woodruffw opened a new pull request, #687: URL: https://github.com/apache/opendal-reqsign/pull/687
Hi there! [uv](https://github.com/astral-sh/uv) is a downstream user of this crate, and as a result we have an interest in ensuring your CI/CD is as secure, hermetic, and reproducible as possible 🙂 To that end, this PR has a series of commits (each of which can be reviewed separately) that will hopefully improve your default posture. These changes were made based on findings from [zizmor](https://docs.zizmor.sh). To summarize: 1. All actions references are now hash-pinned, to prevent unexpected tag mutation. Dependabot will handle updating these hash-pins for you. 2. Dependabot itself now enforces a seven-day cooldown, to reduce the risk of quickly adopting a compromised dependency. 3. I've minimized all permissions and credential persistence risks in all workflows. This should be **reviewed carefully**, since it's hard to predict ahead-of-time whether some permissions were being used implicitly. 4. I've eliminated all flagged template injection risks. Most of these are not exploitable in practice, but intermediating expressions with shell variables `${FOO}` instead of `${{ foo }}` is a best practice anyways. After all of that, the only remaining default finding is this: ``` info[use-trusted-publishing]: prefer trusted publishing for authentication --> ./.github/workflows/release.yml:40:14 | 40 | - run: cargo publish --workspace | --- ^^^^^^^^^^^^^^^^^^^^^^^^^ this command | | | this step | = note: audit confidence → High ``` To fix that one, one of the maintainers will need to set up [Trusted Publishing](https://crates.io/docs/trusted-publishing) and remove your current manual crates.io token. I strongly recommend doing this as a way to reduce your credential exposure risk 🙂 Finally, I've done all this without adding a workflow that will proactively catch new CI/CD issues. However, if you're interested in that, I'd be happy to add one. Signed-off-by: William Woodruff <[email protected]> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
