From 2f01c2119f1294c5acd60e24aea5442a040638ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Hensgen?= <24550538+sebhmg@users.noreply.github.com> Date: Sun, 2 Nov 2025 18:34:27 -0500 Subject: [PATCH 1/4] [DEVOPS-917] define cooldown for dependabot and add an empty zizmor config file --- .github/dependabot.yml | 6 ++++-- zizmor.yml | 1 + 2 files changed, 5 insertions(+), 2 deletions(-) create mode 100644 zizmor.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 49ba8e65..e346f3da 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,6 +7,8 @@ version: 2 updates: - package-ecosystem: "github-actions" directory: "/" - schedule: - interval: "monthly" target-branch: "develop" + schedule: + interval: "weekly" + cooldown: + default-days: 4 diff --git a/zizmor.yml b/zizmor.yml new file mode 100644 index 00000000..01c57e82 --- /dev/null +++ b/zizmor.yml @@ -0,0 +1 @@ +rules: From a2072bc94d6f1cdc80c9da093cb22b0888246339 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Hensgen?= <24550538+sebhmg@users.noreply.github.com> Date: Sun, 2 Nov 2025 18:35:24 -0500 Subject: [PATCH 2/4] [DEVOPS-917] add zizmor security scan --- .github/workflows/security_scan.yml | 43 +++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 .github/workflows/security_scan.yml diff --git a/.github/workflows/security_scan.yml b/.github/workflows/security_scan.yml new file mode 100644 index 00000000..0060b34d --- /dev/null +++ b/.github/workflows/security_scan.yml @@ -0,0 +1,43 @@ +name: Security Scan + +on: + pull_request: + types: [opened, synchronize, reopened, ready_for_review] + branches: + - develop + - main + - release/** + - feature/** + - hotfix/** + push: + branches: + - develop + - main + - release/** + - feature/** + - hotfix/** + +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + +jobs: + call-workflow-zizmor-annotate: + name: Zizmor analysis (advanced security) + if: ${{ github.event_name != 'pull_request' }} + permissions: + security-events: write + contents: read + actions: read + uses: MiraGeoscience/CI-tools/.github/workflows/reusable-zizmor-advanced-security.yml@v2 + + call-workflow-zizmor-advanced-security: + name: Zizmor analysis (annotate) + if: ${{ github.event_name == 'pull_request' }} + permissions: + checks: write + contents: read + actions: read + uses: MiraGeoscience/CI-tools/.github/workflows/reusable-zizmor-annotate.yml@v2 From 7c2852c0d786366c235d525c425b5367ad075961 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Hensgen?= <24550538+sebhmg@users.noreply.github.com> Date: Sun, 2 Nov 2025 18:36:37 -0500 Subject: [PATCH 3/4] [DEVOPS-917] point workflows to CI-tools @v2 instead of main --- .github/workflows/issue_to_jira.yml | 2 +- .github/workflows/pr_add_jira_summary.yml | 2 +- .github/workflows/python_analysis.yml | 4 ++-- .github/workflows/python_deploy_dev.yml | 4 ++-- .github/workflows/python_deploy_prod.yml | 4 ++-- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/issue_to_jira.yml b/.github/workflows/issue_to_jira.yml index a187c3a0..682299e1 100644 --- a/.github/workflows/issue_to_jira.yml +++ b/.github/workflows/issue_to_jira.yml @@ -6,7 +6,7 @@ on: jobs: call-workflow-create-jira-issue: - uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-issue_to_jira.yml@main + uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-issue_to_jira.yml@v2 secrets: inherit with: project-key: 'GEOPY' diff --git a/.github/workflows/pr_add_jira_summary.yml b/.github/workflows/pr_add_jira_summary.yml index 794bf3f0..4ac2e39c 100644 --- a/.github/workflows/pr_add_jira_summary.yml +++ b/.github/workflows/pr_add_jira_summary.yml @@ -6,5 +6,5 @@ on: jobs: call-workflow-add-jira-issue-summary: - uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-pr_add_jira_summary.yml@main + uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-pr_add_jira_summary.yml@v2 secrets: inherit diff --git a/.github/workflows/python_analysis.yml b/.github/workflows/python_analysis.yml index 9db19bde..514e0817 100644 --- a/.github/workflows/python_analysis.yml +++ b/.github/workflows/python_analysis.yml @@ -24,14 +24,14 @@ concurrency: jobs: call-workflow-static-analysis: name: Static analysis - uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-static_analysis.yml@main + uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-static_analysis.yml@v2 with: package-manager: 'poetry' app-name: 'omf' python-version: '3.10' call-workflow-pytest: name: Pytest - uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-pytest.yml@main + uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-pytest.yml@v2 with: package-manager: 'poetry' python-versions: '["3.10", "3.11", "3.12"]' diff --git a/.github/workflows/python_deploy_dev.yml b/.github/workflows/python_deploy_dev.yml index f467dfaf..4600332b 100644 --- a/.github/workflows/python_deploy_dev.yml +++ b/.github/workflows/python_deploy_dev.yml @@ -12,7 +12,7 @@ concurrency: jobs: call-workflow-conda-publish: name: Publish development conda package on JFrog Artifactory - uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-publish_rattler_package.yml@main + uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-publish_rattler_package.yml@v2 with: package-name: 'mira-omf' python-version: '3.10' @@ -24,7 +24,7 @@ jobs: JFROG_ARTIFACTORY_TOKEN: ${{ secrets.JFROG_ARTIFACTORY_TOKEN }} call-workflow-pypi-publish: name: Publish development pypi package (JFrog Artifactory, TestPyPI) - uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-publish_pypi_package.yml@main + uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-publish_pypi_package.yml@v2 with: package-manager: 'poetry' package-name: 'mira-omf' diff --git a/.github/workflows/python_deploy_prod.yml b/.github/workflows/python_deploy_prod.yml index b94c2ba2..7b10aeb3 100644 --- a/.github/workflows/python_deploy_prod.yml +++ b/.github/workflows/python_deploy_prod.yml @@ -27,7 +27,7 @@ jobs: call-workflow-conda-release: name: Publish production Conda package on JFrog Artifactory if: ${{ github.event_name == 'release' || github.event.inputs.publish-conda == 'true' }} - uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-release_conda_assets.yml@main + uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-release_conda_assets.yml@v2 with: virtual-repo-names: '["public-noremote-conda-prod"]' release-tag: ${{ github.event.release.tag_name || github.event.inputs.release-tag }} @@ -37,7 +37,7 @@ jobs: call-workflow-pypi-release: name: Publish production PyPI package (JFrog Artifactory, PyPI) if: ${{ github.event_name == 'release' || github.event.inputs.publish-pypi == 'true' }} - uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-release_pypi_assets.yml@main + uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-release_pypi_assets.yml@v2 with: package-name: 'mira-omf' virtual-repo-names: '["public-pypi-prod", "pypi"]' From 07219391f1c3b37c9454eac78a96faf73d8331ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Hensgen?= <24550538+sebhmg@users.noreply.github.com> Date: Sun, 2 Nov 2025 21:09:59 -0500 Subject: [PATCH 4/4] [DEVOPS-917] address security report in workflows --- .github/workflows/issue_to_jira.yml | 10 +++++++++- .github/workflows/pr_add_jira_summary.yml | 12 ++++++++++-- .github/workflows/python_analysis.yml | 8 ++++++++ .github/workflows/python_deploy_dev.yml | 6 ++++++ .github/workflows/python_deploy_prod.yml | 6 ++++++ 5 files changed, 39 insertions(+), 3 deletions(-) diff --git a/.github/workflows/issue_to_jira.yml b/.github/workflows/issue_to_jira.yml index 682299e1..fabc728a 100644 --- a/.github/workflows/issue_to_jira.yml +++ b/.github/workflows/issue_to_jira.yml @@ -4,10 +4,18 @@ on: issues: types: [opened] +permissions: {} + jobs: call-workflow-create-jira-issue: uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-issue_to_jira.yml@v2 - secrets: inherit + permissions: + contents: read + issues: write with: project-key: 'GEOPY' components: '[{"name": "OMF"}]' + secrets: + JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }} + JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }} + JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }} diff --git a/.github/workflows/pr_add_jira_summary.yml b/.github/workflows/pr_add_jira_summary.yml index 4ac2e39c..24273150 100644 --- a/.github/workflows/pr_add_jira_summary.yml +++ b/.github/workflows/pr_add_jira_summary.yml @@ -1,10 +1,18 @@ name: Add JIRA issue summary on: - pull_request_target: + pull_request: types: [opened] +permissions: {} + jobs: call-workflow-add-jira-issue-summary: uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-pr_add_jira_summary.yml@v2 - secrets: inherit + permissions: + contents: read + pull-requests: write + secrets: + JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }} + JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }} + JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }} diff --git a/.github/workflows/python_analysis.yml b/.github/workflows/python_analysis.yml index 514e0817..e617b247 100644 --- a/.github/workflows/python_analysis.yml +++ b/.github/workflows/python_analysis.yml @@ -17,6 +17,8 @@ on: - feature/** - hotfix/** +permissions: {} + concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true @@ -25,6 +27,9 @@ jobs: call-workflow-static-analysis: name: Static analysis uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-static_analysis.yml@v2 + permissions: + contents: read + pull-requests: read with: package-manager: 'poetry' app-name: 'omf' @@ -32,6 +37,9 @@ jobs: call-workflow-pytest: name: Pytest uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-pytest.yml@v2 + permissions: + contents: read + pull-requests: read with: package-manager: 'poetry' python-versions: '["3.10", "3.11", "3.12"]' diff --git a/.github/workflows/python_deploy_dev.yml b/.github/workflows/python_deploy_dev.yml index 4600332b..de15e8ec 100644 --- a/.github/workflows/python_deploy_dev.yml +++ b/.github/workflows/python_deploy_dev.yml @@ -5,6 +5,8 @@ on: tags: - 'v*' # Push events to every version tag (eg. v1.0.0) +permissions: {} + concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }} cancel-in-progress: true @@ -13,6 +15,8 @@ jobs: call-workflow-conda-publish: name: Publish development conda package on JFrog Artifactory uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-publish_rattler_package.yml@v2 + permissions: + contents: write with: package-name: 'mira-omf' python-version: '3.10' @@ -25,6 +29,8 @@ jobs: call-workflow-pypi-publish: name: Publish development pypi package (JFrog Artifactory, TestPyPI) uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-publish_pypi_package.yml@v2 + permissions: + contents: write with: package-manager: 'poetry' package-name: 'mira-omf' diff --git a/.github/workflows/python_deploy_prod.yml b/.github/workflows/python_deploy_prod.yml index 7b10aeb3..229d920c 100644 --- a/.github/workflows/python_deploy_prod.yml +++ b/.github/workflows/python_deploy_prod.yml @@ -19,6 +19,8 @@ on: type: boolean default: true +permissions: {} + concurrency: group: ${{ github.workflow }}-${{ github.event.release.tag_name || github.event.inputs.release-tag || github.run_id }} cancel-in-progress: true @@ -28,6 +30,8 @@ jobs: name: Publish production Conda package on JFrog Artifactory if: ${{ github.event_name == 'release' || github.event.inputs.publish-conda == 'true' }} uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-release_conda_assets.yml@v2 + permissions: + contents: write with: virtual-repo-names: '["public-noremote-conda-prod"]' release-tag: ${{ github.event.release.tag_name || github.event.inputs.release-tag }} @@ -38,6 +42,8 @@ jobs: name: Publish production PyPI package (JFrog Artifactory, PyPI) if: ${{ github.event_name == 'release' || github.event.inputs.publish-pypi == 'true' }} uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-release_pypi_assets.yml@v2 + permissions: + contents: write with: package-name: 'mira-omf' virtual-repo-names: '["public-pypi-prod", "pypi"]'