
ci: make ci safe using zizmor #13397

Merged
merged 1 commit into from
Feb 10, 2025

Conversation

yihong0618
Contributor

Summary


As more and more attackers are using GitHub Actions to steal tokens or attack other users, e.g. with mining scripts,

this patch fixes more of them.

zizmor: https://woodruffw.github.io/zizmor/

For more, see the one-api issue or https://www.praetorian.com/blog/compromising-bytedances-rspack-github-actions-vulnerabilities/
We can use static checks to avoid them as much as we can.

e.g.:

astral-sh/ruff#14844

Same request for opendal: apache/opendal#5502

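As an added illustration (this is not zizmor's code and not part of this PR), the Python below is a toy, line-based checker for three of the workflow patterns that the linked write-ups describe and that static audits of the zizmor kind are meant to catch: an action referenced by a mutable tag instead of a commit SHA, untrusted event data expanded straight into a `run:` shell script, and a `pull_request_target` workflow that checks out the pull request head. The rule names are borrowed from the corresponding zizmor audits; the two workflow texts are constructed samples, and the 40-hex pin in the hardened one is a placeholder, not a real commit.

```python
"""Toy static checker for GitHub Actions workflows (added example, not zizmor)."""
import re
from typing import Dict, List

# Event fields an outside contributor controls directly. Expanding one of these
# inside `run:` lets the contributor inject shell into the runner.
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.head_commit.message",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.head_ref",
)

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^(\s*(?:-\s*)?)run:(.*)$")
EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `with: ref:` pointing at the PR head; dangerous when the trigger runs with
# base-repo secrets (pull_request_target).
PR_HEAD_REF_RE = re.compile(
    r"ref:\s*\$\{\{[^}]*(github\.event\.pull_request\.head|github\.head_ref)"
)


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _check_run_text(text: str, lineno: int, findings: List[Dict]) -> None:
    for m in EXPR_RE.finditer(text):
        expr = m.group(1).strip()
        if any(expr.startswith(ctx) for ctx in UNTRUSTED_CONTEXTS):
            findings.append({"rule": "template-injection", "line": lineno, "detail": expr})


def audit(workflow: str) -> List[Dict]:
    """Return findings as dicts with keys rule/line/detail, in line order."""
    findings: List[Dict] = []
    lines = workflow.splitlines()

    # Heuristic: everything before the top-level `jobs:` key is the trigger block.
    header_end = next((i for i, l in enumerate(lines) if l.strip() == "jobs:"), len(lines))
    uses_pr_target = re.search(r"\bpull_request_target\b", "\n".join(lines[:header_end])) is not None

    run_col = None  # column of the `run:` key while inside a block scalar (`run: |`)
    for i, line in enumerate(lines, start=1):
        if run_col is not None:
            if line.strip() == "" or _indent(line) > run_col:
                _check_run_text(line, i, findings)  # still inside the script body
                continue
            run_col = None

        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if not ref.startswith("./"):  # local actions have no ref to pin
                pin = ref.rpartition("@")[2]
                if not SHA_RE.match(pin):
                    findings.append({"rule": "unpinned-uses", "line": i, "detail": ref})
            continue

        m = RUN_RE.match(line)
        if m:
            body = m.group(2).strip()
            if body in ("|", ">", "|-", ">-"):
                run_col = len(m.group(1))  # script continues on deeper-indented lines
            else:
                _check_run_text(body, i, findings)
            continue

        if uses_pr_target and PR_HEAD_REF_RE.search(line):
            findings.append({"rule": "dangerous-triggers", "line": i,
                             "detail": "pull_request_target checks out the PR head"})
    return findings


# Constructed sample: every pattern above in one workflow.
VULNERABLE = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Test with PR title in the shell
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
          npm ci && npm test
      - run: echo "branch ${{ github.head_ref }}"
"""

# Constructed hardened version: pull_request trigger, SHA pin (placeholder hash),
# untrusted data passed through an env var instead of expanded into the script.
HARDENED = """\
name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder pin
      - name: Test with PR title in the shell
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: $PR_TITLE"
          npm ci && npm test
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit(text))
```

The checker is deliberately line-based so it needs no YAML library; a real audit (zizmor, or GitHub's CodeQL workflow scanning mentioned below) parses the workflow properly and covers far more cases, but the three rules here are the ones that account for most of the "steal the token" reports the description refers to.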

@dosubot dosubot bot added size:M This PR changes 30-99 lines, ignoring generated files. 🌊 feat:workflow Workflow related stuff. labels Feb 8, 2025
@crazywoola crazywoola requested a review from laipz8200 February 8, 2025 08:15
@laipz8200
Member

laipz8200 commented Feb 8, 2025

GitHub provides a public preview version of GitHub Actions scanning based on CodeQL, and we are using it. I will also evaluate Zizmor—thank you for your suggestion.

@yihong0618
Contributor Author

> GitHub provides a public preview version of GitHub Actions scanning based on CodeQL, and we are using it. I will also evaluate Zizmor—thank you for your suggestion.

Yes, as the docs say, zizmor is better for checking, not for CI.

@laipz8200 laipz8200 left a comment


LGTM

@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Feb 10, 2025
@laipz8200 laipz8200 merged commit 9f3fc7e into langgenius:main Feb 10, 2025
9 checks passed