From bd640edb245207b2d05dd8bc9527eded94670058 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bern=C3=A1t=20G=C3=A1bor?= Date: Tue, 24 Mar 2026 15:35:15 -0700 Subject: [PATCH] Add zizmor pre-commit hook and fix security issues Add zizmor pre-commit hook to catch GitHub Actions security issues. Fix all existing findings: - template-injection: Move GitHub context to env vars - secrets-outside-env: Add environment declarations - dangerous-triggers: Replace pull_request_target with pull_request - bot-conditions: Use pull_request.user.login instead of github.actor - excessive-permissions: Move permissions to job level - superfluous-actions: Replace with native tools --- .github/dependabot.yaml | 4 +++ .github/workflows/auto-merge.yaml | 9 +++-- .github/workflows/check.yaml | 60 ++++++++++++++++++------------- .github/workflows/release.yaml | 30 ++++++++++------ .pre-commit-config.yaml | 4 +++ 5 files changed, 71 insertions(+), 36 deletions(-) diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index 2a0e5ae..aab0f76 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml @@ -5,8 +5,12 @@ updates: target-branch: "main" schedule: interval: "daily" + cooldown: + default-days: 7 - package-ecosystem: "github-actions" directory: "/" target-branch: "main" schedule: interval: "daily" + cooldown: + default-days: 7 diff --git a/.github/workflows/auto-merge.yaml b/.github/workflows/auto-merge.yaml index 55daa67..535d033 100644 --- a/.github/workflows/auto-merge.yaml +++ b/.github/workflows/auto-merge.yaml @@ -1,6 +1,6 @@ name: Auto-merge on: - pull_request_target: + pull_request: types: [opened, synchronize, reopened] permissions: {} 
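Review bot: The 7-day `cooldown` added under both `updates` entries delays every version bump by a week, including bumps to the `github-actions` SHA pins introduced elsewhere in this commit; GitHub documents security updates as exempt from cooldown, but confirm that for this repository before relying on it, since a pinned action with a published advisory would otherwise wait out the window. If a full week is only wanted for major bumps, Dependabot's per-semver-level keys (`semver-major-days`, `semver-minor-days`, `semver-patch-days`) let patch releases land sooner than `default-days`. The `updates:` header and any `ignore`/`groups` settings for these entries sit outside the hunk.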
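Review bot: With `pull_request` in place of `pull_request_target`, the job runs in the PR's own context, where Dependabot- and fork-originated events get a read-only `GITHUB_TOKEN` and no repository secrets, yet `gh pr merge --auto` (next hunk) needs a token with write access to pull requests and contents; the `env:` that provides `PR_URL` and the token is outside this hunk, so confirm it is still populated on a Dependabot-opened PR rather than silently empty. Keeping the top-level `permissions: {}` is right — the write grant belongs on the job's `permissions:` block, which is not shown. If the token was previously a repository secret, verify that the new `auto-merge` environment's secrets are actually exposed to Dependabot-triggered runs in this repository; if not, the same value must be registered as a Dependabot secret, and one test PR from `dependabot[bot]` would settle it.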
@@ -9,7 +9,12 @@ jobs: auto-merge: name: ๐Ÿค Auto-merge runs-on: ubuntu-latest - if: github.actor == 'gaborbernat' || github.actor == 'dependabot[bot]' || github.actor == 'pre-commit-ci[bot]' || github.actor == 'github-actions[bot]' + environment: auto-merge + if: >- + github.event.pull_request.user.login == 'gaborbernat' || + github.event.pull_request.user.login == 'dependabot[bot]' || + github.event.pull_request.user.login == 'pre-commit-ci[bot]' || + github.event.pull_request.user.login == 'github-actions[bot]' steps: - name: ๐Ÿ”€ Enable auto-merge run: gh pr merge --auto --squash "$PR_URL" diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml index e376a88..a0d7ebf 100644 --- a/.github/workflows/check.yaml +++ b/.github/workflows/check.yaml @@ -17,19 +17,21 @@ jobs: runs-on: ubuntu-latest steps: - name: ๐Ÿงน Free disk space - uses: jlumbroso/free-disk-space@main + uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main with: tool-cache: false large-packages: false - name: ๐Ÿ“ฅ Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: โ˜• Set up Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: distribution: zulu java-version: 21 - name: ๐Ÿ˜ Set up Gradle - uses: gradle/actions/setup-gradle@v6 + uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6 - name: ๐Ÿ”จ Build plugin run: ./gradlew --console=plain buildPlugin - name: ๐Ÿ“ Prepare artifact @@ -40,7 +42,7 @@ jobs: unzip "$FILENAME" -d content echo "filename=${FILENAME:0:-4}" >> $GITHUB_OUTPUT - name: ๐Ÿ“ค Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: ${{ steps.artifact.outputs.filename }} path: ./build/distributions/content/*/* 
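Review bot: The folded four-way `||` chain repeats `github.event.pull_request.user.login` on every line, and each future login is another copy-pasted clause; the same allowlist reads more clearly as a single membership test, `if: contains(fromJson('["gaborbernat", "dependabot[bot]", "pre-commit-ci[bot]", "github-actions[bot]"]'), github.event.pull_request.user.login)`. `environment: auto-merge` only gates anything if the environment has required reviewers or a deployment-branch rule in repository settings, which the diff cannot show, so state the intent above the line, e.g. `# 'auto-merge' environment supplies the merge token; its protection rules are configured in repo settings`. The step's `env:` block with `PR_URL` and the token it uses is outside the hunk.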
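Review bot: `jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main` pins an immutable commit but annotates it with a branch name, so reviewers have no release to compare the SHA against and Dependabot, which follows the trailing comment when proposing SHA updates, will track every commit on `main` rather than tagged releases; pin the SHA of a tagged release and comment the tag instead, `uses: jlumbroso/free-disk-space@<sha-of-tagged-release> # <tag>`, here and on the same line in the four later `check.yaml` hunks and in `release.yaml`. Its inputs (`tool-cache`, `large-packages`, and `haskell`/`docker-images` in a later hunk) indicate it removes runner packages and caches, which makes it the third-party step most worth tying to a reviewed release. The other pins in this hunk (`checkout`, `setup-java`, `setup-gradle`) carry their release tags in the comment and are fine as written.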
@@ -54,7 +56,7 @@ jobs: ide: ${{ github.event_name == 'pull_request' && fromJson('["PC"]') || fromJson('["PC", "PY"]') }} steps: - name: ๐Ÿงน Free disk space - uses: jlumbroso/free-disk-space@main + uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main with: tool-cache: false large-packages: false @@ -63,24 +65,28 @@ jobs: haskell: true docker-images: true - name: ๐Ÿ“ฅ Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: โ˜• Set up Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: distribution: zulu java-version: 21 - name: ๐Ÿ˜ Set up Gradle - uses: gradle/actions/setup-gradle@v6 + uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6 - name: ๐Ÿ’พ Cache verifier IDEs - uses: actions/cache@v5 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 with: path: ~/.pluginVerifier/ides key: plugin-verifier-ides-${{ matrix.ide }}-${{ hashFiles('gradle.properties') }} - name: โœ… Run verification - run: ./gradlew verifyPlugin -PverifyIde=${{ matrix.ide }} + run: ./gradlew verifyPlugin -PverifyIde=${MATRIX_IDE} + env: + MATRIX_IDE: ${{ matrix.ide }} - name: ๐Ÿ“ค Upload results if: ${{ always() }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: pluginVerifier-result-${{ matrix.ide }} path: ${{ github.workspace }}/build/reports/pluginVerifier 
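Review bot: `-PverifyIde=${MATRIX_IDE}` moves the matrix value out of the script text, which is the right fix, but the expansion is unquoted; the values currently come from the `fromJson` literals in the `strategy` block of the preceding hunk, so they are safe today, while quoting keeps the new env-var pattern robust if the matrix ever carries whitespace or glob characters: `run: ./gradlew verifyPlugin -PverifyIde="${MATRIX_IDE}"`. The same unquoted expansion recurs in `release.yaml` (`gh release upload ${GITHUB_EVENT_RELEASE_TAG_NAME}`). `with:` inputs such as `key: plugin-verifier-ides-${{ matrix.ide }}-…` and the artifact `name:` are action inputs rather than shell text, so they do not need the same treatment.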
@@ -90,19 +96,21 @@ jobs: runs-on: ubuntu-latest steps: - name: ๐Ÿงน Free disk space - uses: jlumbroso/free-disk-space@main + uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main with: tool-cache: false large-packages: false - name: ๐Ÿ“ฅ Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: โ˜• Set up Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: distribution: zulu java-version: 21 - name: ๐Ÿ˜ Set up Gradle - uses: gradle/actions/setup-gradle@v6 + uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6 - name: ๐Ÿ” Run linter run: ./gradlew ktlintCheck @@ -111,19 +119,21 @@ jobs: runs-on: ubuntu-latest steps: - name: ๐Ÿงน Free disk space - uses: jlumbroso/free-disk-space@main + uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main with: tool-cache: false large-packages: false - name: ๐Ÿ“ฅ Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: โ˜• Set up Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: distribution: zulu java-version: 21 - name: ๐Ÿ˜ Set up Gradle - uses: gradle/actions/setup-gradle@v6 + uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6 - name: โœ… Run tests with coverage run: ./gradlew test koverVerify 
@@ -132,19 +142,21 @@ jobs: runs-on: ubuntu-latest steps: - name: ๐Ÿงน Free disk space - uses: jlumbroso/free-disk-space@main + uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main with: tool-cache: false large-packages: false - name: ๐Ÿ“ฅ Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: โ˜• Set up Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: distribution: zulu java-version: 21 - name: ๐Ÿ˜ Set up Gradle - uses: gradle/actions/setup-gradle@v6 + uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6 - name: ๐Ÿ–ฅ๏ธ Run UI tests run: | export DISPLAY=:99.0 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index cbe0db1..f12337f 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -16,35 +16,40 @@ jobs: url: https://plugins.jetbrains.com/plugin/20536-pyvenv-manage-2 steps: - name: ๐Ÿ“ฅ Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ github.event.release.tag_name }} + persist-credentials: false - name: ๐Ÿงน Free disk space - uses: jlumbroso/free-disk-space@main + uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main with: tool-cache: false large-packages: false - name: โ˜• Set up Java - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: distribution: zulu java-version: 21 - name: ๐Ÿ˜ Set up Gradle - uses: gradle/actions/setup-gradle@v6 + uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6 - name: ๐Ÿท๏ธ Set version from tag id: version run: | - VERSION="${{ github.event.release.tag_name }}" + VERSION="${GITHUB_EVENT_RELEASE_TAG_NAME}" VERSION="${VERSION#v}" echo "version=$VERSION" >> $GITHUB_OUTPUT sed -i "s/^pluginVersion=.*/pluginVersion=$VERSION/" gradle.properties + env: + GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }} - name: ๐Ÿ“ Update changelog if: ${{ github.event.release.body != '' }} run: | cat > /tmp/release-notes.txt << 'RELEASE_NOTES_EOF' - ${{ github.event.release.body }} + ${GITHUB_EVENT_RELEASE_BODY} RELEASE_NOTES_EOF ./gradlew patchChangelog --release-note="$(cat /tmp/release-notes.txt)" + env: + GITHUB_EVENT_RELEASE_BODY: ${{ github.event.release.body }} - name: ๐Ÿ“ค Publish to JetBrains Marketplace env: PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }} 
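Review bot: The changelog step writes `${GITHUB_EVENT_RELEASE_BODY}` inside a heredoc whose delimiter is single-quoted (`<< 'RELEASE_NOTES_EOF'`), and a quoted delimiter suppresses parameter expansion, so `/tmp/release-notes.txt` receives the literal text `${GITHUB_EVENT_RELEASE_BODY}` and `patchChangelog` is called with that string rather than the release notes; the quoting was right when the runner substituted `${{ }}` before bash ran, but not for an env var. Replace the three heredoc lines with `printf '%s\n' "$GITHUB_EVENT_RELEASE_BODY" > /tmp/release-notes.txt` (or pass `--release-note="$GITHUB_EVENT_RELEASE_BODY"` directly and drop the temp file); either way the body is never re-parsed by the shell. Separately, `VERSION` is taken from the tag with only the `v` stripped and then spliced into `sed -i "s/^pluginVersion=.*/pluginVersion=$VERSION/"`, where a `/` or `&` (both legal in tag names) corrupts the expression, and into `$((PATCH + 1))` in the next hunk, which computes a wrong value without failing for a suffix such as `-rc1`; a guard after the strip, `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "unexpected tag: $VERSION" >&2; exit 1; }`, turns both into an explicit failure. With `persist-credentials: false` now set on checkout, the post-release PR step in the next hunk must supply its own git credentials for its push — its script continues outside this diff, so confirm it does.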
@@ -55,20 +60,25 @@ jobs: - name: ๐Ÿ“Ž Upload release artifact env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: gh release upload ${{ github.event.release.tag_name }} ./build/distributions/* + GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }} + run: gh release upload ${GITHUB_EVENT_RELEASE_TAG_NAME} ./build/distributions/* - name: ๐Ÿ”ข Calculate next dev version id: next run: | - VERSION="${{ steps.version.outputs.version }}" + VERSION="${STEPS_VERSION_OUTPUTS_VERSION}" IFS='.' read -r MAJOR MINOR PATCH <<< "$VERSION" NEXT_VERSION="$MAJOR.$MINOR.$((PATCH + 1))-dev" echo "next_version=$NEXT_VERSION" >> $GITHUB_OUTPUT + env: + STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }} - name: ๐Ÿ“ Create post-release PR env: GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} + GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }} + STEPS_NEXT_OUTPUTS_NEXT_VERSION: ${{ steps.next.outputs.next_version }} run: | - VERSION="${{ github.event.release.tag_name }}" - NEXT_VERSION="${{ steps.next.outputs.next_version }}" + VERSION="${GITHUB_EVENT_RELEASE_TAG_NAME}" + NEXT_VERSION="${STEPS_NEXT_OUTPUTS_NEXT_VERSION}" BRANCH="post-release-$VERSION" # Save patched changelog before switching branches diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 30e481d..8b32019 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -16,3 +16,7 @@ repos: additional_dependencies: - prettier@3.6.2 - "@prettier/plugin-xml@3.4.2" + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: v1.23.1 + hooks: + - id: zizmor
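Review bot: `gh release upload ${GITHUB_EVENT_RELEASE_TAG_NAME} ./build/distributions/*` leaves the new env-var expansion unquoted while the other rewrites in this hunk quote theirs (`VERSION="${GITHUB_EVENT_RELEASE_TAG_NAME}"`); make it `run: gh release upload "${GITHUB_EVENT_RELEASE_TAG_NAME}" ./build/distributions/*` for uniformity (tag names cannot contain whitespace, so this is consistency rather than a live bug). The env names mirror the expression path (`STEPS_VERSION_OUTPUTS_VERSION`, `STEPS_NEXT_OUTPUTS_NEXT_VERSION`) rather than the meaning; `RELEASE_TAG`, `PLUGIN_VERSION` and `NEXT_VERSION` would read better in the scripts and would make the `VERSION="${…}"` copy lines unnecessary. The post-release script continues past the end of the hunk.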
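Review bot: The zizmor hook is added with no `args:` and the pre-commit environment carries no GitHub token, so as far as I can tell only zizmor's offline audits run here; the online ones that check pinned SHAs for impostor commits and known-vulnerable action versions are skipped, and those are exactly the checks the new commit pins in this same change would benefit from. Either also run zizmor in CI with `GH_TOKEN` set, or record the gap above the entry, e.g. `# pre-commit runs zizmor offline; online audits (impostor-commit, known-vulnerable-actions) need GH_TOKEN in CI`. `rev: v1.23.1` is a mutable tag while the workflows now pin actions by commit SHA; pre-commit accepts a full commit SHA in `rev` if the same immutability is wanted for the linter itself.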