build(security): harden GitHub Actions workflows #2336
- Add zizmor CI workflow for static security analysis
- Set top-level permissions: {} on all workflows, per-job grants with comments
- Add persist-credentials: false to all checkout steps
- Add concurrency limits to pr-labeler and reset-safe-for-build-label
- Add job names to all anonymous jobs
- Replace softprops/action-gh-release with gh release create
- Switch to PyPI trusted publishing (OIDC), remove static credentials
- Remove RELEASE_PAT_TOKEN usage, use GITHUB_TOKEN instead
- Add environment scoping (ci, release) for secret access
- Set 7-day dependency update cooldown (Dependabot + Renovate)
- Add .github/CREDENTIALS.md documenting secrets and environments
Made-with: Cursor
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security and maintainability of the project's GitHub Actions workflows. It transitions critical operations like PyPI publishing and git pushes to more secure, credential-less methods, introduces static security analysis for workflows, and standardizes dependency update policies. The changes aim to reduce attack surface, improve compliance, and provide clearer documentation for CI/CD configurations.
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security posture and maintainability of the project's GitHub Actions workflows. It transitions credential management to more secure methods like OIDC and
Code Review
This pull request introduces a new CREDENTIALS.md file to document GitHub Actions secrets, environments, and PyPI trusted publishing. It also configures a 7-day dependency update cooldown for both Dependabot and Renovate, and adds an empty zizmor.yml file. A review comment suggests improving consistency in the CREDENTIALS.md file by changing the 'CI' environment name to lowercase 'ci'.
.github/CREDENTIALS.md
| | Environment | Purpose | Used by | | ||
| |---|---|---| | ||
| | `CI` | Integration/functional tests | `integration-tests.yml` | |
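Review bot: the environment in the last row is spelled `CI`, while the pull request description lists the environments as `ci` and `release`. Spell it in the table exactly as the `environment:` key in `integration-tests.yml` has it, so the document can be checked against the workflow with a plain search.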
For consistency with other environment names (release, github-pages, main, test) which are lowercase, consider changing CI to ci. This improves readability and adheres to a consistent naming convention within the documentation.
| | `CI` | Integration/functional tests | `integration-tests.yml` | | |
| | `ci` | Integration/functional tests | `integration-tests.yml` | |
Code Review
This pull request introduces a new CREDENTIALS.md file documenting secrets and environments, configures a 7-day dependency update cooldown for Dependabot and Renovate, and adds a zizmor.yml file for static security analysis. The review points out a potential case sensitivity inconsistency for the CI environment name in CREDENTIALS.md and raises a concern about the effectiveness of the empty rules: {} block in zizmor.yml for security analysis.
.github/CREDENTIALS.md
| | Environment | Purpose | Used by | | ||
| |---|---|---| | ||
| | `CI` | Integration/functional tests | `integration-tests.yml` | |
The environment name CI is capitalized here, but the pull request description mentions ci (lowercase) for integration tests. GitHub Actions environment names are case-sensitive. Please ensure consistency between the documentation and the actual environment name configured in GitHub to avoid confusion or potential misconfigurations.
| @@ -0,0 +1 @@ | |||
| rules: {} | |||
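Review bot: the one-line `rules: {}` in this new file carries no comment saying why the mapping is empty, so a reader cannot tell from the file whether that is deliberate or a placeholder. Add a comment above it stating the intent, for example that no audits are ignored or reconfigured, or drop the file until there is an override to record.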
The zizmor.yml file is added for static security analysis, but it contains an empty rules: {} block. If zizmor requires explicit rules to perform meaningful security analysis, this configuration might not be effectively contributing to the workflow hardening objective as described in the PR title. Please ensure that the necessary rules are defined or clarify if rules: {} is intended to use default analysis rules.
Summary
- permissions: {}, per-job grants with comments, persist-credentials: false, concurrency limits, job names
- PIPY_USERNAME/PIPY_PASSWORD static credentials
- RELEASE_PAT_TOKEN dependency — use GITHUB_TOKEN with explicit remote URL for git push
- softprops/action-gh-release third-party action with gh release create
- ci for integration tests, release for releases)
- default-days: 7 + Renovate minimumReleaseAge: "7 days")
- .github/CREDENTIALS.md documenting all secrets, environments, and pending cleanup

Before merging

- giskard-core, giskard-agents, giskard-checks (Owner: Giskard-AI, Repo: giskard-oss, Workflow: release.yml, Environment: release)
- ci and release GitHub environments exist with the required secrets

After merging

- RELEASE_PAT_TOKEN from org secrets
- PIPY_USERNAME/PIPY_PASSWORD after confirming trusted publishing works
- github-pages, main, test) for removal

Made with Cursor
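A minimal release workflow that applies the hardening items listed in this pull request, as an added example and not the repository's own `release.yml`. The tag trigger, job names, build command, single-package layout and the `<full-commit-sha>` pins are assumptions or placeholders.

```yaml
# Illustrative sketch only; not the repository's release.yml.
name: release
on:
  push:
    tags: ["v*"]            # assumed trigger

permissions: {}             # deny everything by default; grant per job below

concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: false # never cancel a publish that is already running

jobs:
  publish:
    name: Build and publish to PyPI
    runs-on: ubuntu-latest
    environment: release    # the PyPI trusted publisher is bound to this environment
    permissions:
      contents: read        # checkout only
      id-token: write       # OIDC token exchanged with PyPI, no stored password
    steps:
      - uses: actions/checkout@<full-commit-sha>   # placeholder pin
        with:
          persist-credentials: false   # keep the token out of .git/config
      - run: pipx run build            # assumed build command, writes to dist/
      - uses: pypa/gh-action-pypi-publish@<full-commit-sha>   # placeholder pin

  github-release:
    name: Create GitHub release
    needs: publish
    runs-on: ubuntu-latest
    environment: release
    permissions:
      contents: write       # required to create the release
    steps:
      - uses: actions/checkout@<full-commit-sha>   # placeholder pin
        with:
          persist-credentials: false
      - run: gh release create "$TAG" --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}   # GITHUB_TOKEN instead of a PAT
          TAG: ${{ github.ref_name }}     # passed via env, not interpolated into the script
```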