CI: add actionlint #539

Open
smelc wants to merge 5 commits from smelc/smelc/ci-add-actionlint into main
smelc commented 2025-05-09 12:31:08 +00:00 (Migrated from github.com)

## Context

While working on plugging CodeQL in this repository, I noticed there was no check on the quality of workflow files, so I'm proposing to add one.

## How to trust this PR

* [actionlint](https://github.com/rhysd/actionlint) is a well-established checker
* There was only one warning found by actionlint, which I fixed in the second commit: well done team 👏
* I ran this pipeline manually on my fork, it looks like this (when the only warning is not corrected: [this run](https://github.com/smelc/nix-security-tracker/actions/runs/14882894784/job/41794975378)):

![image](https://github.com/user-attachments/assets/a2e98acf-970b-4014-933d-4388b4aa89eb)
raboof (Migrated from github.com) reviewed 2025-05-09 12:31:08 +00:00
raboof (Migrated from github.com) reviewed 2025-05-09 14:44:06 +00:00
raboof (Migrated from github.com) commented 2025-05-09 14:37:43 +00:00

I'm not sure I understand this comment - does that apply for this repo?

@ -0,0 +5,4 @@
paths:
- ".github/workflows/**"
push:
branches: main
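Review bot: the `paths` filter is nested under the first trigger only; the `push` trigger that follows carries just `branches: main`, so every push to main runs the workflow regardless of which files changed, while pull requests are filtered. If the intent is to run only when workflows change, repeat the same `paths:` block under `push:`. Keep in mind that if this path-filtered workflow is later made a required status check, PRs that do not touch `.github/workflows/**` will wait on a check that never reports.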
raboof (Migrated from github.com) commented 2025-05-09 14:37:17 +00:00

should we restrict this to PRs that touch the workflows?

@ -0,0 +27,4 @@
- name: Download actionlint
id: get_actionlint
run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
shell: bash
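Review bot: `run` fetches the installer from the `main` branch of a third-party repository and executes it unreviewed, and because `curl` is used without `-f`/`--fail` an HTTP error page would be handed to `bash` as a script instead of failing the step; worse, if the download fails outright the process substitution yields an empty script, `bash` exits 0, and the step passes silently with no `executable` output. Pin the URL to a tag or commit SHA you have read and use `curl -fsSL`; better still, download the script to a file and check it against a recorded sha256 before running it.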
raboof (Migrated from github.com) commented 2025-05-09 14:43:15 +00:00

This basically runs arbitrary code from a 3rd-party repo. When triggered with 'push' or 'workflow_dispatch', I'm pretty sure a GitHub Action runs with access to privileges (the 'permissive' set in https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).

Could we lock down the token for this workflow? And disable `persist-credentials` for the checkout action above? (https://github.com/actions/checkout/)

smelc (Migrated from github.com) reviewed 2025-05-09 14:52:00 +00:00
smelc (Migrated from github.com) commented 2025-05-09 14:52:00 +00:00

Indeed sorry, this is coming from another repo of mine. I removed the comment 👍

smelc (Migrated from github.com) reviewed 2025-05-09 14:58:13 +00:00
@ -0,0 +5,4 @@
paths:
- ".github/workflows/**"
push:
branches: main
smelc (Migrated from github.com) commented 2025-05-09 14:58:13 +00:00

That makes sense 👍

Done that using a [path filter](https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore) in the additional commit `ci: run actionlint only when .github/workflows/** changes`.

@raboof> please make sure to check that the workflow indeed runs on this PR when you approve them.

smelc (Migrated from github.com) reviewed 2025-05-09 15:15:29 +00:00
@ -0,0 +27,4 @@
- name: Download actionlint
id: get_actionlint
run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
shell: bash
smelc (Migrated from github.com) commented 2025-05-09 15:15:29 +00:00

@raboof> set `persist-credentials` to false (thanks, didn't know about this one) and restricted `GITHUB_TOKEN`'s rights to the minimum 👍 See the last two commits.

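The hardened shape this thread converges on (path filter on both triggers, read-only `GITHUB_TOKEN`, `persist-credentials: false` on checkout, and a pinned installer download that fails loudly), written out as an added example that is not the PR's own workflow file. The `ACTIONLINT_REF` value and the commented checksum line are placeholders to fill in after auditing the download script; `steps.get_actionlint.outputs.executable` is the output the actionlint download script documents.

```yaml
# Added example, not the workflow from this PR: an actionlint workflow with the
# hardening discussed in the review above. Placeholders are marked as such.
name: actionlint

on:
  pull_request:
    paths:
      - ".github/workflows/**"
  push:
    branches: [main]
    # Same filter on push, otherwise every push to main runs the job.
    paths:
      - ".github/workflows/**"

# Least privilege: linting only needs to read the repository contents.
# This replaces the default 'permissive' GITHUB_TOKEN for the whole workflow.
permissions:
  contents: read

jobs:
  actionlint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # pin to a full commit SHA in a real repo
        with:
          # Do not leave GITHUB_TOKEN in .git/config for later steps to read.
          persist-credentials: false

      - name: Download actionlint
        id: get_actionlint
        shell: bash
        run: |
          set -euo pipefail
          # Pin the installer to a tag or commit you have read, not 'main'.
          # ACTIONLINT_REF is a placeholder (assumption), replace it.
          ACTIONLINT_REF="<tag-or-commit-sha>"
          # -f makes curl fail on HTTP errors instead of handing an error page
          # to bash; writing to a file lets us verify it before executing it.
          curl -fsSL \
            "https://raw.githubusercontent.com/rhysd/actionlint/${ACTIONLINT_REF}/scripts/download-actionlint.bash" \
            -o download-actionlint.bash
          # Optional: compare with the sha256 recorded when the script was audited.
          # echo "<sha256>  download-actionlint.bash" | sha256sum -c -
          bash download-actionlint.bash

      - name: Check workflow files
        shell: bash
        # Pass the step output through an env var rather than interpolating
        # ${{ }} directly into the shell command.
        env:
          ACTIONLINT: ${{ steps.get_actionlint.outputs.executable }}
        run: "$ACTIONLINT" -color
```

With `permissions: contents: read` at the top level, a compromised installer script running in this job holds a token that can neither push nor write to issues, PRs or packages, and with `persist-credentials: false` that token is also absent from the checked-out working tree.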
Erethon (Migrated from github.com) reviewed 2025-05-09 15:54:18 +00:00
@ -0,0 +27,4 @@
- name: Download actionlint
id: get_actionlint
run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
shell: bash
Erethon (Migrated from github.com) commented 2025-05-09 15:54:18 +00:00

> @raboof> set `persist-credentials` to false (thanks, didn't know about this one) and restricted `GITHUB_TOKEN`'s rights to the minimum 👍 See the last two commits.

You might be interested in https://github.com/woodruffw/zizmor that catches this. If you want an example of how it's already used in nixos/infra, https://github.com/NixOS/infra/blob/b464b1d87008ce8b61838a7d6ae55fa9b2cd5f11/.github/workflows/zizmor.yml