Merge pull request #24 from MiraGeoscience/Feature_zizmor_security

added zizmor security to workflow

Author: andrewg-mira

.github/workflows/issue_to_jira.yml

@@ -1,6 +1,10 @@
 # This workflow will create a JIRA issue upon creation of a GitHub issue
 
 name: Create JIRA issue
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
 
 on:
   issues:
@@ -12,14 +16,14 @@ jobs:
 
     steps:
     - name: JIRA Login
-      uses: atlassian/gajira-login@v3.0.1
+      uses: atlassian/gajira-login@45fd029b9f1d6d8926c6f04175aa80c0e42c9026
       env:
         JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
         JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
         JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
     - name: Jira Create issue
       id: create_jira_issue
-      uses: atlassian/gajira-create@v3.0.1
+      uses: atlassian/gajira-create@59e177c4f6451399df5b4911c2211104f171e669
       with:
         project: GEOPY
         issuetype: Story
@@ -28,9 +32,9 @@ jobs:
         # Additional fields in JSON format
         #fields: '{"components": [{"name": "grid-apps"}]}'
     - name: Post JIRA link
-      uses: peter-evans/create-or-update-comment@v3
+      uses: peter-evans/create-or-update-comment@23ff15729ef2fc348714a3bb66d2f655ca9066f2
       with:
         # The number of the issue or pull request in which to create a comment.
         issue-number: ${{ github.event.issue.number }}
         # The comment body.
-        body: "JIRA issue [${{ steps.create_jira_issue.outputs.issue }}] was created."
+        body: "JIRA issue [${{ steps.create_jira_issue.outputs.issue }}] was created."

.github/workflows/pr_add_jira_summary.yml

@@ -1,64 +1,83 @@
 # This workflow will comment the PR with the JIRA issue summary
 # if a JIRA issue number is detected in the branch name or title
 
-name: Add JIRA issue summary
+name: Add JIRA Summary to PR
+
+permissions:
+  contents: read
+  pull-requests: write
 
 on:
-  pull_request_target:
+  pull_request:
     types: [opened]
 
 jobs:
   add_jira_summary:
+    if: github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
 
     steps:
-    - name: Find JIRA issue key
-      id: find_jira_key
-      env:
-        HEAD_REF: ${{ github.head_ref}}
-        PR_TITLE: ${{ github.event.pull_request.title }}
-      run: >
-        echo $HEAD_REF $PR_TITLE
-        | echo "issue_key=$(
-        grep -osi "\b\(GA\|GEOPY\|DEVOPS\)[ #-]*[0-9]\+"
-        | head -n1
-        | sed -E "s/([A-Z]+)[-# ]*([0-9]+)/\1-\2/i"
-        | tr [:lower:] [:upper:]
-        )"
-        >> $GITHUB_OUTPUT
-    - name: Get JIRA summary
-      id: get_jira_summary
-      if: ${{ steps.find_jira_key.outputs.issue_key }}
-      env:
-        JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
-        JIRA_BASIC_AUTH: ${{ secrets.JIRA_BASIC_AUTH }}
-      run: >
-        curl -sS -X GET
-        -H "Authorization: Basic $JIRA_BASIC_AUTH"
-        -H "Content-Type: application/json"
-        "$JIRA_BASE_URL/rest/api/2/issue/${{ steps.find_jira_key.outputs.issue_key }}"
-        | echo "summary=$(jq -r '.fields.summary // empty')" >> $GITHUB_OUTPUT
-    - name: Extract PR title
-      id: get_pr_title
-      env:
-        PR_TITLE: ${{ github.event.pull_request.title }}
-      run: |
-        echo "text=$(echo $PR_TITLE | sed -E "s/^\s*[?[A-Z]+[-# ]*[0-9]+]?[-: ]*(.*)/\1/i")" >> $GITHUB_OUTPUT
-    - name: Add comment
-      if: ${{ steps.find_jira_key.outputs.issue_key }}
-      env:
-        ISSUE_SUMMARY: ${{ steps.get_jira_summary.outputs.summary }}
-        TITLE_TEXT: ${{ steps.get_pr_title.outputs.text }}
-        PR_BODY: ${{ github.event.pull_request.body }}
-      run: >
-        jq
-        --arg ISSUE_ID "${{ steps.find_jira_key.outputs.issue_key }}"
-        --arg ISSUE_SUMMARY "$(cat <<< $ISSUE_SUMMARY)"
-        --arg TITLE_TEXT "$(cat <<< ${TITLE_TEXT:-$ISSUE_SUMMARY})"
-        --arg PR_BODY "$(cat <<< $PR_BODY)"
-        -c '{"title": ($ISSUE_ID + ": " + $TITLE_TEXT), "body": ("**" + $ISSUE_ID + " - " + $ISSUE_SUMMARY + "**\n" + $PR_BODY)}' <<< {}
-        | curl -sS -X POST -d @-
-        -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}"
-        -H "Content-Type: application/json"
-        "$GITHUB_API_URL/repos/$GITHUB_REPOSITORY/pulls/${{ github.event.pull_request.number }}"
-        > /dev/null
+      - name: Find JIRA issue key
+        id: find_jira_key
+        env:
+          HEAD_REF: ${{ github.head_ref }}
+          PR_TITLE: ${{ github.event.pull_request.title }}
+        run: |
+          echo "$HEAD_REF $PR_TITLE" \
+          | grep -osi "\b\(GA\|GEOPY\|DEVOPS\)[ #-]*[0-9]\+" \
+          | head -n1 \
+          | sed -E "s/([A-Z]+)[-# ]*([0-9]+)/\1-\2/i" \
+          | tr '[:lower:]' '[:upper:]' \
+          | xargs -I {} echo "issue_key={}" >> $GITHUB_OUTPUT
+
+      - name: Get JIRA summary
+        id: get_jira_summary
+        if: ${{ steps.find_jira_key.outputs.issue_key }}
+        env:
+          JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
+          JIRA_BASIC_AUTH: ${{ secrets.JIRA_BASIC_AUTH }}
+          ISSUE_KEY: ${{ steps.find_jira_key.outputs.issue_key }}
+        run: |
+          curl -sS -X GET \
+            -H "Authorization: Basic $JIRA_BASIC_AUTH" \
+            -H "Content-Type: application/json" \
+            "$JIRA_BASE_URL/rest/api/2/issue/$ISSUE_KEY" \
+          | jq -r '.fields.summary // empty' \
+          | xargs -I {} echo "summary={}" >> $GITHUB_OUTPUT
+
+      - name: Extract PR title
+        id: get_pr_title
+        env:
+          PR_TITLE: ${{ github.event.pull_request.title }}
+        run: |
+          echo "text=$(echo "$PR_TITLE" | sed -E 's/^\s*[?[A-Z]+[-# ]*[0-9]+]?[-: ]*(.*)/\1/i')" >> $GITHUB_OUTPUT
+
+      - name: Add comment
+        if: ${{ steps.find_jira_key.outputs.issue_key }}
+        env:
+          ISSUE_KEY: ${{ steps.find_jira_key.outputs.issue_key }}
+          ISSUE_SUMMARY: ${{ steps.get_jira_summary.outputs.summary }}
+          TITLE_TEXT: ${{ steps.get_pr_title.outputs.text }}
+          PR_BODY: ${{ github.event.pull_request.body }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_API_URL: ${{ github.api_url }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          FINAL_TITLE="${TITLE_TEXT:-$ISSUE_SUMMARY}"
+          COMMENT_PAYLOAD=$(jq -c --null-input \
+            --arg ISSUE_ID "$ISSUE_KEY" \
+            --arg ISSUE_SUMMARY "$ISSUE_SUMMARY" \
+            --arg TITLE_TEXT "$FINAL_TITLE" \
+            --arg PR_BODY "$PR_BODY" \
+            '{
+              title: ($ISSUE_ID + ": " + $TITLE_TEXT),
+              body: ("**" + $ISSUE_ID + " - " + $ISSUE_SUMMARY + "**\n" + $PR_BODY)
+            }')
+
+          curl -sS -X POST \
+            -H "Authorization: token $GITHUB_TOKEN" \
+            -H "Content-Type: application/json" \
+            -d "$COMMENT_PAYLOAD" \
+            "$GITHUB_API_URL/repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER" \
+          > /dev/null

.github/workflows/pytest-unix-os.yml

@@ -17,6 +17,10 @@ on:
       - feature/**
       - hotfix/**
 
+permissions:
+  contents: read
+  pull-requests: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
@@ -40,17 +44,28 @@ jobs:
     env:
       PYTHONUTF8: 1
       CONDA_CHANNEL_PRIORITY: strict
-      PIP_NO_DEPS: 1 # all dependencies are installed from conda
+      PIP_NO_DEPS: 1
       CONDA_LOCK_ENV_FILE: environments/py-${{ matrix.python_ver }}-${{ startsWith(matrix.os, 'macos') && 'osx' || 'linux' }}-64-dev.conda.lock.yml
+
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           lfs: true
+          persist-credentials: false
+
       - name: Setup conda env
-        uses: mamba-org/setup-micromamba@v1
+        uses: mamba-org/setup-micromamba@4b9113af4fba0e9e1124b252dd6497a419e7396d
         with:
           environment-file: ${{ env.CONDA_LOCK_ENV_FILE }}
           environment-name: test_env
           cache-downloads: true
+
       - name: pytest
         run: pytest --cov --cov-report=xml
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: ./coverage.xml
+          flags: unix

.github/workflows/pytest-windows.yml

@@ -1,5 +1,9 @@
 name: pytest on Windows
 
+permissions:
+  contents: read
+  pull-requests: read
+
 on:
   pull_request:
     types: [opened, synchronize, reopened, ready_for_review]
@@ -42,11 +46,12 @@ jobs:
       PIP_NO_DEPS: 1 # all dependencies are installed from conda
       CONDA_LOCK_ENV_FILE: environments/py-${{ matrix.python_ver }}-win-64-dev.conda.lock.yml
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           lfs: true
+          persist-credentials: false
       - name: Setup conda env
-        uses: mamba-org/setup-micromamba@v1
+        uses: mamba-org/setup-micromamba@4b9113af4fba0e9e1124b252dd6497a419e7396d
         with:
           environment-file: ${{ env.CONDA_LOCK_ENV_FILE }}
           environment-name: test_env
@@ -56,7 +61,7 @@ jobs:
         run: pytest --cov --cov-report=xml
       - name: Codecov
         if: ${{ success() && matrix.python_ver == '3.10' }}
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457
         with:
           name: GitHub
-          token: ${{ secrets.CODECOV_TOKEN }} # not required for public repos
+          token: ${{ secrets.CODECOV_TOKEN }} # not required for public repos

.github/workflows/static-analysis.yml

@@ -1,5 +1,9 @@
 name: static analysis
 
+permissions:
+  contents: read
+
+
 on:
   pull_request:
     types: [opened, synchronize, reopened, ready_for_review]
@@ -27,30 +31,44 @@ env:
 jobs:
   pre-commit:
     name: pre-commit
-    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
+    #if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
     strategy:
       fail-fast: false
     runs-on: ubuntu-latest
     env:
       SKIP: pylint
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
+        with:
+          persist-credentials: true
+      - name: Setup conda env
+        uses: mamba-org/setup-micromamba@4b9113af4fba0e9e1124b252dd6497a419e7396d
+        with:
+          environment-file: environments/py-3.10-linux-64-dev.conda.lock.yml
+          environment-name: linter_env
+          cache-downloads: true
+      - uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c
+      - name: Set base_ref
+        if: github.event_name == 'pull_request'
+        run: |
+          echo "BASE_REF<<EOF" >> $GITHUB_ENV
+          echo "${GITHUB_BASE_REF}" >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
       - name: capture modified files
         if: github.event_name == 'pull_request'
         run: >-
-          git fetch --deepen=500 origin ${{github.base_ref}}
+          git fetch --deepen=500 origin "$BASE_REF"
           && echo "FILES_PARAM=$(
-          git diff --diff-filter=AM --name-only refs/remotes/origin/${{github.base_ref}}... -- | grep -E "^(${source_dir}|tests)/.*\.py$" | xargs
+          git diff --diff-filter=AM --name-only refs/remotes/origin/"$BASE_REF"... -- | grep -E "^(${source_dir}|tests)/.*\.py$" | xargs
           )" >> $GITHUB_ENV
       - name: Run pre-commit on modified files
         if: github.event_name == 'pull_request' && env.FILES_PARAM
-        uses: pre-commit/action@v3.0.0
+        uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
         with:
           extra_args: --hook-stage push --files ${{ env.FILES_PARAM }}
       - name: Run pre-commit on all files
         if: github.event_name == 'push'
-        uses: pre-commit/action@v3.0.0
+        uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
         with:
           extra_args: --hook-stage push --all-files
 
@@ -67,23 +85,39 @@ jobs:
       PIP_NO_DEPS: 1 # all dependencies are installed from conda
       CONDA_LOCK_ENV_FILE: environments/py-3.10-linux-64-dev.conda.lock.yml
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2
+        with:
+          persist-credentials: true
       - name: Setup conda env
-        uses: mamba-org/setup-micromamba@v1
+        uses: mamba-org/setup-micromamba@feb7656f829886af1ab11cf61126b048557b2e19
         with:
           environment-file: ${{ env.CONDA_LOCK_ENV_FILE }}
           environment-name: linter_env
           cache-downloads: true
+      - name: Set base_ref
+        if: github.event_name == 'pull_request'
+        run: |
+          echo "BASE_REF<<EOF" >> $GITHUB_ENV
+          echo "${GITHUB_BASE_REF}" >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
       - name: capture modified files
         if: github.event_name == 'pull_request'
         run: >-
-          git fetch --deepen=500 origin ${{github.base_ref}}
+          git fetch --deepen=500 origin "$BASE_REF"
           && echo "FILES_PARAM=$(
-          git diff --diff-filter=AM --name-only refs/remotes/origin/${{github.base_ref}}... -- | grep -E "^(${source_dir}|tests)/.*\.py$" | xargs
+          git diff --diff-filter=AM --name-only refs/remotes/origin/"$BASE_REF"... -- | grep -E "^(${source_dir}|tests)/.*\.py$" | xargs
           )" >> $GITHUB_ENV
       - name: Run pylint on modified files
         if: github.event_name == 'pull_request' && env.FILES_PARAM
         run: pylint $FILES_PARAM
       - name: Run pylint on all files
         if: github.event_name == 'push'
         run: pylint $source_dir tests
+  call-workflow-zizmor:
+    name: Zizmor Security Scan
+    permissions:
+      contents: read
+      actions: read
+    uses: MiraGeoscience/CI-tools/.github/workflows/reusable-zizmor-security.yml@feature_zizmor_security
+    with:
+      app-name: 'grid-apps'