
[BUG]: Booleans written as strings are not handled correctly #447

Closed
2 tasks done
frouioui opened this issue Jan 14, 2025 · 4 comments · Fixed by #448
Labels
bug Something isn't working

Comments

@frouioui

frouioui commented Jan 14, 2025

Pre-submission checks

  • I am not filing a feature request. These should be filed via the feature request form instead.
  • I have looked through the open issues for a duplicate report.

Expected behavior

When I write a boolean value between quotes (e.g. 'false') I expect it to be treated as a boolean equal to false, and not a string containing false, which is what YAML and GHA do.

I want to be able to write the following snippet in my workflow and have zizmor not issue any warning saying that persist-credentials should be set to false.

    - name: Check out code
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        persist-credentials: 'false'

Actual behavior

Right now zizmor emits a warning when using the snippet pasted above:

2025-01-14T23:01:19.684524Z  WARN zizmor: skipping impostor-commit: can't run without a GitHub API token
2025-01-14T23:01:19.684741Z  WARN zizmor: skipping ref-confusion: can't run without a GitHub API token
2025-01-14T23:01:19.684752Z  WARN zizmor: skipping known-vulnerable-actions: can't run without a GitHub API token
2025-01-14T23:01:19.714096Z  INFO audit: zizmor: 🌈 completed /aaaa/.github/workflows/create_release.yml
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /aaaa/.github/workflows/create_release.yml:19:7
   |
19 |       - name: Check out code
   |  _______-
20 | |       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
21 | |       with:
22 | |         persist-credentials: 'false'
   | |____________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

2 findings (1 suppressed): 0 unknown, 0 informational, 0 low, 1 medium, 0 high

Despite the warning, the value is correctly set to false on GitHub Actions:
[screenshot of the GitHub Actions run]

Reproduction steps

  1. Use the following step:

    steps:
    - name: Check out code
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        persist-credentials: 'false'
  2. Run zizmor on the yaml file and observe the warning.

Logs

No response

Additional context

No response

@frouioui frouioui added bug Something isn't working triage Issue is being triaged labels Jan 14, 2025
@woodruffw
Owner

Thanks for the report @frouioui!

FWIW this is a GHA-ism, not a YAML-ism: true and 'true' are distinct types in YAML, but GHA considers them the same (this is a side effect of expression expansion always returning strings, AFAICT).

Regardless, this is indeed a bug in zizmor itself, since we should be doing what GHA does and not just what YAML does 🙂. I'll look into a fix now!
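
The distinction described above, as an added example that is not part of this issue or of zizmor's code: a minimal YAML-style scalar reader keeps `'false'` as a string and bare `false` as a boolean, while a GHA-style coercion treats both as false. The audit rule is shown in its strict-YAML form (the behaviour reported here) next to the GHA-aware form; case-insensitive matching of "true"/"false" is an assumption made for this example.

```python
from typing import Dict, Optional, Union

Scalar = Union[bool, str]

def yaml_scalar(raw: str) -> Scalar:
    """Quoted text -> str, bare true/false -> bool, else str (minimal YAML)."""
    raw = raw.split(" #")[0].strip()                 # drop an inline comment
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]                             # 'false' -> str "false"
    if raw in ("true", "false"):
        return raw == "true"                         # false  -> bool False
    return raw

def parse_with_block(step: str) -> Dict[str, Scalar]:
    """Collect a step's `with:` inputs (lines indented deeper than `with:`)."""
    lines = step.splitlines()
    inputs: Dict[str, Scalar] = {}
    for i, line in enumerate(lines):
        if line.strip() != "with:":
            continue
        indent = len(line) - len(line.lstrip())
        for sub in lines[i + 1:]:
            if sub.strip() and len(sub) - len(sub.lstrip()) <= indent:
                break                                # left the with: block
            if sub.strip():
                key, _, value = sub.strip().partition(":")
                inputs[key.strip()] = yaml_scalar(value)
        break
    return inputs

def gha_bool(value: Optional[Scalar]) -> Optional[bool]:
    """GHA coercion: bool or boolean-looking str -> bool (case-insensitivity assumed)."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    return None                                      # missing or non-boolean

def fires_with_strict_yaml(step: str) -> bool:
    """The reported rule: only a YAML bool False counts as disabling persistence."""
    return parse_with_block(step).get("persist-credentials") is not False

def fires_with_gha_semantics(step: str) -> bool:
    """The intended rule: fire unless GHA would read the input as false."""
    return gha_bool(parse_with_block(step).get("persist-credentials")) is not False

# Constructed samples mirroring the issue's snippet (quoted vs. bare vs. absent).
STEP_QUOTED = "- name: Check out code\n  uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2\n  with:\n    persist-credentials: 'false'\n"
STEP_BARE = STEP_QUOTED.replace("'false'", "false")
STEP_MISSING = "- name: Check out code\n  uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2\n"
```

With the quoted snippet, the strict rule still fires while the GHA-aware rule does not; both rules agree on the bare `false` and on a step that omits the input entirely.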

@frouioui
Author

That's a good point, thanks for the clarification 🙇🏻

@woodruffw woodruffw removed the triage Issue is being triaged label Jan 14, 2025
woodruffw added a commit that referenced this issue Jan 14, 2025
Fixes #447.

Signed-off-by: William Woodruff <[email protected]>
@woodruffw
Owner

#448 should fix this!

@frouioui
Author

Awesome, thanks for the quick turnaround!
