[Workflows] Improve GitHub Actions Security hardening #117787
`zizmor`[^1] is a static analysis tool that identifies many common security problems in GitHub Actions workflows.

Running it on this repository produces 138 findings:

```
❯ zizmor .
[result details omitted]
138 findings: 0 unknown, 56 informational, 0 low, 41 medium, 41 high
```

This workflow runs `zizmor` whenever any workflow is changed. The results will be available under the "Code Scanning" page in the "Security" tab of this repository. (Viewing this page may require sufficient access rights to this repo.)

I've also fixed a few of the issues identified like the one below:

```
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/carlocab/github/llvm-project/.github/workflows/pr-subscriber.yml:16:9
   |
16 |         - name: Checkout Automation Script
   |  _________-
17 | |         uses: actions/checkout@v4
18 | |         with:
19 | |           sparse-checkout: llvm/utils/git/
20 | |           ref: main
   | |___________________- does not set persist-credentials: false
```

[^1]: https://github.com/woodruffw/zizmor
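As an added example (not code from this PR or from zizmor): a small line-based check for the `artipacked` pattern quoted above. It flags every `actions/checkout` step whose `with:` block does not set `persist-credentials: false` and records whether the action is pinned to a full commit SHA, running over a constructed sample workflow modelled on the excerpt, not the real file.

```python
import re

# Constructed sample shaped like the pr-subscriber.yml excerpt; not the real LLVM file.
SAMPLE_WORKFLOW = """\
name: PR Subscriber
on: pull_request
jobs:
  auto-subscribe:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Automation Script
        uses: actions/checkout@v4
        with:
          sparse-checkout: llvm/utils/git/
          ref: main
      - name: Checkout (hardened)
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          persist-credentials: false
      - name: Bare checkout
        uses: actions/checkout@v4
      - name: Run script
        run: python3 llvm/utils/git/github-automation.py
"""

STEP_RE = re.compile(r"^(\s*)-\s")                  # a list item, i.e. one step
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*actions/checkout@(\S+)")
NAME_RE = re.compile(r"^\s*(?:-\s+)?name:\s*(.+?)\s*$")
PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")              # pinned to a full commit

def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))

def audit_checkouts(text: str) -> list:
    """One record per actions/checkout step. `persists` is True when nothing in
    the step's `with:` block sets persist-credentials: false, so the token stays
    in .git/config for every later step (the artipacked case). Line-based on
    purpose: no YAML library needed; assumes block-style step lists."""
    lines = text.splitlines()
    records = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        start = i                 # walk back to the "- " that opens this step
        while start > 0 and not STEP_RE.match(lines[start]):
            start -= 1
        step_indent = _indent(lines[start])
        end = i + 1               # the step ends at the first line not indented deeper
        while end < len(lines) and (not lines[end].strip() or _indent(lines[end]) > step_indent):
            end += 1
        body = lines[start:end]
        name = next((n.group(1) for n in map(NAME_RE.match, body) if n), "<unnamed>")
        persist = next((p.group(1) for p in map(PERSIST_RE.match, body) if p), None)
        records.append({"line": i + 1, "name": name, "ref": m.group(1),
                        "pinned_to_sha": bool(SHA_RE.match(m.group(1))),
                        "persists": persist != "false"})
    return records
```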
@llvm/pr-subscribers-github-workflow
@llvm/pr-subscribers-libcxx

Author: Carlo Cabrera (carlocab)

Changes
Full diff: https://github.com/llvm/llvm-project/pull/117787.diff

27 Files Affected:
diff --git a/.github/workflows/build-ci-container.yml b/.github/workflows/build-ci-container.yml
index 28fc7de2ee0654..39b674158e81bd 100644
--- a/.github/workflows/build-ci-container.yml
+++ b/.github/workflows/build-ci-container.yml
@@ -28,6 +28,7 @@ jobs:
- name: Checkout LLVM
uses: actions/checkout@v4
with:
+ persist-credentials: false
sparse-checkout: .github/workflows/containers/github-action-ci/
- name: Change podman Root Direcotry
run: |
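Review bot: the addition is correct for this job: the checkout is a sparse read of `.github/workflows/containers/github-action-ci/` and nothing after it pushes, so the token had no legitimate consumer in `.git/config`. Keep in mind that `persist-credentials: false` only stops `actions/checkout` from writing the token into the repository's git config; a step that genuinely needs it must be handed `${{ github.token }}` through `env`, which also makes each use visible in review. Drive-by in the visible context: `Direcotry` in the step name is misspelled.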
@@ -67,6 +68,7 @@ jobs:
- name: Checkout LLVM
uses: actions/checkout@v4
with:
+ persist-credentials: false
sparse-checkout: .github/workflows/containers/github-action-ci/
- name: Change podman Root Direcotry
diff --git a/.github/workflows/ci-post-commit-analyzer.yml b/.github/workflows/ci-post-commit-analyzer.yml
index d614dd07b3a493..abf8f3a033accc 100644
--- a/.github/workflows/ci-post-commit-analyzer.yml
+++ b/.github/workflows/ci-post-commit-analyzer.yml
@@ -42,6 +42,8 @@ jobs:
steps:
- name: Checkout Source
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ persist-credentials: false
- name: Setup ccache
uses: hendrikmuhs/ccache-action@v1
diff --git a/.github/workflows/commit-access-review.yml b/.github/workflows/commit-access-review.yml
index f9195a1863deec..79d7624a7633d9 100644
--- a/.github/workflows/commit-access-review.yml
+++ b/.github/workflows/commit-access-review.yml
@@ -16,6 +16,8 @@ jobs:
steps:
- name: Fetch LLVM sources
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Install dependencies
run: |
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 800e9291573533..3e4b4d9b3965e6 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -62,6 +62,7 @@ jobs:
if: ${{ github.event_name == 'push' }}
uses: actions/checkout@v4
with:
+ persist-credentials: false
fetch-depth: 1
- name: Get subprojects that have doc changes
id: docs-changed-subprojects
@@ -98,6 +99,7 @@ jobs:
if: ${{ github.event_name == 'pull_request' }}
uses: actions/checkout@v4
with:
+ persist-credentials: false
fetch-depth: 1
- name: Setup Python env
uses: actions/setup-python@v5
diff --git a/.github/workflows/email-check.yaml b/.github/workflows/email-check.yaml
index 8f32d020975f5d..7459024cc071e8 100644
--- a/.github/workflows/email-check.yaml
+++ b/.github/workflows/email-check.yaml
@@ -16,6 +16,7 @@ jobs:
- name: Fetch LLVM sources
uses: actions/checkout@v4
with:
+ persist-credentials: false
ref: ${{ github.event.pull_request.head.sha }}
- name: Extract author email
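Review bot: this is one of the hunks where the setting matters most: the checkout materialises `${{ github.event.pull_request.head.sha }}`, the contributor's commit, and the `Extract author email` step then runs with that tree as its working directory, so without this line the token would have been sitting in `.git/config` next to PR-controlled files. Please confirm in the workflow header (outside the hunk) that the trigger is `pull_request` rather than `pull_request_target`; with the latter the token is write-capable and this setting is necessary rather than merely tidy.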
diff --git a/.github/workflows/issue-subscriber.yml b/.github/workflows/issue-subscriber.yml
index ef4fdf44181938..9eda3f7d00e608 100644
--- a/.github/workflows/issue-subscriber.yml
+++ b/.github/workflows/issue-subscriber.yml
@@ -16,6 +16,7 @@ jobs:
- name: Checkout Automation Script
uses: actions/checkout@v4
with:
+ persist-credentials: false
sparse-checkout: llvm/utils/git/
ref: main
diff --git a/.github/workflows/issue-write.yml b/.github/workflows/issue-write.yml
index 5334157a7fd204..8fc47e6a4dd53f 100644
--- a/.github/workflows/issue-write.yml
+++ b/.github/workflows/issue-write.yml
@@ -27,6 +27,7 @@ jobs:
- name: Fetch Sources
uses: actions/checkout@v4
with:
+ persist-credentials: false
sparse-checkout: |
.github/workflows/unprivileged-download-artifact/action.yml
sparse-checkout-cone-mode: false
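Review bot: worth a line in the commit message: this sparse checkout fetches only the local composite action `.github/workflows/unprivileged-download-artifact/action.yml`, and a workflow named `issue-write` presumably runs with write permissions on issues or pull requests, so here `persist-credentials: false` removes a write-capable token from disk rather than a read-only one. That is also an argument for keeping the setting in this file even if the read-only jobs are split into a separate patch.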
diff --git a/.github/workflows/libclang-abi-tests.yml b/.github/workflows/libclang-abi-tests.yml
index 9e839ff49e2835..26049e4958c866 100644
--- a/.github/workflows/libclang-abi-tests.yml
+++ b/.github/workflows/libclang-abi-tests.yml
@@ -40,6 +40,7 @@ jobs:
- name: Checkout source
uses: actions/checkout@v4
with:
+ persist-credentials: false
fetch-depth: 250
- name: Get LLVM version
diff --git a/.github/workflows/libcxx-build-and-test.yaml b/.github/workflows/libcxx-build-and-test.yaml
index cba8afbb54f0f0..a726273bf658f1 100644
--- a/.github/workflows/libcxx-build-and-test.yaml
+++ b/.github/workflows/libcxx-build-and-test.yaml
@@ -55,6 +55,8 @@ jobs:
cxx: 'g++-14'
steps:
- uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: ${{ matrix.config }}.${{ matrix.cxx }}
run: libcxx/utils/ci/run-buildbot ${{ matrix.config }}
env:
@@ -101,6 +103,8 @@ jobs:
cxx: 'clang++-18'
steps:
- uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: ${{ matrix.config }}
run: libcxx/utils/ci/run-buildbot ${{ matrix.config }}
env:
@@ -165,6 +169,8 @@ jobs:
container: ghcr.io/llvm/libcxx-linux-builder:0fd6f684b9c84c32d6cbfd9742402e788b2879f1
steps:
- uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: ${{ matrix.config }}
run: libcxx/utils/ci/run-buildbot ${{ matrix.config }}
env:
@@ -203,6 +209,8 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- uses: maxim-lobanov/setup-xcode@v1
with:
xcode-version: 'latest'
@@ -243,6 +251,8 @@ jobs:
- { config: mingw-incomplete-sysroot, mingw: true }
steps:
- uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Install dependencies
run: |
choco install -y ninja
diff --git a/.github/workflows/libcxx-build-containers.yml b/.github/workflows/libcxx-build-containers.yml
index 2d040f712ce592..f36c3ce013b290 100644
--- a/.github/workflows/libcxx-build-containers.yml
+++ b/.github/workflows/libcxx-build-containers.yml
@@ -34,6 +34,8 @@ jobs:
steps:
- uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Build the Linux builder image
working-directory: libcxx/utils/ci
diff --git a/.github/workflows/libcxx-check-generated-files.yml b/.github/workflows/libcxx-check-generated-files.yml
index 570055624b2a8d..d99a96c0122091 100644
--- a/.github/workflows/libcxx-check-generated-files.yml
+++ b/.github/workflows/libcxx-check-generated-files.yml
@@ -13,6 +13,8 @@ jobs:
steps:
- name: Fetch LLVM sources
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Install dependencies
uses: aminya/setup-cpp@v1
diff --git a/.github/workflows/llvm-project-tests.yml b/.github/workflows/llvm-project-tests.yml
index 95a3890c0d2dc7..0b87ef58d04a62 100644
--- a/.github/workflows/llvm-project-tests.yml
+++ b/.github/workflows/llvm-project-tests.yml
@@ -88,6 +88,7 @@ jobs:
# clean: false.
- uses: actions/checkout@v4
with:
+ persist-credentials: false
fetch-depth: 250
- name: Setup ccache
uses: hendrikmuhs/ccache-action@v1
diff --git a/.github/workflows/llvm-tests.yml b/.github/workflows/llvm-tests.yml
index 26e644229aaa26..5f3eed04f1c1b2 100644
--- a/.github/workflows/llvm-tests.yml
+++ b/.github/workflows/llvm-tests.yml
@@ -50,6 +50,7 @@ jobs:
- name: Checkout source
uses: actions/checkout@v4
with:
+ persist-credentials: false
fetch-depth: 250
- name: Get LLVM version
diff --git a/.github/workflows/merged-prs.yml b/.github/workflows/merged-prs.yml
index e29afd4097f9fb..957b423f44ff57 100644
--- a/.github/workflows/merged-prs.yml
+++ b/.github/workflows/merged-prs.yml
@@ -23,6 +23,7 @@ jobs:
- name: Checkout Automation Script
uses: actions/checkout@v4
with:
+ persist-credentials: false
sparse-checkout: llvm/utils/git/
ref: main
diff --git a/.github/workflows/new-prs.yml b/.github/workflows/new-prs.yml
index 88175d6f8d64d4..c23d51d481448c 100644
--- a/.github/workflows/new-prs.yml
+++ b/.github/workflows/new-prs.yml
@@ -37,6 +37,7 @@ jobs:
- name: Checkout Automation Script
uses: actions/checkout@v4
with:
+ persist-credentials: false
sparse-checkout: llvm/utils/git/
ref: main
diff --git a/.github/workflows/pr-code-format.yml b/.github/workflows/pr-code-format.yml
index f2bb37316d3a8b..3b1b542dbcb921 100644
--- a/.github/workflows/pr-code-format.yml
+++ b/.github/workflows/pr-code-format.yml
@@ -21,6 +21,7 @@ jobs:
- name: Fetch LLVM sources
uses: actions/checkout@v4
with:
+ persist-credentials: false
ref: ${{ github.event.pull_request.head.sha }}
- name: Checkout through merge base
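Review bot: the `Checkout through merge base` step that follows this checkout does its own git operations on the PR-head tree; with `persist-credentials: false` those still succeed for a public repository (fetches are anonymous), but anything that pushes or calls an authenticated endpoint would now fail. Please double-check that step's `run:` block only fetches and diffs; if it needs the token, pass `${{ github.token }}` via `env` for that one step rather than re-enabling persistence.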
@@ -42,6 +43,7 @@ jobs:
- name: Fetch code formatting utils
uses: actions/checkout@v4
with:
+ persist-credentials: false
repository: ${{ github.repository }}
ref: ${{ github.base_ref }}
sparse-checkout: |
diff --git a/.github/workflows/pr-request-release-note.yml b/.github/workflows/pr-request-release-note.yml
index 2fa501dda16bb3..0330ca0929737a 100644
--- a/.github/workflows/pr-request-release-note.yml
+++ b/.github/workflows/pr-request-release-note.yml
@@ -21,6 +21,7 @@ jobs:
- name: Checkout Scripts
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
+ persist-credentials: false
sparse-checkout: |
llvm/utils/git/requirements.txt
llvm/utils/git/github-automation.py
diff --git a/.github/workflows/pr-subscriber.yml b/.github/workflows/pr-subscriber.yml
index 272d3e2f9ef8a3..5708563bffd500 100644
--- a/.github/workflows/pr-subscriber.yml
+++ b/.github/workflows/pr-subscriber.yml
@@ -16,6 +16,7 @@ jobs:
- name: Checkout Automation Script
uses: actions/checkout@v4
with:
+ persist-credentials: false
sparse-checkout: llvm/utils/git/
ref: main
diff --git a/.github/workflows/release-asset-audit.yml b/.github/workflows/release-asset-audit.yml
index 018c5d542f32eb..285704d617b89b 100644
--- a/.github/workflows/release-asset-audit.yml
+++ b/.github/workflows/release-asset-audit.yml
@@ -23,6 +23,8 @@ jobs:
if: github.repository == 'llvm/llvm-project'
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+ with:
+ persist-credentials: false
- name: "Run Audit Script"
env:
GITHUB_TOKEN: ${{ github.token }}
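Review bot: a note for the commit message rather than a blocker: the `Run Audit Script` step immediately below still receives the token as `GITHUB_TOKEN: ${{ github.token }}` through `env`, so this hunk narrows where the token is available (one step's environment) instead of removing it from the job. That is the right shape; the explicit `env` hand-off is exactly what `persist-credentials: false` is meant to force.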
diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml
index 1cde628d3f66c3..8f5765e17b884b 100644
--- a/.github/workflows/release-binaries.yml
+++ b/.github/workflows/release-binaries.yml
@@ -70,6 +70,8 @@ jobs:
- name: Checkout LLVM
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ persist-credentials: false
- name: Install Dependencies
shell: bash
@@ -155,6 +157,7 @@ jobs:
- name: Checkout Actions
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
+ persist-credentials: false
ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }}
sparse-checkout: |
.github/workflows/
@@ -176,6 +179,7 @@ jobs:
- name: Checkout LLVM
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
+ persist-credentials: false
ref: ${{ needs.prepare.outputs.ref }}
- name: Copy main workflows
@@ -229,6 +233,7 @@ jobs:
- name: Checkout Actions
uses: actions/checkout@v4
with:
+ persist-credentials: false
ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }}
sparse-checkout: |
.github/workflows/
@@ -263,6 +268,7 @@ jobs:
- name: Checkout Actions
uses: actions/checkout@v4
with:
+ persist-credentials: false
ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }}
sparse-checkout: |
.github/workflows/
@@ -312,6 +318,7 @@ jobs:
- name: Checkout Actions
uses: actions/checkout@v4
with:
+ persist-credentials: false
ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }}
sparse-checkout: |
.github/workflows/
@@ -362,6 +369,7 @@ jobs:
- name: Checkout Actions
uses: actions/checkout@v4
with:
+ persist-credentials: false
ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }}
sparse-checkout: |
.github/workflows/
@@ -423,6 +431,7 @@ jobs:
- name: Checkout Release Scripts
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
+ persist-credentials: false
sparse-checkout: |
llvm/utils/release/github-upload-release.py
llvm/utils/git/requirements.txt
@@ -475,6 +484,7 @@ jobs:
- name: Checkout Actions
uses: actions/checkout@v4
with:
+ persist-credentials: false
ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }}
sparse-checkout: |
.github/workflows/
diff --git a/.github/workflows/release-documentation.yml b/.github/workflows/release-documentation.yml
index 922c5093f13579..2968f03d6d29b1 100644
--- a/.github/workflows/release-documentation.yml
+++ b/.github/workflows/release-documentation.yml
@@ -35,6 +35,8 @@ jobs:
steps:
- name: Checkout LLVM
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ persist-credentials: false
- name: Setup Python env
uses: actions/setup-python@v5
diff --git a/.github/workflows/release-doxygen.yml b/.github/workflows/release-doxygen.yml
index ea95e5bb12b2b8..3288d215c8398b 100644
--- a/.github/workflows/release-doxygen.yml
+++ b/.github/workflows/release-doxygen.yml
@@ -41,6 +41,8 @@ jobs:
steps:
- name: Checkout LLVM
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ persist-credentials: false
- name: Setup Python env
uses: actions/setup-python@v5
diff --git a/.github/workflows/release-lit.yml b/.github/workflows/release-lit.yml
index 9d6f3140e68830..7e3b30fcf17a22 100644
--- a/.github/workflows/release-lit.yml
+++ b/.github/workflows/release-lit.yml
@@ -30,6 +30,7 @@ jobs:
- name: Checkout LLVM
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
+ persist-credentials: false
ref: "llvmorg-${{ inputs.release-version }}"
- name: Install dependencies
diff --git a/.github/workflows/release-sources.yml b/.github/workflows/release-sources.yml
index a6c86823f99df5..9e42b2291a4e20 100644
--- a/.github/workflows/release-sources.yml
+++ b/.github/workflows/release-sources.yml
@@ -73,6 +73,7 @@ jobs:
- name: Checkout LLVM
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
+ persist-credentials: false
ref: ${{ needs.inputs.outputs.ref }}
fetch-tags: true
- name: Install Dependencies
diff --git a/.github/workflows/release-tasks.yml b/.github/workflows/release-tasks.yml
index 780dd0ff6325c9..d73c44c9b2fc2c 100644
--- a/.github/workflows/release-tasks.yml
+++ b/.github/workflows/release-tasks.yml
@@ -39,6 +39,8 @@ jobs:
- name: Checkout LLVM
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ persist-credentials: false
- name: Create Release
env:
diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml
index 894e07d323ca92..adcb755b705a1a 100644
--- a/.github/workflows/version-check.yml
+++ b/.github/workflows/version-check.yml
@@ -19,6 +19,7 @@ jobs:
- name: Fetch LLVM sources
uses: actions/checkout@v4
with:
+ persist-credentials: false
fetch-depth: 0
- name: Install dependencies
diff --git a/.github/workflows/workflow-checks.yml b/.github/workflows/workflow-checks.yml
new file mode 100644
index 00000000000000..04bee0dacfffe0
--- /dev/null
+++ b/.github/workflows/workflow-checks.yml
@@ -0,0 +1,37 @@
+name: GitHub Actions Workflow Checks
+
+on:
+ push:
+ paths: [".github/workflows/*.ya?ml"]
+ pull_request:
+ paths: [".github/workflows/*.ya?ml"]
+
+jobs:
+ zizmor:
+ name: Workflow Security Checks
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
+
+ - name: Add Homebrew to PATH
+ run: echo "/home/linuxbrew/.linuxbrew/bin" >>"${GITHUB_PATH}"
+
+ - name: Get zizmor
+ run: brew install zizmor
+
+ - name: Run zizmor
+ run: zizmor --format sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ github.token }}
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+ with:
+ sarif_file: results.sarif
+ category: zizmor
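Review bot: `brew install zizmor` installs whatever version the formula resolves to at run time, which is inconsistent with the rest of this file, where both actions are pinned to full commit SHAs; pin the zizmor release too, so that a new audit or a changed default cannot start failing this job (or change the SARIF it uploads) without a reviewed change, particularly since the run is handed `GH_TOKEN`. Second, if zizmor exits non-zero when it has findings (this PR's own run reports 138), the job fails before `Upload SARIF file` executes and nothing reaches Code Scanning; give the upload step `if: always()` or otherwise make the run step tolerant of findings, and confirm the behaviour on a branch before merging. Minor: the `Add Homebrew to PATH` step assumes the `ubuntu-latest` image ships Homebrew under `/home/linuxbrew/.linuxbrew`, an image detail worth a comment.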
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Attaching `persist-credentials` to the vast majority of jobs probably does nothing to tangibly improve security as we typically limit `GITHUB_TOKEN` to the `contents: read` permission, which means it shouldn't have access to anything that isn't publicly accessible. Blanket adding it might not be the worst idea, but should be done in a separate patch. I don't think we have any actions running on PRs that have more than read permissions where we use the workflow definition from the PR.
Is this static analyzer widely used anywhere? It doesn't seem to be wildly popular at the moment, and so far it seems to have generated more noise than anything else.
This assumes that

It seems to me that it's better security hygiene to be explicit about persisting credentials on disk, especially given that there are existing exploits in the wild for workflows that fail to set
Happy to split it out, but if we want to blanket-add it then there should be some automation that keeps it there (otherwise future workflow changes could easily omit it). Though if it's a good idea to blanket-add it, then it also seems to me that the results here aren't really noise.
It's a fairly new tool, but I expect it will be widely used eventually. The author was also one of the people behind integrating GitHub Actions artifact attestations with SigStore.