Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve GitHub Actions Security #1722

Merged
merged 12 commits into from
Dec 13, 2024
Merged

Conversation

bigbitbus
Copy link
Contributor

@bigbitbus bigbitbus commented Dec 9, 2024

Adding some improvements to GH workflows.

  1. Default permission restrictions
  2. Action version pinning
  3. Timeout limits
  4. Python dependency version pinning in scripts
  5. Adding basic CODEOWNERS
  6. More eror handling
  7. Concurrency controls (same action cannot be running in parallel)
  8. Refactor to use poetry for managing all installed packages

Description

We want to improve the GH workflows security.

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • This change requires a documentation update

How has this change been tested, please provide a testcase or example of how you tested the change?

Testing in progress...this comment will be updated

Any specific deployment considerations

For example, documentation changes, usability, usage/costs, secrets, etc.

Docs

  • Docs updated? What were the changes:

1. Default permission restrictions
2. Action version pinning
3. Timeout limits
4. Python dependency version pinning in scripts
5. Adding basic CODEOWNERS
6. More eror handling
7. Concurrency controls (same action cannot be running in parallel)
@bigbitbus bigbitbus marked this pull request as draft December 9, 2024 12:30
Copy link
Contributor

@LinasKo LinasKo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: The comments mention CODEOWNERS, but I can't see it among the changes.

@bigbitbus bigbitbus requested a review from alexnorell December 9, 2024 14:20
.github/workflows/publish-dev-docs.yml Outdated Show resolved Hide resolved
.github/workflows/publish-test.yml Outdated Show resolved Hide resolved
.github/workflows/publish.yml Outdated Show resolved Hide resolved
.github/workflows/test-min.yml Outdated Show resolved Hide resolved
.github/workflows/test-doc.yml Outdated Show resolved Hide resolved
.github/workflows/test.yml Outdated Show resolved Hide resolved
.github/workflows/publish.yml Outdated Show resolved Hide resolved
.github/workflows/notebook-bot.yml Outdated Show resolved Hide resolved
.github/workflows/notebook-bot.yml Outdated Show resolved Hide resolved
@alexnorell alexnorell force-pushed the sec/improve-github-workflow-security branch from d0f09f7 to 3d62caf Compare December 11, 2024 19:10
@alexnorell alexnorell marked this pull request as ready for review December 11, 2024 19:22
@alexnorell alexnorell changed the title Improving github actions security Improve GitHub Actions Security Dec 11, 2024
@alexnorell alexnorell requested a review from LinasKo December 12, 2024 19:35
@alexnorell alexnorell dismissed LinasKo’s stale review December 12, 2024 22:10

Changes have been addressed

Copy link
Contributor

@LinasKo LinasKo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This covers all the points we discussed.

Thank you for the good work, @alexnorell, @bigbitbus!

@LinasKo LinasKo merged commit a983132 into develop Dec 13, 2024
41 checks passed
@alexnorell alexnorell deleted the sec/improve-github-workflow-security branch December 13, 2024 15:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants