Run `zizmor` over all GitHub Actions workflow files

[agriyakhetarpal]

https://github.com/woodruffw/zizmor is a static analysis tool for GitHub Actions that we should use to evaluate and improve the security of our repository.

Here's the documentation: https://woodruffw.github.io/zizmor/

• Run zizmor over all workflow files with the --pedantic option
• Address all issues raised by it
• Add it as a pre-commit hook

[JC230903]

Hi @agriyakhetarpal, I’d like to work on this issue!
I’ll start by running Zizmor on my local system to check the findings and understand the necessary fixes. Once I have a clearer picture, I’ll address the issues and look into integrating Zizmor as a pre-commit hook.

I’ll update here once I’ve analyzed the results. Let me know if there are any specific concerns I should keep in mind while working on this. Looking forward to contributing!

[agriyakhetarpal]

That sounds good to me, thanks! It's definitely useful to explore the tool locally and get an idea of what it's about. Looking forward to your results!

[JC230903]

Hi @agriyakhetarpal,

I’ve run Zizmor on all the GitHub workflow files and set up a pre-commit hook. i have found that the audit has identified several key issues:

• Run zizmor over all workflow files with the --pedantic option

• Address all issues raised by it

• Add it as a pre-commit hook

High Confidence:
Template Injection: Lack of input validation in run_benchmarks_over_history.yml.
Excessive Permissions: Some workflows use read-all permissions.

Medium Confidence:
Broad Permissions: Workflows are using overly general permissions.
Default Permissions: Permissions should be explicitly defined.
Low Confidence:
Credential Persistence: GitHub Actions artifacts may persist credentials.
Cache Poisoning: Docker builds are at risk of cache poisoning.

Main Causes:
Missing input validation.
Broad or undefined permissions.
Not setting persist-credentials: false in checkout actions.
Default permissions and improper caching in Docker.
let me know if you recommend any key areas for me to work on!

[agriyakhetarpal]

Thanks, @JC230903. I think it would be good to address all the issues noted at once and add the hook to pre-commit-config.yaml in the same PR. Please feel free to open a PR, and I can help out if you get stuck somewhere.

[JC230903]

@agriyakhetarpal

That sounds good—I’ll address all the issues and update pre-commit-config.yaml in the same PR. Before I start, do you have any specific recommendations or things I should keep in mind while making these changes?

I’ll open a PR soon and will reach out if I run into any issues.

[agriyakhetarpal]

Before I start, do you have any specific recommendations or things I should keep in mind while making these changes?

Not at the moment, thanks!

You may refer to scikit-image/scikit-image#7662 to see how other projects are doing it.

[kratman]

FYI: https://github.com/pybamm-team/PyBaMM/security/code-scanning

Dependabot already does a bunch of these checks

[agriyakhetarpal]

Yes, I'm aware, @kratman. The idea is that Dependabot doesn't run ahead of time and GitHub doesn't seem to consider this page to be prominent enough to surface it more often. Having a pre-commit hook solves this in some sort because it prevents improper workflows from being pushed.