Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add zizmor for CI (security) linting #2288

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add zizmor for CI (security) linting #2288

wants to merge 3 commits into from

Conversation

githubnemo
Copy link
Collaborator

To add a bit of a safety net to our CI jobs it might make sense to add a CI security linting tool such as zizmor.

The linting run should be green at the moment since I fixed all reported issues:

  • setting persist-credentials: false in all checkout runs
  • changing template substitutions to environment variable substitutions

I added an ignore rule for dangerous-triggers to ignore the upload_pr_to_documentation workflow as our actions are configured to only run such steps on approval which should already have seen at least maintainer eyes and the zizmor run.

nemo added 2 commits December 17, 2024 16:36
Fix all issues reported by zizmor
55873f3 
These were all minor in the context of things but can be easily fixed,
therefore they should.

All template substitutions are now indirected by using environment
variables. All checkouts are using `persist-credentials: false`.
Add new zizmor workflow
6398b8c 
Just to have a bit of a safety net regarding CI configs.
If it is getting bothersome we can remove it again :)
@HuggingFaceDocBuilderDev
Copy link

The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.

BenjaminBossan
BenjaminBossan reviewed Dec 17, 2024
View reviewed changes
Copy link
Member

@BenjaminBossan BenjaminBossan left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for improving the security of the PEFT workflows.

changing template substitutions to environment variable substitutions

Could you explain why this is more secure?

persist-credentials: false

Just to clarify, this is not a security issue on the repo as we're currently not using ssh, this is just a precaution, as that right?

Edit: For context, we wanted to harden the repo after the ultralytics hack.

.github/workflows/zizmor.yaml

on:
push:
branches: ["main"]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about only executing this workflow if anything was changed inside of .github using the path argument? Or could we be missing something that way?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea, added accordingly.

.github/zizmor.yml
dangerous-triggers:
ignore:
# this workflow is only triggered after maintainer approval
- upload_pr_documentation.yml:3:1
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not beautiful but I don't know if there is anything else that we can do here.

Copy link
Collaborator Author

@githubnemo githubnemo Dec 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The zizmor documentatin recommends switching to the workflow_call trigger which has the security benefit of not passing environment variables from one workflow to the other - they're more isolated.

FWIW it seems to be the better scheme for this workflow anyway but I'm not sure if there are unforeseen consequences.

@githubnemo
Copy link
Collaborator Author

githubnemo commented Dec 17, 2024
edited
Loading

changing template substitutions to environment variable substitutions

Could you explain why this is more secure?

Sure. With env: FOO=${{ foo }} we're separating code and data. Environment variables are just a place to store strings and no interpretation of the contents is happening. You'd have to force an interpretation using eval $FOO or something similar.

Contrast this to the behavior before: run: echo "something ${{ foo }}" - here we're modifying the code directly with whatever the content of ${{ foo }} is - there is no conversion to a shell string, there is no separation of code and data and therefore there is no way for the shell to know what is right or wrong.

This is, of course, assuming that github action is not implementing the env statement as

export FOO=${{ foo }}

but rather as something like environ['FOO'] = str(vars('foo')) :)

persist-credentials: false

Just to clarify, this is not a security issue on the repo as we're currently not using ssh, this is just a precaution, as that right?

Yes, this is just to make the linter happy and avoid accidents should we ever (for whatever reason) use manual triggers using SSH.

@githubnemo
Copy link
Collaborator Author

@McPatate might be interested in this too, perhaps?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@BenjaminBossan BenjaminBossan BenjaminBossan left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@githubnemo @HuggingFaceDocBuilderDev @BenjaminBossan