Also have zizmor check for low-severity security issues (#14893)

## Summary

This PR changes our zizmor configuration to also flag low-severity
security issues in our GitHub Actions workflows. It's a follow-up to
https://github.com/astral-sh/ruff/pull/14844. The issues being fixed
here were all flagged by [zizmor's `template-injection`
rule](https://woodruffw.github.io/zizmor/audits/#template-injection):

> Detects potential sources of code injection via template expansion.
>
> GitHub Actions allows workflows to define template expansions, which
> occur within special `${{ ... }}` delimiters. These expansions happen
> before workflow and job execution, meaning the expansion of a given
> expression appears verbatim in whatever context it was performed in.
>
> Template expansions aren't syntax-aware, meaning that they can result
> in unintended shell injection vectors. This is especially true when
> they're used with attacker-controllable expression contexts, such as
> `github.event.issue.title` (which the attacker can fully control by
> supplying a new issue title).

[...]

> To fully remediate the vulnerability, you should not use `${{
> env.VARNAME }}`, since that is still a template expansion. Instead, you
> should use `${VARNAME}` to ensure that the shell itself performs the
> variable expansion.

## Test Plan

I tested that this passes all zizmor warnings by running `pre-commit
run -a zizmor` locally. The other test is obviously to check that the
workflows all still run correctly in CI 😄
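As an added illustration of the rule the PR description quotes (this fragment is not part of the PR or of the ruff workflows), the step pattern zizmor's `template-injection` audit flags next to the remediated form the commit applies elsewhere; the step names and the `ISSUE_TITLE` variable are assumptions for this example:

```yaml
# Added example, not from the PR. Step names and ISSUE_TITLE are assumed.

# Flagged: ${{ ... }} is expanded by GitHub before the shell starts, so the
# expanded issue title is pasted verbatim into the script text and the shell
# parses whatever it contains as part of the command line.
- name: Echo issue title (flagged by template-injection)
  run: |
    echo "New issue: ${{ github.event.issue.title }}"

# Remediated: the value is handed over through the step environment, and the
# shell performs the expansion; quoting keeps it a single argument and the
# content is never parsed as shell syntax. Note ${ISSUE_TITLE}, not
# ${{ env.ISSUE_TITLE }}, which would still be a template expansion.
- name: Echo issue title (hardened)
  env:
    ISSUE_TITLE: ${{ github.event.issue.title }}
  run: |
    echo "New issue: ${ISSUE_TITLE}"
```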
Alex Waygood
2024-12-12 07:43:17 +00:00
committed by GitHub
parent 5509a3d7ae
commit 033ecf5a4b
5 changed files with 24 additions and 37 deletions


@@ -87,9 +87,10 @@ jobs:
outputs: type=image,name=${{ env.RUFF_BASE_IMG }},push-by-digest=true,name-canonical=true,push=${{ inputs.plan != '' && !fromJson(inputs.plan).announcement_tag_is_implicit }}
- name: Export digests
env:
digest: ${{ steps.build.outputs.digest }}
run: |
mkdir -p /tmp/digests
digest="${{ steps.build.outputs.digest }}"
touch "/tmp/digests/${digest#sha256:}"
- name: Upload digests
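Review bot: style point on the new `env:` block in this hunk: the variable is named lower-case `digest` while the rest of the workflow uses upper-case names (`RUFF_BASE_IMG`, `BASE_IMAGE`); consider `DIGEST: ${{ steps.build.outputs.digest }}` with `touch "/tmp/digests/${DIGEST#sha256:}"`. Otherwise the change is correct: the build output is now assigned through the step environment instead of being expanded into the script text, and the `${digest#sha256:}` parameter expansion runs in the shell.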
@@ -143,7 +144,7 @@ jobs:
run: |
docker buildx imagetools create \
$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.RUFF_BASE_IMG }}@sha256:%s ' *)
$(printf '${RUFF_BASE_IMG}@sha256:%s ' *)
docker-publish-extra:
name: Publish additional Docker image based on ${{ matrix.image-mapping }}
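Review bot: the replacement line `$(printf '${RUFF_BASE_IMG}@sha256:%s ' *)` places `${RUFF_BASE_IMG}` inside a single-quoted format string, and the shell performs no parameter expansion within single quotes, so `printf` will emit the literal text `${RUFF_BASE_IMG}@sha256:...` and the `imagetools create` call will fail. This did not matter on the removed line because `${{ env.RUFF_BASE_IMG }}` was substituted by GitHub before the shell ever saw the quotes. Switch to double quotes: `$(printf "${RUFF_BASE_IMG}@sha256:%s " *)`.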
@@ -182,7 +183,7 @@ jobs:
# Generate Dockerfile content
cat <<EOF > Dockerfile
FROM ${BASE_IMAGE}
COPY --from=${{ env.RUFF_BASE_IMG }}:latest /ruff /usr/local/bin/ruff
COPY --from=${RUFF_BASE_IMG}:latest /ruff /usr/local/bin/ruff
ENTRYPOINT []
CMD ["/usr/local/bin/ruff"]
EOF
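Review bot: this hunk works only because the heredoc delimiter on `cat <<EOF > Dockerfile` is unquoted, which makes the shell expand `${RUFF_BASE_IMG}` (and `${BASE_IMAGE}`) in the body before the Dockerfile is written; a quoted delimiter (`<<'EOF'`) would leave the text literal. A one-line comment above the heredoc saying the delimiter must stay unquoted for that reason would save a future edit from silently breaking the `COPY --from=` reference.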
@@ -288,4 +289,4 @@ jobs:
docker buildx imagetools create \
"${annotations[@]}" \
$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.RUFF_BASE_IMG }}@sha256:%s ' *)
$(printf '${RUFF_BASE_IMG}@sha256:%s ' *)
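Review bot: `${RUFF_BASE_IMG}` in the new line `$(printf '${RUFF_BASE_IMG}@sha256:%s ' *)` is inside single quotes, so the shell will not expand it and the image reference is passed to `docker buildx imagetools create` literally; the old `${{ env.RUFF_BASE_IMG }}` form worked here only because GitHub substituted it before the shell ran. Use double quotes: `$(printf "${RUFF_BASE_IMG}@sha256:%s " *)`.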