Lint Github Actions workflows with zizmor #3188
Conversation
|
I tested the pip-compile workflow with #3189 and https://github.com/ansible/ansible-documentation/actions/runs/18857876754/job/53809921493. It seems to have worked. |
| - session: "zizmor" | ||
| python-versions: "3.12" |
There was a problem hiding this comment.
We could potentially remove this in favor of the workflow added in #3141 and just keep the zizmor in the noxfile for contributors to run locally.
Although, I'm concerned that:
- The zizmor workflow in Add Zizmor Scanning on push/pull request #3141 doesn't make CI red even though there are failures.
- If we have to manage the zizmor version pinned in the zizmor workflow and the version used by the nox job, they may get out of sync, which could be confusing for developers, as they'll get different results when running locally vs. CI.
- I'm not sure how much the integration with Github Code Scanning is helpful to our community. Case in point, @x1101 spent time contributing the workflow (thank you!), but they can't even see the failures it reported. I personally think it's better to integrate zizmor with our existing nox setup but am happy to be convinced otherwise.
There was a problem hiding this comment.
The zizmor workflow not failing CI seems to be by design of the GHA author, keeping that data in the security section for action separate from success/failure of the CI itself.
As for not being able to find the reported issues, that was a "I needed to learn how to use the tools together". I was running the scans on one branch, and the scan was showing data from another, and I just missed how I could adjust that to see the results (all of that was happening in my own fork).
With all that being said, since a majority of the workflows for the project are setup using nox to make them portable between dev/CI environments, I can't think of any good objections to integrating it there. I initially went the GHA route because it appears to be the suggested method by the tool authors, with the intention of piping that data automatically into existing GH systems (which does work as intended, but doesn't sound like its exactly the use case we're targeting).
There was a problem hiding this comment.
@gotmax23 that workflow should be complementary as the nox session won't integrate with GH through SARIF. Just add another job separately.
@x1101 I believe that once merged, the issues would show up in PRs inline. But it's a good idea to have both invocation mechanisms in place. The reusable workflow is for the GH Code Scanning integration while nox is for local use. However, it's a good idea to still run that nox session in CI to ensure that it works in dev env.
There was a problem hiding this comment.
@gotmax23 FYI the code scanning results don't normally show up until the workflow reporting them is in devel. That might be the reason.
|
Test docs deploy to the staging deployment environment: https://github.com/ansible/ansible-documentation/actions/runs/18858431601 |
oraNod
left a comment
oraNod
left a comment
There was a problem hiding this comment.
Thanks for doing all this work @gotmax23 Honestly I do prefer the approach to using a nox session over a workflow because it's consistent with the pattern we've taken with tooling.
I also agree with point 3 and the integration with GitHub Code Scanning. I think this actually caused a bit of uncertainty when @x1101 started on #3141
On a related note I'd like to ask that we give attribution in a commit message somewhere if this PR is accepted over #3141. @x1101 put in a solid effort and ultimately led us to a change that is going to improve the toolchain.
|
I applied the feedback and added an |
|
The PR currently has a conflict. |
| labels: "${{ inputs.labels || 'no_backport,tooling' }}" | ||
| secrets: inherit | ||
| # Pass using inherit, as this seems to be the only possible way to access | ||
| # secrets defined in an enviornment when using nested workflows. |
There was a problem hiding this comment.
That workflow should declare an explicit secrets: section. Then, passing secrets will work. Just like inputs:.
There was a problem hiding this comment.
Right, but the secrets are part of the github-bot environment, and I don't think environment can be set in the calling workflow.
There was a problem hiding this comment.
Oh, so https://docs.github.com/en/actions/how-tos/reuse-automations/reuse-workflows#using-inputs-and-secrets-in-a-reusable-workflow implies that the environment should be set in the reusable workflow but doesn't explicitly talk about how that interacts with the secrets key (beyond the inability to pass them explicitly).
| default: "" | ||
| python-versions: | ||
| type: string | ||
| required: true |
There was a problem hiding this comment.
| required: true | |
| required: true | |
| secrets: | |
| BOT_APP_ID: | |
| description: An ID for the GitHub App to authenticate as. | |
| required: true | |
| BOT_APP_KEY: | |
| description: A private key for the GitHub App authentication. | |
| required: true |
This fixes issues identified by the zizmor linter which checks for Github Actions security best practicies. Summary of changes: - Remove possibilities for shell injection. These can all only be activated by workflow_dispatch input provided by people who already have access to the repository but still a good idea to tidy this up. Many of these occur in the build-package-docs actions. We should test everything to make sure nothing is broken by these changes. - Explicitly set permissions. This is not strictly required, because we already enforce a limited set of default permissions in the repo's GHA settings, but zizmor wants us to be explicit. - Use `persist-credentials: false` with the checkout action. Also, when rebasing this commit, I added back the manual `nox -s clone-core` step to keep the outputs separate.
- Adds lockfile - Adds nox session - Adds nox session to CI matrix
- Add default permissions to new workflows - Add cooldown to dependabot
We could configure dependabot to pin shared workflow commit SHA hashes, but for now, let's relax the unpinned-uses relax
See comment for more details.
Co-authored-by: Don Naro <dnaro@redhat.com>
| run: >- | ||
| nox -e make -- webdocs ${{ | ||
| env: | ||
| PACKAGE_VERSION: "${{ inputs.ansible-package-version }}" |
There was a problem hiding this comment.
@oraNod, do we need to also export VERSION like it was before in the Set the VERSION variable step? Is $VERSION used in the Makefile?
| PACKAGE_VERSION: "${{ inputs.ansible-package-version }}" | |
| PACKAGE_VERSION: "${{ inputs.ansible-package-version }}" | |
| VERSION: "${{ inputs.ansible-package-version }}" |
There was a problem hiding this comment.
Hi @gotmax23 ANSIBLE_VERSION gets passed to the Makefile but not VERSION.
I think VERSION is a relic from the Jenkins job that is used in a couple of places including the step to add a symlink on the web server: ln -s \$VERSION _build/latest. Maybe we needed it when we first started with the workflow but it should be fine to drop it as part of this PR.
I'm pretty sure I built this branch before I approved but will do it again now. Thanks, as always, for the thoughtful questions.
There was a problem hiding this comment.
Just did a run with this branch from the devel branch and see this in the logs: nox > make -C docs/docsite PYTHON=/home/runner/work/ansible-documentation/ansible-documentation/build-directory/.nox/make/bin/python webdocs ANSIBLE_VERSION= 'EXTRA_TAGS=-t redirects'
Everything in the tarball looks good too. I think we can safely remove the Set the VERSION variable step.
| labels: "${{ inputs.labels || 'no_backport,tooling' }}" | ||
| secrets: inherit | ||
| # Pass using inherit, as this seems to be the only possible way to access | ||
| # secrets defined in an enviornment when using nested workflows. |
There was a problem hiding this comment.
Right, but the secrets are part of the github-bot environment, and I don't think environment can be set in the calling workflow.
| run: echo "TX_ID=$(date +%s)" >> "${GITHUB_ENV}" | ||
|
|
||
| - name: Notify the DaWGs in Matrix | ||
| # FAIL_MESSAGE is trusted input so okay to inject here. |
There was a problem hiding this comment.
Why not still pass it through environment variables? That's usually the best way to pass things on. Also it will prevent future problems, for example if someone later adjusts the message so that it contains double quotes, backticks, ...
| curl -X PUT "${ROOM_URL}/${TX_ID}" \ | ||
| -H "Authorization: Bearer ${{ secrets.DOCS_BOT_TOKEN }}" \ | ||
| -H "Content-Type: application/json" \ | ||
| -d '{"msgtype": "m.text", "body": "${{ env.FAIL_MESSAGE }}"}' |
There was a problem hiding this comment.
| -d '{"msgtype": "m.text", "body": "${{ env.FAIL_MESSAGE }}"}' | |
| -d '{"msgtype": "m.text", "body": "'"${FAIL_MESSAGE}"'"}' |
There was a problem hiding this comment.
Honestly, I'd rather avoid the mixing shell and JSON quoting code smells entirely. What about something like this?
- name: Notify the DaWGs in Matrix
run: |
body=$(python3 -c '
import json
import os
import sys
json.dump({
"msgtype": "m.text",
"body": os.environ["FAIL_MESSAGE"],
}, sys.stdout)'
)
curl -X PUT "${ROOM_URL}/${TX_ID}" \
-H "Authorization: Bearer ${{ secrets.DOCS_BOT_TOKEN }}" \
-H "Content-Type: application/json" \
-d "${body}"
Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) <wk@sydorenko.org.ua>
5 participants
Fixes: #2681
See commit messages for more details. I pushed this to the zizmor2 branch on the main repository, so we can test the updated workflows with workflow_dispatch.
Inspired-by: Lyle McKarns x1101@users.noreply.github.com