From 73822421d6e7d182e788489045869306b6e2c836 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20Tr=C4=85tnowiecki?= Date: Thu, 28 May 2026 19:39:49 +0200 Subject: [PATCH 1/4] Hardening release github workflows --- .github/workflows/_build-release.yml | 26 ++++++++++++++------------ .github/workflows/build-dev.yml | 8 +++++++- .github/workflows/nightly.yml | 27 +++++++++++++++++++-------- .github/workflows/release.yml | 16 ++++++++++------ 4 files changed, 50 insertions(+), 27 deletions(-) diff --git a/.github/workflows/_build-release.yml b/.github/workflows/_build-release.yml index d7ff19d75..aca714b14 100644 --- a/.github/workflows/_build-release.yml +++ b/.github/workflows/_build-release.yml @@ -74,17 +74,18 @@ jobs: #- target: aarch64-pc-windows-msvc # os: windows-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.ref }} + persist-credentials: false - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: target: ${{ matrix.target }} - name: Install cross if: matrix.cross - uses: taiki-e/install-action@cross + uses: taiki-e/install-action@acd64fff6a014853b02d944cbf71c278fba2034d # cross - name: Enable cross-compilation if: matrix.cross @@ -94,7 +95,7 @@ jobs: - name: Build run: ${{ env.CARGO }} build --release --locked --target ${{ matrix.target }} --workspace --exclude scarb-prove --exclude scarb-verify ${{ !inputs.include-cairols && '--exclude scarb-cairo-language-server' || ''}} --no-default-features ${{ inputs.include-lint && '--features scarb/scarb-lint' || ''}} - - uses: dtolnay/rust-toolchain@master + - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master if: inputs.include-stwo with: target: ${{ matrix.target }} 
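Review bot: The SHA pins introduced in this hunk (`actions/checkout@de0fac2e…`, `dtolnay/rust-toolchain@29eef336…`, `taiki-e/install-action@acd64fff…`) only stay current if something keeps them updated, and nothing in the series adds a Dependabot or Renovate `github-actions` entry; the trailing `# v6` / `# stable` comments are what those tools key on to move the pin. If the repository already carries such a config this is moot, otherwise the pins will silently fall behind upstream fixes. The same applies to the remaining hunks of this file and to release.yml in this commit.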
@@ -102,7 +103,7 @@ jobs: - name: Install cross if: matrix.cross && inputs.include-stwo - uses: taiki-e/install-action@cross + uses: taiki-e/install-action@acd64fff6a014853b02d944cbf71c278fba2034d # cross - name: Enable cross-compilation if: matrix.cross && inputs.include-stwo @@ -113,7 +114,7 @@ jobs: if: inputs.include-stwo run: ${{ env.CARGO }} build --release --locked --target ${{ matrix.target }} -p scarb-prove -p scarb-verify - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: target: ${{ matrix.target }} @@ -124,7 +125,7 @@ jobs: TARGET: ${{ matrix.target }} - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: build-${{ matrix.target }} path: scarb-${{ inputs.scarb-tag }}-${{ matrix.target }}.* @@ -151,17 +152,18 @@ jobs: os: windows-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.ref }} + persist-credentials: false - - uses: dtolnay/rust-toolchain@stable + - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable - name: Build xtasks run: cargo build -p xtask - name: Download artifact - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: build-${{ matrix.target }} path: target/verify @@ -179,7 +181,7 @@ jobs: needs: build steps: - name: Download artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: path: artifacts-dl @@ -195,7 +197,7 @@ jobs: cat checksums.sha256 - name: Upload artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: checksums path: artifacts/checksums.* 
diff --git a/.github/workflows/build-dev.yml b/.github/workflows/build-dev.yml index b2e8353fa..931432100 100644 --- a/.github/workflows/build-dev.yml +++ b/.github/workflows/build-dev.yml @@ -36,10 +36,16 @@ on: type: boolean default: true +permissions: {} + jobs: dev-build: uses: ./.github/workflows/nightly.yml - secrets: inherit + permissions: + contents: write + secrets: + SCARB_NIGHTLIES_CONTENTS_WRITE: ${{ secrets.SCARB_NIGHTLIES_CONTENTS_WRITE }} + SLACK_NIGHTLY_FAILURE_WEBHOOK_URL: ${{ secrets.SLACK_NIGHTLY_FAILURE_WEBHOOK_URL }} with: dry_run: ${{ inputs.dry_run }} upgrade-cairo: ${{ inputs.upgrade-cairo }} diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index ef8880310..59ba6778a 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -85,6 +85,8 @@ jobs: nightly_branch: ${{ steps.version.outputs.nightly_branch }} steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - uses: dtolnay/rust-toolchain@stable - name: Configure Git for committing @@ -200,11 +202,14 @@ jobs: - uses: actions/checkout@v6 with: ref: ${{ needs.prepare.outputs.nightly_branch }} + persist-credentials: false - name: Create source code archives run: | - git archive "--prefix=scarb-${{ needs.prepare.outputs.nightly_tag }}/" -o "scarb-${{ needs.prepare.outputs.nightly_tag }}.zip" HEAD - git archive "--prefix=scarb-${{ needs.prepare.outputs.nightly_tag }}/" -o "scarb-${{ needs.prepare.outputs.nightly_tag }}.tar.gz" HEAD + git archive "--prefix=scarb-${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}/" -o "scarb-${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}.zip" HEAD + git archive "--prefix=scarb-${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}/" -o "scarb-${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}.tar.gz" HEAD + env: + NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG: ${{ needs.prepare.outputs.nightly_tag }} - name: Download artifacts uses: actions/download-artifact@v8 
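Review bot: `contents: write` on the `dev-build` job becomes the ceiling for every job inside the called nightly.yml, not only the ones that push; unless nightly.yml scopes `permissions` per job itself (not visible in these hunks), `upload` and `notify_failed` run with a write-capable `GITHUB_TOKEN` they do not appear to use — `upload` authenticates with `SCARB_NIGHTLIES_CONTENTS_WRITE`. If nightly.yml can declare job-level permissions, `contents: read` on the jobs that only download artifacts or post a notification, with `write` kept for the jobs that push or delete the nightly branch, narrows the token to where it is needed. Passing the two secrets explicitly instead of `secrets: inherit` is the right direction for the same reason.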
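Review bot: nightly.yml keeps mutable refs — `actions/checkout@v6` in the @@ -85 and @@ -200 hunks, `dtolnay/rust-toolchain@stable`, `actions/download-artifact@v8` — while the same commit moves _build-release.yml and release.yml to commit SHAs, so the nightly pipeline, which holds the `SCARB_NIGHTLIES_CONTENTS_WRITE` token, remains the one place where a re-tagged upstream action could still be pulled in. Pinning the same SHAs here, e.g. `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`, keeps the three workflows consistent; the other nightly.yml hunks of this commit carry the same tag refs.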
@@ -221,20 +226,21 @@ jobs: - name: Create GitHub release run: | gh release create \ - "${{ needs.prepare.outputs.nightly_tag }}" \ + "${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}" \ --repo software-mansion/scarb-nightlies \ ${{ !inputs.is_dev && '--latest' || '--latest=false' }} \ - --title "${{ needs.prepare.outputs.nightly_tag }}" \ + --title "${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}" \ --notes-file NIGHTLY_RELEASE_NOTES.md env: GH_TOKEN: ${{ secrets.SCARB_NIGHTLIES_CONTENTS_WRITE }} + NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG: ${{ needs.prepare.outputs.nightly_tag }} - name: Upload release assets run: | for file in \ ./artifacts/* \ - "scarb-${{ needs.prepare.outputs.nightly_tag }}.zip#Scarb source code (zip)" \ - "scarb-${{ needs.prepare.outputs.nightly_tag }}.tar.gz#Scarb source code (tar.gz)" + "scarb-${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}.zip#Scarb source code (zip)" \ + "scarb-${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}.tar.gz#Scarb source code (tar.gz)" do # If there isn't # in name, it means that it is a build artifact # and we need to remove version tag from the name, so it can be @@ -251,12 +257,13 @@ jobs: fi gh release upload \ - "${{ needs.prepare.outputs.nightly_tag }}" \ + "${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}" \ "$file" \ --repo software-mansion/scarb-nightlies done env: GH_TOKEN: ${{ secrets.SCARB_NIGHTLIES_CONTENTS_WRITE }} + NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG: ${{ needs.prepare.outputs.nightly_tag }} cleanup: runs-on: ubuntu-latest @@ -264,9 +271,13 @@ jobs: needs: [ prepare, upload ] steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Delete nightly branch run: | - git push origin -d ${{ needs.prepare.outputs.nightly_branch }} + git push origin -d ${NEEDS_PREPARE_OUTPUTS_NIGHTLY_BRANCH} + env: + NEEDS_PREPARE_OUTPUTS_NIGHTLY_BRANCH: ${{ needs.prepare.outputs.nightly_branch }} notify_failed: runs-on: ubuntu-latest diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b243e0996..18fe10bac 100644 
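Review bot: The expansion in `git push origin -d ${NEEDS_PREPARE_OUTPUTS_NIGHTLY_BRANCH}` in the cleanup hunk is left unquoted, unlike every other value the commit moved into `env`, so a value containing whitespace or glob characters would be split into several arguments; write it as `git push origin -d "${NEEDS_PREPARE_OUTPUTS_NIGHTLY_BRANCH}"`. The branch name comes from the `prepare` job's own version step, so this is a consistency point more than an injection one, but the env-variable indirection is only a complete fix when the value is also quoted at the use site.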
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,8 +5,7 @@ on: tags: - v[0-9]+.* -permissions: - contents: write +permissions: {} jobs: check: @@ -22,11 +21,15 @@ jobs: name: draft release runs-on: ubuntu-latest needs: [ check, release ] + permissions: + contents: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Download artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: path: artifacts-dl @@ -40,11 +43,12 @@ jobs: - name: Draft GitHub release run: | gh release create \ - '${{ github.ref_name }}' \ + "${RELEASE_TAG}" \ ./artifacts/* \ --draft \ - --title '${{ github.ref_name }}' \ + --title "${RELEASE_TAG}" \ --generate-notes \ --verify-tag env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + RELEASE_TAG: ${{ github.ref_name }} From 667ce5094bf6edf72c6e0bfa82114f8628ed0ea6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20Tr=C4=85tnowiecki?= Date: Thu, 28 May 2026 19:45:24 +0200 Subject: [PATCH 2/4] Add static analysis for release workflows --- .github/workflows/zizmor.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 000000000..bc344affb --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,24 @@ +name: Workflow Security Analysis + +on: + push: + branches: ["main"] + paths: [".github/workflows/**"] + pull_request: + paths: [".github/workflows/**"] + +permissions: {} + +jobs: + zizmor: + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + actions: read + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + + - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 
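Review bot: With the top-level block reduced to `permissions: {}`, the `check` job and the `release` job that `draft` depends on (both outside this hunk; `release` presumably invokes the reusable build) now run with a `GITHUB_TOKEN` that has no `contents` scope, and nothing in the commit grants them `contents: read`. Checkout of a public repository generally tolerates that, but any step in those jobs that calls the GitHub API with the token will not, and the failure would only surface on the next tag push. Declaring `permissions:` / `contents: read` on those jobs makes the intent explicit and matches what zizmor.yml in the next commit does for its own job.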
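Review bot: The `pull_request` trigger in the new zizmor.yml also fires for pull requests from forks, where `GITHUB_TOKEN` is read-only regardless of the `security-events: write` declared on the job, so the SARIF upload to code scanning cannot succeed for those runs. Confirm that the pinned `zizmor-action` version falls back to annotations or log output in that case rather than failing the job, otherwise the check becomes an obstacle for external contributors without actually reporting findings. A one-line comment above `security-events: write` stating that it only takes effect for same-repository runs would save the next reader the same investigation.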
From af9479c8a51e721ae39780c30fbc7285cb9a784f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20Tr=C4=85tnowiecki?= Date: Thu, 28 May 2026 20:16:09 +0200 Subject: [PATCH 3/4] Add required permissions --- .github/workflows/_build-release.yml | 8 ++++++-- .github/workflows/nightly.yml | 4 ---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/_build-release.yml b/.github/workflows/_build-release.yml index aca714b14..ca52ce940 100644 --- a/.github/workflows/_build-release.yml +++ b/.github/workflows/_build-release.yml @@ -85,7 +85,9 @@ jobs: - name: Install cross if: matrix.cross - uses: taiki-e/install-action@acd64fff6a014853b02d944cbf71c278fba2034d # cross + uses: taiki-e/install-action@899b013517f9e7774591216672bf75a46bb9a481 # v2.9.4 + with: + tool: cross - name: Enable cross-compilation if: matrix.cross @@ -103,7 +105,9 @@ jobs: - name: Install cross if: matrix.cross && inputs.include-stwo - uses: taiki-e/install-action@acd64fff6a014853b02d944cbf71c278fba2034d # cross + uses: taiki-e/install-action@899b013517f9e7774591216672bf75a46bb9a481 # v2.9.4 + with: + tool: cross - name: Enable cross-compilation if: matrix.cross && inputs.include-stwo diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 59ba6778a..ca6b6ee4c 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -85,8 +85,6 @@ jobs: nightly_branch: ${{ steps.version.outputs.nightly_branch }} steps: - uses: actions/checkout@v6 - with: - persist-credentials: false - uses: dtolnay/rust-toolchain@stable - name: Configure Git for committing @@ -271,8 +269,6 @@ jobs: needs: [ prepare, upload ] steps: - uses: actions/checkout@v6 - with: - persist-credentials: false - name: Delete nightly branch run: | git push origin -d ${NEEDS_PREPARE_OUTPUTS_NIGHTLY_BRANCH} From 46b4339bac8018da2da489d0ea8529f3f65bf3d5 Mon Sep 17 00:00:00 2001 
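Review bot: Dropping `persist-credentials: false` from the `prepare` and `cleanup` checkouts restores the default in which the `GITHUB_TOKEN` is written into `.git/config` for the remainder of each job — in `prepare` that covers the toolchain install and every later step, not just the `git push` that presumably needed it. If the push is the only consumer, the hardening can be kept by leaving `persist-credentials: false` in place and giving the push step the token on its own, e.g. `git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}" -d "${NEEDS_PREPARE_OUTPUTS_NIGHTLY_BRANCH}"` with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` added to that step's `env`. The commit subject says permissions were added, but these hunks only change the install-action invocation and the checkout credentials, so the message could name what actually changed.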
From: =?UTF-8?q?Maciej=20Tr=C4=85tnowiecki?= Date: Fri, 29 May 2026 16:40:20 +0200 Subject: [PATCH 4/4] Limit zizmor only to release workflows --- .github/workflows/zizmor.yml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index bc344affb..f7de7b0e0 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -3,9 +3,15 @@ name: Workflow Security Analysis on: push: branches: ["main"] - paths: [".github/workflows/**"] + paths: + - ".github/workflows/_build_release.yml" + - ".github/workflows/nightly.yml" + - ".github/workflows/release.yml" pull_request: - paths: [".github/workflows/**"] + paths: + - ".github/workflows/_build_release.yml" + - ".github/workflows/nightly.yml" + - ".github/workflows/release.yml" permissions: {} @@ -22,3 +28,8 @@ jobs: persist-credentials: false - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + workspace: >- + .github/workflows/_build_release.yml + .github/workflows/nightly.yml + .github/workflows/release.yml
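Review bot: The three new `paths` entries name `.github/workflows/_build_release.yml`, but the file this series hardens is `.github/workflows/_build-release.yml` (hyphen, see the diff headers of the first and third commits), so changes to that workflow will neither trigger the analysis nor be included in it; the same typo is repeated in the `workspace` list of the @@ -22 hunk. `build-dev.yml`, which the first commit also changed and which grants `contents: write` to the nightly run, and zizmor.yml itself are dropped from scope as well, so an edit that loosens either no longer runs this check — consider keeping them in both lists. Finally, confirm that `workspace` is an input accepted by the pinned zizmor-action version: an unrecognised `with:` key only produces a runner warning, and the action would then silently analyse its default target instead of the intended files.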