Also have zizmor check for low-severity security issues (#14893)

## Summary This PR changes our zizmor configuration to also flag low-severity security issues in our GitHub Actions workflows. It's a followup to https://github.com/astral-sh/ruff/pull/14844. The issues being fixed here were all flagged by [zizmor's `template-injection` rule](https://woodruffw.github.io/zizmor/audits/#template-injection): > Detects potential sources of code injection via template expansion. > > GitHub Actions allows workflows to define template expansions, which occur within special `${{ ... }}` delimiters. These expansions happen before workflow and job execution, meaning the expansion of a given expression appears verbatim in whatever context it was performed in. > > Template expansions aren't syntax-aware, meaning that they can result in unintended shell injection vectors. This is especially true when they're used with attacker-controllable expression contexts, such as `github.event.issue.title` (which the attacker can fully control by supplying a new issue title). [...] > To fully remediate the vulnerability, you should not use `${{ env.VARNAME }}`, since that is still a template expansion. Instead, you should use `${VARNAME}` to ensure that the shell itself performs the variable expansion. ## Test Plan I tested that this passes all zizmore warnings by running `pre-commit run -a zizmor` locally. The other test is obviously to check that the workflows all still run correctly in CI 😄
2025-08-03 18:28:56 +00:00 · 2024-12-12 07:43:17 +00:00 · 2024-12-12 07:43:17 +00:00 · 033ecf5a4b
commit 033ecf5a4b
parent 5509a3d7ae
5 changed files with 24 additions and 37 deletions
--- a/.github/workflows/build-binaries.yml
+++ b/.github/workflows/build-binaries.yml
@ -53,9 +53,9 @@ jobs:
          args: --out dist
      - name: "Test sdist"
        run: |
-          pip install dist/${{ env.PACKAGE_NAME }}-*.tar.gz --force-reinstall
-          ${{ env.MODULE_NAME }} --help
-          python -m ${{ env.MODULE_NAME }} --help
+          pip install dist/${PACKAGE_NAME}-*.tar.gz --force-reinstall
+          "${MODULE_NAME}" --help
+          python -m "${MODULE_NAME}" --help
      - name: "Upload sdist"
        uses: actions/upload-artifact@v4
        with:
@ -125,7 +125,7 @@ jobs:
          args: --release --locked --out dist
      - name: "Test wheel - aarch64"
        run: |
-          pip install dist/${{ env.PACKAGE_NAME }}-*.whl --force-reinstall
+          pip install dist/${PACKAGE_NAME}-*.whl --force-reinstall
          ruff --help
          python -m ruff --help
      - name: "Upload wheels"
@ -186,9 +186,9 @@ jobs:
        if: ${{ !startsWith(matrix.platform.target, 'aarch64') }}
        shell: bash
        run: |
-          python -m pip install dist/${{ env.PACKAGE_NAME }}-*.whl --force-reinstall
-          ${{ env.MODULE_NAME }} --help
-          python -m ${{ env.MODULE_NAME }} --help
+          python -m pip install dist/${PACKAGE_NAME}-*.whl --force-reinstall
+          "${MODULE_NAME}" --help
+          python -m "${MODULE_NAME}" --help
      - name: "Upload wheels"
        uses: actions/upload-artifact@v4
        with:
@ -236,9 +236,9 @@ jobs:
      - name: "Test wheel"
        if: ${{ startsWith(matrix.target, 'x86_64') }}
        run: |
-          pip install dist/${{ env.PACKAGE_NAME }}-*.whl --force-reinstall
-          ${{ env.MODULE_NAME }} --help
-          python -m ${{ env.MODULE_NAME }} --help
+          pip install dist/${PACKAGE_NAME}-*.whl --force-reinstall
+          "${MODULE_NAME}" --help
+          python -m "${MODULE_NAME}" --help
      - name: "Upload wheels"
        uses: actions/upload-artifact@v4
        with:
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@ -87,9 +87,10 @@ jobs:
          outputs: type=image,name=${{ env.RUFF_BASE_IMG }},push-by-digest=true,name-canonical=true,push=${{ inputs.plan != '' && !fromJson(inputs.plan).announcement_tag_is_implicit }}

      - name: Export digests
+        env:
+          digest: ${{ steps.build.outputs.digest }}
        run: |
          mkdir -p /tmp/digests
-          digest="${{ steps.build.outputs.digest }}"
          touch "/tmp/digests/${digest#sha256:}"

      - name: Upload digests
@ -143,7 +144,7 @@ jobs:
        run: |
          docker buildx imagetools create \
            $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf '${{ env.RUFF_BASE_IMG }}@sha256:%s ' *)
+            $(printf '${RUFF_BASE_IMG}@sha256:%s ' *)

  docker-publish-extra:
    name: Publish additional Docker image based on ${{ matrix.image-mapping }}
@ -182,7 +183,7 @@ jobs:
          # Generate Dockerfile content
          cat <<EOF > Dockerfile
          FROM ${BASE_IMAGE}
-          COPY --from=${{ env.RUFF_BASE_IMG }}:latest /ruff /usr/local/bin/ruff
+          COPY --from=${RUFF_BASE_IMG}:latest /ruff /usr/local/bin/ruff
          ENTRYPOINT []
          CMD ["/usr/local/bin/ruff"]
          EOF
@ -288,4 +289,4 @@ jobs:
          docker buildx imagetools create \
            "${annotations[@]}" \
            $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf '${{ env.RUFF_BASE_IMG }}@sha256:%s ' *)
+            $(printf '${RUFF_BASE_IMG}@sha256:%s ' *)
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@ -49,13 +49,11 @@ jobs:

      - name: "Set branch name"
        run: |
-          version="${{ env.version }}"
-          display_name="${{ env.display_name }}"
          timestamp="$(date +%s)"

          # create branch_display_name from display_name by replacing all
          # characters disallowed in git branch names with hyphens
-          branch_display_name="$(echo "$display_name" | tr -c '[:alnum:]._' '-' | tr -s '-')"
+          branch_display_name="$(echo "${display_name}" | tr -c '[:alnum:]._' '-' | tr -s '-')"

          echo "branch_name=update-docs-$branch_display_name-$timestamp" >> $GITHUB_ENV
          echo "timestamp=$timestamp" >> $GITHUB_ENV
@ -93,9 +91,7 @@ jobs:
        run: mkdocs build --strict -f mkdocs.public.yml

      - name: "Clone docs repo"
-        run: |
-          version="${{ env.version }}"
-          git clone https://${{ secrets.ASTRAL_DOCS_PAT }}@github.com/astral-sh/docs.git astral-docs
+        run: git clone https://${{ secrets.ASTRAL_DOCS_PAT }}@github.com/astral-sh/docs.git astral-docs

      - name: "Copy docs"
        run: rm -rf astral-docs/site/ruff && mkdir -p astral-docs/site && cp -r site/ruff astral-docs/site/
@ -103,12 +99,10 @@ jobs:
      - name: "Commit docs"
        working-directory: astral-docs
        run: |
-          branch_name="${{ env.branch_name }}"
-
          git config user.name "astral-docs-bot"
          git config user.email "176161322+astral-docs-bot@users.noreply.github.com"

-          git checkout -b $branch_name
+          git checkout -b "${branch_name}"
          git add site/ruff
          git commit -m "Update ruff documentation for $version"

@ -117,12 +111,8 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.ASTRAL_DOCS_PAT }}
        run: |
-          version="${{ env.version }}"
-          display_name="${{ env.display_name }}"
-          branch_name="${{ env.branch_name }}"
-
          # set the PR title
-          pull_request_title="Update ruff documentation for $display_name"
+          pull_request_title="Update ruff documentation for "${display_name}""

          # Delete any existing pull requests that are open for this version
          # by checking against pull_request_title because the new PR will
@ -131,12 +121,12 @@ jobs:
            xargs -I {} gh pr close {}

          # push the branch to GitHub
-          git push origin $branch_name
+          git push origin "${branch_name}"

          # create the PR
-          gh pr create --base main --head $branch_name \
+          gh pr create --base main --head "${branch_name}" \
            --title "$pull_request_title" \
-            --body "Automated documentation update for $display_name" \
+            --body "Automated documentation update for "${display_name}"" \
            --label "documentation"

      - name: "Merge Pull Request"
@ -145,9 +135,7 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.ASTRAL_DOCS_PAT }}
        run: |
-          branch_name="${{ env.branch_name }}"
-
          # auto-merge the PR if the build was triggered by a release. Manual builds should be reviewed by a human.
          # give the PR a few seconds to be created before trying to auto-merge it
          sleep 10
-          gh pr merge --squash $branch_name
+          gh pr merge --squash "${branch_name}"
--- a/.github/workflows/sync_typeshed.yaml
+++ b/.github/workflows/sync_typeshed.yaml
@ -31,7 +31,7 @@ jobs:
        with:
          repository: python/typeshed
          path: typeshed
-          persist-credentials: true
+          persist-credentials: false
      - name: Setup git
        run: |
          git config --global user.name typeshedbot
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -95,8 +95,6 @@ repos:
        # `release.yml` is autogenerated by `dist`; security issues need to be fixed there
        # (https://opensource.axo.dev/cargo-dist/)
        exclude: .github/workflows/release.yml
-        # We could consider enabling the low-severity warnings, but they're noisy
-        args: [--min-severity=medium]

  - repo: https://github.com/python-jsonschema/check-jsonschema
    rev: 0.30.0