Skip to content

Commit c42df68

Browse files
committed
fix: remediate security issues in workflows
Signed-off-by: John McCall <john@overturemaps.org>
1 parent 7162a0d commit c42df68

4 files changed

Lines changed: 27 additions & 26 deletions

File tree

.github/workflows/check-python-code.yaml

Lines changed: 2 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
name: Check Python package code
22

33
on:
4-
pull_request_target:
4+
pull_request:
55
paths:
66
- 'packages/**'
77
- 'pyproject.toml'
@@ -16,12 +16,9 @@ on:
1616
jobs:
1717
check:
1818
runs-on: ubuntu-latest
19-
if: github.event.pull_request.head.repo.full_name == github.repository
2019

2120
steps:
22-
- uses: actions/checkout@v4
23-
with:
24-
ref: ${{ github.event.pull_request.head.sha }}
21+
- uses: actions/checkout@v6
2522

2623
- name: Install uv
2724
uses: astral-sh/setup-uv@v4

.github/workflows/check-python-package-versions.yaml

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
name: Check Python package version numbers
22

33
on:
4-
pull_request_target:
4+
pull_request:
55
paths:
66
- '**/pyproject.toml'
77
- 'packages/**/__about__.py'
@@ -12,7 +12,6 @@ permissions:
1212

1313
jobs:
1414
check:
15-
if: github.event.pull_request.head.repo.full_name == github.repository
1615
uses: ./.github/workflows/reusable-check-python-package-versions.yaml
1716
with:
1817
before_commit: ${{ github.event.pull_request.base.sha }}

.github/workflows/publish-python-packages.yaml

Lines changed: 13 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,7 @@ on:
66
paths:
77
- '**/pyproject.toml'
88
- 'packages/**/__about__.py'
9+
workflow_dispatch:
910
inputs:
1011
aws_iam_role_name:
1112
description: The name of the IAM role to assume for accessing CodeArtifact
@@ -64,16 +65,18 @@ jobs:
6465
- name: Get CodeArtifact publish URL
6566
id: get-code-artifact-params
6667
run: |
67-
echo 'token<<EOF' >> $GITHUB_OUTPUT
68-
./.github/workflows/scripts/code-artifact.sh token \
69-
505071440022 us-west-2 overture-pypi >> $GITHUB_OUTPUT
70-
echo EOF >> $GITHUB_OUTPUT
71-
echo 'publish_url<<EOF' >> $GITHUB_OUTPUT
72-
./.github/workflows/scripts/code-artifact.sh publish-url \
73-
505071440022 us-west-2 overture-pypi overture >> $GITHUB_OUTPUT
74-
echo EOF >> $GITHUB_OUTPUT
68+
token=$(./.github/workflows/scripts/code-artifact.sh token \
69+
505071440022 us-west-2 overture-pypi)
70+
echo "::add-mask::${token}"
71+
echo "token=${token}" >> $GITHUB_OUTPUT
72+
publish_url=$(./.github/workflows/scripts/code-artifact.sh publish-url \
73+
505071440022 us-west-2 overture-pypi overture)
74+
echo "publish_url=${publish_url}" >> $GITHUB_OUTPUT
7575
7676
- name: Publish package ${{ matrix.package }} version ${{ matrix.after }} to PyPI
77+
env:
78+
CA_TOKEN: ${{ steps.get-code-artifact-params.outputs.token }}
79+
CA_PUBLISH_URL: ${{ steps.get-code-artifact-params.outputs.publish_url }}
7780
run: |
7881
package="${{ matrix.package }}"
7982
before="${{ matrix.before }}"
@@ -91,5 +94,5 @@ jobs:
9194
exit 1
9295
fi
9396
uv publish "$wheel" "$tarball" \
94-
-t "${{ steps.get-code-artifact-params.outputs.token }}" \
95-
--publish-url "${{ steps.get-code-artifact-params.outputs.publish_url }}"
97+
-t "${CA_TOKEN}" \
98+
--publish-url "${CA_PUBLISH_URL}"

.github/workflows/reusable-check-python-package-versions.yaml

Lines changed: 11 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -62,17 +62,17 @@ jobs:
6262
run: sudo apt-get update && sudo apt-get install -y jq
6363

6464
- name: Install uv
65-
uses: astral-sh/setup-uv@v4
65+
uses: astral-sh/setup-uv@v7
6666
with:
6767
version: latest
6868

6969
- name: Set up Python
70-
uses: actions/setup-python@v5
70+
uses: actions/setup-python@v6
7171
with:
72-
python-version: "3.10"
72+
python-version-file: .python-version
7373

7474
- name: Check out code before change
75-
uses: actions/checkout@v4
75+
uses: actions/checkout@v6
7676
with:
7777
ref: ${{ inputs.before_commit }}
7878

@@ -123,20 +123,22 @@ jobs:
123123
id: get-code-artifact-index-url
124124
if: steps.save-changes.outputs.num_changed_packages > 0
125125
run: |
126-
echo 'index_url<<EOF' >> $GITHUB_OUTPUT
127-
./.github/workflows/scripts/code-artifact.sh index-url \
126+
index_url=$(./.github/workflows/scripts/code-artifact.sh index-url \
128127
"${{ inputs.aws_account_id }}" "${{ inputs.aws_region }}" \
129-
"${{ inputs.domain }}" "${{ inputs.repository }}" >> $GITHUB_OUTPUT
130-
echo EOF >> $GITHUB_OUTPUT
128+
"${{ inputs.domain }}" "${{ inputs.repository }}")
129+
echo "::add-mask::${index_url}"
130+
echo "index_url=${index_url}" >> $GITHUB_OUTPUT
131131
132132
- name: Fail if any of the new versions already exist in the repo
133133
if: steps.save-changes.outputs.num_changed_packages > 0
134+
env:
135+
INDEX_URL: ${{ steps.get-code-artifact-index-url.outputs.index_url }}
134136
run: |
135137
jq -c '.[]' /tmp/package-version-diff.json | while read -r entry; do
136138
package=$(echo "$entry" | jq -r '.package')
137139
after=$(echo "$entry" | jq -r '.after')
138140
exit_code=0
139-
output=$(uv run pip download "${package}==${after}" --index-url "${{ steps.get-code-artifact-index-url.outputs.index_url }}" --no-deps -d /tmp --quiet 2>&1) || exit_code=$?
141+
output=$(uv run pip download "${package}==${after}" --index-url "${INDEX_URL}" --no-deps -d /tmp --quiet 2>&1) || exit_code=$?
140142
if [[ $exit_code -eq 0 || (
141143
"${output,,}" != *"could not find a version"* &&
142144
"${output,,}" != *"no matching distributions"*

0 commit comments

Comments
 (0)