
🔒️ Improve GitHub actions security (#15607)

pull/15628/head
Yurii Motov 1 week ago
committed by GitHub
parent
commit
a3558be5f8
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
  1. 1
      .github/workflows/add-to-project.yml
  2. 7
      .github/workflows/build-docs.yml
  3. 2
      .github/workflows/contributors.yml
  4. 3
      .github/workflows/deploy-docs.yml
  5. 1
      .github/workflows/detect-conflicts.yml
  6. 1
      .github/workflows/guard-dependencies.yml
  7. 1
      .github/workflows/issue-manager.yml
  8. 3
      .github/workflows/label-approved.yml
  9. 2
      .github/workflows/labeler.yml
  10. 1
      .github/workflows/latest-changes.yml
  11. 3
      .github/workflows/notify-translations.yml
  12. 2
      .github/workflows/people.yml
  13. 4
      .github/workflows/pre-commit.yml
  14. 3
      .github/workflows/publish.yml
  15. 3
      .github/workflows/smokeshow.yml
  16. 3
      .github/workflows/sponsors.yml
  17. 2
      .github/workflows/test-redistribute.yml
  18. 11
      .github/workflows/test.yml
  19. 3
      .github/workflows/topic-repos.yml
  20. 4
      .github/workflows/translate.yml
  21. 24
      .github/workflows/zizmor.yml
  22. 2
      .pre-commit-config.yaml

1
.github/workflows/add-to-project.yml

@ -13,6 +13,7 @@ jobs:
add-to-project: add-to-project:
name: Add to project name: Add to project
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 5
steps: steps:
- uses: actions/add-to-project@5afcf98fcd03f1c2f92c3c83f58ae24323cc57fd # v2.0.0 - uses: actions/add-to-project@5afcf98fcd03f1c2f92c3c83f58ae24323cc57fd # v2.0.0
with: with:

7
.github/workflows/build-docs.yml

@ -16,6 +16,7 @@ jobs:
# Required permissions # Required permissions
permissions: permissions:
pull-requests: read pull-requests: read
timeout-minutes: 5
# Set job outputs to values from filter step # Set job outputs to values from filter step
outputs: outputs:
docs: ${{ steps.filter.outputs.docs }} docs: ${{ steps.filter.outputs.docs }}
@ -42,6 +43,7 @@ jobs:
- changes - changes
if: ${{ needs.changes.outputs.docs == 'true' }} if: ${{ needs.changes.outputs.docs == 'true' }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 5
outputs: outputs:
langs: ${{ steps.show-langs.outputs.langs }} langs: ${{ steps.show-langs.outputs.langs }}
steps: steps:
@ -55,6 +57,8 @@ jobs:
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
# Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
# See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
version: "0.11.4" version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |
@ -73,6 +77,7 @@ jobs:
- langs - langs
if: ${{ needs.changes.outputs.docs == 'true' }} if: ${{ needs.changes.outputs.docs == 'true' }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 7
strategy: strategy:
matrix: matrix:
lang: ${{ fromJson(needs.langs.outputs.langs) }} lang: ${{ fromJson(needs.langs.outputs.langs) }}
@ -91,6 +96,8 @@ jobs:
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
# Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
# See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
version: "0.11.4" version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |

2
.github/workflows/contributors.yml

@ -33,6 +33,8 @@ jobs:
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
# Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
# See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
version: "0.11.4" version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |

3
.github/workflows/deploy-docs.yml

@ -16,6 +16,7 @@ jobs:
issues: write issues: write
pull-requests: write pull-requests: write
statuses: write statuses: write
timeout-minutes: 5
steps: steps:
- name: Dump GitHub context - name: Dump GitHub context
env: env:
@ -31,6 +32,8 @@ jobs:
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
# Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
# See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
version: "0.11.4" version: "0.11.4"
enable-cache: false enable-cache: false
- name: Install GitHub Actions dependencies - name: Install GitHub Actions dependencies

1
.github/workflows/detect-conflicts.yml

@ -12,6 +12,7 @@ jobs:
contents: read contents: read
pull-requests: write pull-requests: write
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 5
steps: steps:
- name: Check if PRs have merge conflicts - name: Check if PRs have merge conflicts
uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3 uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3

1
.github/workflows/guard-dependencies.yml

@ -15,6 +15,7 @@ permissions:
jobs: jobs:
check-author: check-author:
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 5
steps: steps:
- name: Check if author is org member or allowed bot - name: Check if author is org member or allowed bot
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0

1
.github/workflows/issue-manager.yml

@ -23,6 +23,7 @@ jobs:
permissions: permissions:
issues: write issues: write
pull-requests: write pull-requests: write
timeout-minutes: 5
steps: steps:
- name: Dump GitHub context - name: Dump GitHub context
env: env:

3
.github/workflows/label-approved.yml

@ -13,6 +13,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
pull-requests: write pull-requests: write
timeout-minutes: 7
steps: steps:
- name: Dump GitHub context - name: Dump GitHub context
env: env:
@ -28,6 +29,8 @@ jobs:
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
# Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
# See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
version: "0.11.4" version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |

2
.github/workflows/labeler.yml

@ -17,6 +17,7 @@ jobs:
contents: read contents: read
pull-requests: write pull-requests: write
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 5
steps: steps:
- uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0 - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
if: ${{ github.event.action != 'labeled' && github.event.action != 'unlabeled' }} if: ${{ github.event.action != 'labeled' && github.event.action != 'unlabeled' }}
@ -28,6 +29,7 @@ jobs:
permissions: permissions:
pull-requests: read pull-requests: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 5
steps: steps:
- uses: agilepathway/label-checker@c3d16ad512e7cea5961df85ff2486bb774caf3c5 # v1.6.65 - uses: agilepathway/label-checker@c3d16ad512e7cea5961df85ff2486bb774caf3c5 # v1.6.65
with: with:

1
.github/workflows/latest-changes.yml

@ -22,6 +22,7 @@ jobs:
latest-changes: latest-changes:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true
timeout-minutes: 5
steps: steps:
- name: Dump GitHub context - name: Dump GitHub context
env: env:

3
.github/workflows/notify-translations.yml

@ -24,6 +24,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
discussions: write discussions: write
timeout-minutes: 5
steps: steps:
- name: Dump GitHub context - name: Dump GitHub context
env: env:
@ -39,6 +40,8 @@ jobs:
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
# Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
# See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
version: "0.11.4" version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |

2
.github/workflows/people.yml

@ -33,6 +33,8 @@ jobs:
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
# Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
# See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
version: "0.11.4" version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |

4
.github/workflows/pre-commit.yml

@ -15,6 +15,7 @@ env:
jobs: jobs:
pre-commit: pre-commit:
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 5
steps: steps:
- name: Dump GitHub context - name: Dump GitHub context
env: env:
@ -48,6 +49,8 @@ jobs:
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
# Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
# See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
version: "0.11.4" version: "0.11.4"
cache-dependency-glob: | cache-dependency-glob: |
pyproject.toml pyproject.toml
@ -84,6 +87,7 @@ jobs:
needs: needs:
- pre-commit - pre-commit
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 5
steps: steps:
- name: Dump GitHub context - name: Dump GitHub context
env: env:

3
.github/workflows/publish.yml

@ -13,6 +13,7 @@ jobs:
permissions: permissions:
id-token: write id-token: write
contents: read contents: read
timeout-minutes: 5
steps: steps:
- name: Dump GitHub context - name: Dump GitHub context
env: env:
@ -28,6 +29,8 @@ jobs:
- name: Install uv - name: Install uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
# Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
# See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
version: "0.11.4" version: "0.11.4"
enable-cache: "false" enable-cache: "false"
- name: Build distribution - name: Build distribution

3
.github/workflows/smokeshow.yml

@ -12,6 +12,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
statuses: write statuses: write
timeout-minutes: 5
steps: steps:
- name: Dump GitHub context - name: Dump GitHub context
@ -27,6 +28,8 @@ jobs:
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
# Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
# See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
version: "0.11.4" version: "0.11.4"
cache-dependency-glob: | cache-dependency-glob: |
pyproject.toml pyproject.toml

3
.github/workflows/sponsors.yml

@ -18,6 +18,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
contents: write contents: write
timeout-minutes: 5
steps: steps:
- name: Dump GitHub context - name: Dump GitHub context
env: env:
@ -33,6 +34,8 @@ jobs:
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
# Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
# See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
version: "0.11.4" version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |

2
.github/workflows/test-redistribute.yml

@ -14,6 +14,7 @@ permissions: {}
jobs: jobs:
test-redistribute: test-redistribute:
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 5
steps: steps:
- name: Dump GitHub context - name: Dump GitHub context
env: env:
@ -57,6 +58,7 @@ jobs:
needs: needs:
- test-redistribute - test-redistribute
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 5
steps: steps:
- name: Decide whether the needed jobs succeeded or failed - name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2 uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2

11
.github/workflows/test.yml

@ -25,6 +25,7 @@ jobs:
permissions: permissions:
pull-requests: read pull-requests: read
# Set job outputs to values from filter step # Set job outputs to values from filter step
timeout-minutes: 5
outputs: outputs:
src: ${{ steps.filter.outputs.src }} src: ${{ steps.filter.outputs.src }}
steps: steps:
@ -50,6 +51,7 @@ jobs:
needs: needs:
- changes - changes
if: needs.changes.outputs.src == 'true' || github.ref == 'refs/heads/master' if: needs.changes.outputs.src == 'true' || github.ref == 'refs/heads/master'
timeout-minutes: 10
strategy: strategy:
matrix: matrix:
os: [ windows-latest, macos-latest ] os: [ windows-latest, macos-latest ]
@ -118,6 +120,8 @@ jobs:
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
# Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
# See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
version: "0.11.4" version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |
@ -161,6 +165,7 @@ jobs:
- changes - changes
if: needs.changes.outputs.src == 'true' || github.ref == 'refs/heads/master' if: needs.changes.outputs.src == 'true' || github.ref == 'refs/heads/master'
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 5
env: env:
UV_PYTHON: "3.13" UV_PYTHON: "3.13"
UV_RESOLUTION: highest UV_RESOLUTION: highest
@ -179,6 +184,8 @@ jobs:
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
# Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
# See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
version: "0.11.4" version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |
@ -196,6 +203,7 @@ jobs:
needs: needs:
- test - test
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 5
steps: steps:
- name: Dump GitHub context - name: Dump GitHub context
env: env:
@ -210,6 +218,8 @@ jobs:
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
# Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
# See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
version: "0.11.4" version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |
@ -241,6 +251,7 @@ jobs:
- coverage-combine - coverage-combine
- benchmark - benchmark
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 5
steps: steps:
- name: Dump GitHub context - name: Dump GitHub context
env: env:
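Review bot: In the first hunk of this file the new `timeout-minutes: 5` is inserted between the comment `# Set job outputs to values from filter step` and the `outputs:` key it describes, so the comment now reads as if it documented the timeout. Move the key up one line so it follows `pull-requests: read` directly and the comment sits on `outputs:` again, which is how every other hunk in this commit places it (immediately after `runs-on:` or the `permissions:` block). The matrix job's `timeout-minutes: 10` in the second hunk is the only budget that differs from the 5–7 minutes used elsewhere; a short comment such as `# windows/macos matrix runs are slower` next to it would make the exception self-explaining, if that is indeed the reason.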

3
.github/workflows/topic-repos.yml

@ -13,6 +13,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
contents: write contents: write
timeout-minutes: 5
steps: steps:
- name: Dump GitHub context - name: Dump GitHub context
env: env:
@ -28,6 +29,8 @@ jobs:
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
# Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
# See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
version: "0.11.4" version: "0.11.4"
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |

4
.github/workflows/translate.yml

@ -60,6 +60,8 @@ jobs:
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
# Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
# See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
version: "0.11.4" version: "0.11.4"
cache-dependency-glob: | cache-dependency-glob: |
pyproject.toml pyproject.toml
@ -101,6 +103,8 @@ jobs:
- name: Setup uv - name: Setup uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
# Before upgrading uv version, make sure astral-sh/setup-uv knows its checksum.
# See: https://github.com/astral-sh/setup-uv/issues/851#issuecomment-4282017837
version: "0.11.4" version: "0.11.4"
cache-dependency-glob: | cache-dependency-glob: |
pyproject.toml pyproject.toml

24
.github/workflows/zizmor.yml

@ -0,0 +1,24 @@
name: Zizmor
on:
push:
branches:
- main
workflow_dispatch:
permissions: {}
jobs:
zizmor:
name: Run zizmor
runs-on: ubuntu-latest
timeout-minutes: 5
permissions:
security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Run zizmor
uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
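Review bot: The push trigger is restricted to `branches: - main`, yet test.yml in this same commit gates jobs on `github.ref == 'refs/heads/master'`; if the repository's default branch is `master`, this audit never fires on push. Either align the branch name with the rest of the workflows or confirm which name is the default. Because the only other trigger is `workflow_dispatch:`, a workflow change in a pull request is covered solely by the pre-commit hook; adding `pull_request:` and a `schedule:` entry (for example `- cron: "0 6 * * 1"`, a constructed weekly slot) would also re-audit unchanged workflows when new zizmor rules ship. `persist-credentials: false` on the checkout and the empty top-level `permissions: {}` with the single job-level `security-events: write` are the right least-privilege defaults for this job.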

2
.pre-commit-config.yaml

@ -96,6 +96,6 @@ repos:
name: zizmor name: zizmor
language: python language: python
entry: uv run zizmor . entry: uv run zizmor .
files: ^\.github\/workflows\/ files: ^\.github/workflows/|^uv\.lock$
require_serial: true require_serial: true
pass_filenames: false pass_filenames: false
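Review bot: The widened `files` pattern `^\.github/workflows/|^uv\.lock$` only decides whether the hook runs at all, since `pass_filenames: false` means `entry: uv run zizmor .` audits the whole checkout; a change confined to a composite action under `.github/actions/` (if the repository has any) would therefore not trigger it, and the push-only zizmor workflow added in this commit would not catch it before merge either. `files: ^\.github/|^uv\.lock$` would re-run the audit on any change under `.github/` at no extra cost, given the hook scans everything anyway. The hook definition (`id`, `repo`) begins before this hunk.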
