- Signed-off-by: Phil Ewels <phil.ewels@seqera.io>
1 parent c3ce1d0 commit 5e2ef57

5 files changed

Lines changed: 64 additions & 23 deletions

File tree

.github/workflows/build.yml

Lines changed: 35 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -17,10 +17,15 @@ on:
1717
types: [opened, reopened, synchronize]
1818
workflow_dispatch:
1919

20+
permissions:
21+
contents: read
22+
2023
jobs:
2124
build:
2225
name: Build
2326
runs-on: ubuntu-latest
27+
permissions:
28+
contents: read
2429
timeout-minutes: 100
2530
strategy:
2631
fail-fast: false
@@ -29,10 +34,11 @@ jobs:
2934

3035
steps:
3136
- name: Checkout
32-
uses: actions/checkout@v4
37+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
3338
with:
3439
fetch-depth: 1
3540
submodules: true
41+
persist-credentials: false
3642

3743
- name: Get the commit message
3844
id: get_commit_message
@@ -62,7 +68,7 @@ jobs:
6268
NXF_GITHUB_ACCESS_TOKEN: ${{ secrets.NXF_GITHUB_ACCESS_TOKEN }}
6369

6470
- name: Setup Java ${{ matrix.java_version }}
65-
uses: actions/setup-java@v4
71+
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
6672
with:
6773
java-version: ${{matrix.java_version}}
6874
distribution: 'temurin'
@@ -99,7 +105,7 @@ jobs:
99105

100106
- name: Publish tests report
101107
if: always()
102-
uses: actions/upload-artifact@v4
108+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
103109
with:
104110
name: report-unit-tests-jdk-${{ matrix.java_version }}
105111
path: |
@@ -112,6 +118,8 @@ jobs:
112118
if: ${{ !contains(needs.build.outputs.commit_message, '[ci fast]') }}
113119
needs: build
114120
runs-on: ubuntu-latest
121+
permissions:
122+
contents: read
115123
timeout-minutes: 90
116124
strategy:
117125
fail-fast: false
@@ -120,10 +128,11 @@ jobs:
120128
test_mode: ["test_integration", "test_parser_v2", "test_docs", "test_aws", "test_azure", "test_google", "test_wave"]
121129
steps:
122130
- name: Checkout
123-
uses: actions/checkout@v4
131+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
124132
with:
125133
fetch-depth: 1
126134
submodules: true
135+
persist-credentials: false
127136

128137
- name: Setup env
129138
run: |
@@ -134,7 +143,7 @@ jobs:
134143
NXF_GITHUB_ACCESS_TOKEN: ${{ secrets.NXF_GITHUB_ACCESS_TOKEN }}
135144

136145
- name: Setup Java ${{ matrix.java_version }}
137-
uses: actions/setup-java@v4
146+
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
138147
with:
139148
java-version: ${{matrix.java_version}}
140149
distribution: 'temurin'
@@ -177,7 +186,7 @@ jobs:
177186
tar -cvf validation-tests.tar.gz validation
178187
179188
- name: Publish tests report
180-
uses: actions/upload-artifact@v4
189+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
181190
if: always()
182191
with:
183192
name: report-${{ matrix.test_mode }}-jdk-${{ matrix.java_version }}
@@ -195,13 +204,14 @@ jobs:
195204
contents: write # Allow writing to repository contents
196205
steps:
197206
- name: Checkout
198-
uses: actions/checkout@v4
207+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
199208
with:
200209
fetch-depth: 1
201210
submodules: true
211+
persist-credentials: false
202212

203213
- name: Setup Java 17
204-
uses: actions/setup-java@v4
214+
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
205215
with:
206216
java-version: 17
207217
distribution: 'temurin'
@@ -213,10 +223,12 @@ jobs:
213223
wget -q -O wave https://github.com/seqeralabs/wave-cli/releases/download/v1.4.1/wave-1.4.1-linux-x86_64
214224
chmod +x wave
215225
mv wave /usr/local/bin/
216-
echo "COMMIT_MESSAGE=\"${{ needs.build.outputs.commit_message }}\"" >> $GITHUB_ENV
226+
echo "COMMIT_MESSAGE=\"${NEEDS_BUILD_OUTPUTS_COMMIT_MESSAGE}\"" >> $GITHUB_ENV
227+
env:
228+
NEEDS_BUILD_OUTPUTS_COMMIT_MESSAGE: ${{ needs.build.outputs.commit_message }}
217229

218230
- name : Docker Login to Seqera public CR
219-
uses : docker/login-action@v3
231+
uses : docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
220232
with :
221233
registry : "public.cr.seqera.io"
222234
username : "public-cr-admin"
@@ -242,33 +254,40 @@ jobs:
242254
pull-requests: write
243255
issues: write
244256
steps:
257+
# Intentionally persists credentials: the `release` task in
258+
# packing.gradle runs `git push` and `git push origin vX.Y.Z` against
259+
# this repo; both rely on actions/checkout having written the token
260+
# into .git/config as http.extraheader.
245261
- name: Checkout
246-
uses: actions/checkout@v4
262+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked]
247263
with:
248264
fetch-depth: 0
249265
submodules: true
250266

251267
- name: Setup Java 17
252-
uses: actions/setup-java@v4
268+
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
253269
with:
254270
java-version: 17
255271
distribution: 'temurin'
256272
architecture: x64
257273
cache: gradle
258274

259275
- name: Configure Git
276+
env:
277+
GIT_USER_NAME: ${{ github.event.pusher.name || github.actor }}
278+
GIT_USER_EMAIL: ${{ github.event.pusher.email || format('{0}@users.noreply.github.com', github.actor) }}
260279
run: |
261-
git config --global user.name "${{ github.event.pusher.name || github.actor }}"
262-
git config --global user.email "${{ github.event.pusher.email || format('{0}@users.noreply.github.com', github.actor) }}"
280+
git config --global user.name "$GIT_USER_NAME"
281+
git config --global user.email "$GIT_USER_EMAIL"
263282
264283
- name: Docker Login to Docker Hub
265-
uses: docker/login-action@v3
284+
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
266285
with:
267286
username: ${{ vars.DOCKERHUB_USERNAME }}
268287
password: ${{ secrets.DOCKERHUB_TOKEN }}
269288

270289
- name: Docker Login to Seqera public CR
271-
uses: docker/login-action@v3
290+
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
272291
with:
273292
registry: "public.cr.seqera.io"
274293
username: ${{ vars.SEQERA_PUBLIC_CR_USERNAME }}

.github/workflows/cffconvert.yml

Lines changed: 9 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -5,15 +5,22 @@ on:
55
paths:
66
- CITATION.cff
77

8+
permissions:
9+
contents: read
10+
811
jobs:
912
validate:
1013
name: "validate"
1114
runs-on: ubuntu-latest
15+
permissions:
16+
contents: read
1217
steps:
1318
- name: Check out a copy of the repository
14-
uses: actions/checkout@v4
19+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
20+
with:
21+
persist-credentials: false
1522

1623
- name: Check whether the citation metadata from CITATION.cff is valid
17-
uses: citation-file-format/cffconvert-github-action@2.0.0
24+
uses: citation-file-format/cffconvert-github-action@4cf11baa70a673bfdf9dad0acc7ee33b3f4b6084 # 2.0.0
1825
with:
1926
args: "--validate"

.github/workflows/claude.yml

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -25,12 +25,13 @@ jobs:
2525
id-token: write
2626
steps:
2727
- name: Checkout repository
28-
uses: actions/checkout@v4
28+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2929
with:
3030
fetch-depth: 1
31+
persist-credentials: false
3132

3233
- name: Run Claude PR Action
33-
uses: anthropics/claude-code-action@beta
34+
uses: anthropics/claude-code-action@f4fb5c6cdccc1ee7af63692f5d08d56efaa64cc8 # v1.0.121
3435
with:
3536
anthropic_api_key: ${{ secrets.NEXTFLOW_ANTHROPIC_API_KEY }}
3637
timeout_minutes: "60"

.github/workflows/docs.yml

Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -5,13 +5,21 @@ on:
55
paths:
66
- 'docs/**'
77
workflow_dispatch:
8+
9+
permissions:
10+
contents: read
11+
812
jobs:
913
docs-build:
1014
name: Build
1115
runs-on: ubuntu-latest
16+
permissions:
17+
contents: read
1218
steps:
13-
- uses: actions/checkout@v4
14-
- uses: actions/setup-python@v4
19+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
20+
with:
21+
persist-credentials: false
22+
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
1523
with:
1624
python-version: '3.9.25'
1725

.github/workflows/stale.yml

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,11 +4,17 @@ on:
44
- cron: '30 1 * * *'
55
workflow_dispatch:
66

7+
permissions:
8+
contents: read
9+
710
jobs:
811
stale:
912
runs-on: ubuntu-latest
13+
permissions:
14+
issues: write
15+
pull-requests: write
1016
steps:
11-
- uses: actions/stale@v9
17+
- uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
1218
with:
1319
days-before-stale: 180
1420
days-before-close: -1

0 commit comments

Comments
 (0)