
Commit 9c19d8d

Merge #24: Address code scanning results
7712c69 ci(dependabot): Configure cooldown (valued mammal)
d0b0596 ci: Limit token permissions (valued mammal)
edce0c3 ci: Pin `setup-rust-toolchain` to a commit (valued mammal)
7f18365 ci: Bump `actions/checkout` to v6 (valued mammal)
3c437a2 ci: Set `persist-credentials` false on checkout (valued mammal)
346367b ci(audit): Remove undefined `deny` input from rustsec/audit-check (valued mammal)

Pull request description:

### Description

This PR is meant to address the warnings surfaced by zizmor's code scanning results. See the [Security tab](https://github.com/bitcoindevkit/bdk-bitcoind-client/security/code-scanning) for details.

Key changes

- No longer persist credentials upon checking out the repository
- Ensure actions are pinned to a commit hash
- Fix overly broad permissions
- Configure cooldown (7 days) of dependabot updates
- Update `actions/checkout` to actions/checkout@8e8c483 (v6)

### Notes to the reviewers

The `audit.yml` workflow was setting a "deny" action input to be used by `rustsec/audit-check`, but according to the [documentation](https://github.com/rustsec/audit-check?tab=readme-ov-file#inputs) this doesn't appear to be a valid input, hence removed it in 346367b.

### Changelog notice

- ci: Bump `actions/checkout` to v6

### Checklists

#### All Submissions:

* [x] I've signed all my commits

ACKs for top commit:
  luisschwab: ACK 7712c69
  tvpeter: ACK 7712c69

Tree-SHA512: 8336bf63de3db31b5b9774578f192297d607b2e8053b68b3fe3d748f81579aec99f6d1a3565ef3fd41a2caf4ee0b30ccc04196075a4b316f151c3517e3d794c9
2 parents d1c66c2 + 7712c69 commit 9c19d8d

4 files changed

Lines changed: 57 additions & 43 deletions


.github/dependabot.yml

Lines changed: 9 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,18 +1,21 @@
11
version: 2
2-
enable-beta-ecosystems: true
2+
enable-beta-ecosystems: true
33

44
updates:
5-
5+
66
- package-ecosystem: github-actions
77
directory: "/"
88
schedule:
9-
interval: daily
10-
time: "03:00"
11-
9+
interval: daily
10+
time: "03:00"
11+
cooldown:
12+
default-days: 7
13+
1214
- package-ecosystem: cargo
1315
directory: "/"
1416
schedule:
1517
interval: weekly
1618
day: monday
1719
time: "04:00"
18-
20+
cooldown:
21+
default-days: 7
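Review bot: the `interval`/`time` lines under the github-actions schedule (old 9-11, new 9-11) are deleted and re-added with identical text, so this hunk carries a whitespace or indentation change alongside the functional addition of `cooldown`; since the rendered diff drops indentation, confirm that `cooldown` ends up as a sibling of `schedule` under each update entry rather than nested inside `schedule`, otherwise Dependabot will reject the config. The 7-day `default-days` applies to both the github-actions and cargo ecosystems; check against the Dependabot docs whether security updates are exempt from cooldown, and if they are not, add an exclusion so advisory-driven bumps are not held back a week.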

.github/workflows/audit.yml

Lines changed: 10 additions & 9 deletions
@@ -10,29 +10,31 @@ on:
1010
- '**/Cargo.toml'
1111
- '**/Cargo.lock'
1212
schedule:
13-
# weekly
14-
- cron: '0 0 * * 0'
13+
- cron: '0 0 * * 0' # At 00:00 on Sunday
1514
workflow_dispatch:
1615

1716
env:
1817
CARGO_TERM_COLOR: always
1918

20-
permissions:
21-
contents: read
22-
security-events: write
23-
issues: write
19+
permissions: {}
2420

2521
jobs:
2622
cargo-audit:
2723
name: RustSec Audit (vulnerabilities)
2824
runs-on: ubuntu-latest
2925
timeout-minutes: 15
26+
permissions:
27+
contents: read
28+
security-events: write
29+
issues: write
3030

3131
steps:
3232
- name: Checkout code
33-
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
33+
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
34+
with:
35+
persist-credentials: false
3436
- name: Install Rust toolchain and configure cache
35-
uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c
37+
uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1
3638
with:
3739
toolchain: stable
3840
cache: true
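Review bot: the job-level `permissions` block (new 26-29) re-grants `contents: read`, `security-events: write` and `issues: write` to `cargo-audit` under the new workflow-level `permissions: {}`, which is the right shape, but each job-level scope should be justified by a step in the job; confirm which of `security-events: write` and `issues: write` the `rustsec/audit-check` step actually uses and drop whichever it does not. The `setup-rust-toolchain` pin comment `# v1` (new 37) names a floating major tag; prefer the exact release tag the hash resolves to (for example `# v1.x.y`, filled in from the action's releases) so the pin can be audited, and Dependabot will keep the comment in sync on later bumps.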
@@ -47,4 +49,3 @@ jobs:
4749
uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998
4850
with:
4951
token: ${{ secrets.GITHUB_TOKEN }}
50-
deny: warnings
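Review bot: removing `deny: warnings` (old 50) drops what looks like an earlier intent to fail the job on warnings; since the action does not document that input the job never enforced it, but the PR description should state explicitly that the audit job fails only on vulnerabilities so nobody assumes the stricter behaviour. The `rustsec/audit-check@69366f33...` pin (49) also has no trailing `# vX` version comment, unlike the checkout and toolchain pins in this PR; add one so Dependabot and reviewers can identify the release behind the hash.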

.github/workflows/cont_integration.yml

Lines changed: 23 additions & 17 deletions
@@ -2,6 +2,8 @@ on: [push, pull_request]
22

33
name: CI
44

5+
permissions: {}
6+
57
env:
68
CARGO_TERM_COLOR: always
79
RUST_BACKTRACE: 1
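Review bot: `permissions: {}` (new 5) at the workflow level removes every GITHUB_TOKEN scope for all jobs in this file, and unlike audit.yml and zizmor.yml in this PR none of the jobs below adds a job-level `permissions:` block. If any step needs the token (checkout of a private repository, or the toolchain action's cache) add `permissions: contents: read` at the job level; if no step does, this is the correct minimum and deserves a one-line comment saying so, so the next person does not "fix" it by widening the grant.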
@@ -12,15 +14,16 @@ jobs:
1214
runs-on: ubuntu-latest
1315
steps:
1416
- name: Checkout
15-
uses: actions/checkout@v4
16-
17+
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
18+
with:
19+
persist-credentials: false
1720
- name: Install Rust toolchain
18-
uses: actions-rust-lang/setup-rust-toolchain@v1
21+
uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1
1922
with:
2023
toolchain: stable
2124
components: rustfmt
2225
cache: true
23-
26+
2427
- name: Check fmt
2528
run: cargo fmt --all -- --check
2629

@@ -34,10 +37,11 @@ jobs:
3437
- --no-default-features
3538
- --all-features
3639
steps:
37-
- uses: actions/checkout@v4
38-
40+
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
41+
with:
42+
persist-credentials: false
3943
- name: Install Rust toolchain
40-
uses: actions-rust-lang/setup-rust-toolchain@v1
44+
uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1
4145
with:
4246
toolchain: stable
4347
components: clippy
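Review bot: the checkout step (new 40) is a bare `- uses:` entry while the equivalent step in the first job is named `Checkout` (14-16 in the previous hunk); give it a `name:` for consistency, which also makes the job log easier to scan when a checkout fails.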
@@ -57,20 +61,21 @@ jobs:
5761
- --no-default-features
5862
- --all-features
5963
steps:
60-
- uses: actions/checkout@v4
61-
64+
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
65+
with:
66+
persist-credentials: false
6267
- name: Install Rust toolchain
63-
uses: actions-rust-lang/setup-rust-toolchain@v1
68+
uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1
6469
with:
6570
toolchain: stable
6671
cache: true
67-
72+
6873
- name: Build
6974
run: cargo build ${{ matrix.features }} --verbose
70-
75+
7176
- name: Run unit tests
7277
run: cargo test ${{ matrix.features }} --lib --verbose
73-
78+
7479
- name: Run doc tests
7580
run: cargo test ${{ matrix.features }} --doc --verbose
7681

@@ -79,13 +84,14 @@ jobs:
7984
name: MSRV
8085
runs-on: ubuntu-latest
8186
steps:
82-
- uses: actions/checkout@v4
83-
87+
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
88+
with:
89+
persist-credentials: false
8490
- name: Install Rust toolchain
85-
uses: actions-rust-lang/setup-rust-toolchain@v1
91+
uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1
8692
with:
8793
toolchain: 1.75.0
8894
cache: true
89-
95+
9096
- name: Check MSRV
9197
run: cargo check --all-features

.github/workflows/zizmor.yml

Lines changed: 15 additions & 11 deletions
@@ -1,26 +1,30 @@
11
name: GitHub Actions Security Analysis with zizmor
22

33
on:
4-
pull_request:
4+
pull_request:
5+
branches: ["**"]
6+
push:
57
branches: ["**"]
6-
push:
7-
branches: ["**"]
88
schedule:
9-
- cron: '0 0 * * 0'
10-
workflow_dispatch:
9+
- cron: '0 0 * * 0' # At 00:00 on Sunday
10+
workflow_dispatch:
1111

12-
permissions:
13-
contents: read
14-
security-events: write
12+
permissions: {}
1513

1614
jobs:
1715
zizmor:
1816
name: zizmor security scan
1917
runs-on: ubuntu-latest
2018
timeout-minutes: 10
19+
permissions:
20+
contents: read
21+
security-events: write
22+
2123
steps:
2224
- name: Checkout repository
23-
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
25+
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
26+
with:
27+
persist-credentials: false
2428

25-
- name: Run zizmor
26-
uses: zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95
29+
- name: Run zizmor
30+
uses: zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95
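Review bot: the restructured trigger (new 4-7) gives `pull_request` its own `branches: ["**"]` filter and keeps `push` with the same filter, so the scan runs twice for PRs opened from branches in this repository; harmless for a scan but worth knowing. The job-level grant of `contents: read` and `security-events: write` (new 19-21) restores what the job had at workflow level before, so the results upload keeps working under the new `permissions: {}`. The `zizmorcore/zizmor-action@135698455...` pin (30) has no `# vX` version comment; add one for consistency with the checkout and toolchain pins introduced in this PR.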
