Merge pull request #8689 from bluetech/backport-8681

[6.2.x] ci: few security/permissions improvements

Author: nicoddemus

.github/workflows/main.yml

@@ -14,10 +14,15 @@ on:
       - master
       - "[0-9]+.[0-9]+.x"
 
+# Set permissions at the job level.
+permissions: {}
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}
     timeout-minutes: 30
+    permissions:
+      contents: read
 
     strategy:
       fail-fast: false
@@ -137,10 +142,13 @@ jobs:
     - uses: actions/checkout@v2
       with:
         fetch-depth: 0
+        persist-credentials: false
+
     - name: Set up Python ${{ matrix.python }}
       uses: actions/setup-python@v2
       with:
         python-version: ${{ matrix.python }}
+
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
@@ -171,52 +179,70 @@ jobs:
 
   linting:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
     steps:
     - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
+
     - uses: actions/setup-python@v2
+
     - name: set PY
       run: echo "name=PY::$(python -c 'import hashlib, sys;print(hashlib.sha256(sys.version.encode()+sys.executable.encode()).hexdigest())')" >> $GITHUB_ENV
+
     - uses: actions/cache@v2
       with:
         path: ~/.cache/pre-commit
         key: pre-commit|${{ env.PY }}|${{ hashFiles('.pre-commit-config.yaml') }}
+
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
         pip install tox
+
     - run: tox -e linting
 
   deploy:
     if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags') && github.repository == 'pytest-dev/pytest'
 
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    permissions:
+      contents: write
 
     needs: [build]
 
     steps:
     - uses: actions/checkout@v2
       with:
         fetch-depth: 0
+        persist-credentials: false
+
     - name: Set up Python
       uses: actions/setup-python@v2
       with:
         python-version: "3.7"
+
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
         pip install --upgrade wheel setuptools tox
+
     - name: Build package
       run: |
         python setup.py sdist bdist_wheel
+
     - name: Publish package to PyPI
       uses: pypa/gh-action-pypi-publish@master
       with:
         user: __token__
         password: ${{ secrets.pypi_token }}
+
     - name: Publish GitHub release notes
       env:
-        GH_RELEASE_NOTES_TOKEN: ${{ secrets.release_notes }}
+        GH_RELEASE_NOTES_TOKEN: ${{ github.token }}
       run: |
         sudo apt-get install pandoc
         tox -e publish-gh-release-notes

.github/workflows/release-on-comment.yml

@@ -7,25 +7,34 @@ on:
   issue_comment:
     types: [created, edited]
 
+# Set permissions at the job level.
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
 
     if: (github.event.comment && startsWith(github.event.comment.body, '@pytestbot please')) || (github.event.issue && !github.event.comment && startsWith(github.event.issue.body, '@pytestbot please'))
 
     steps:
     - uses: actions/checkout@v2
       with:
         fetch-depth: 0
+        persist-credentials: false
 
     - name: Set up Python
       uses: actions/setup-python@v2
       with:
         python-version: "3.8"
+
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
         pip install --upgrade setuptools tox
+
     - name: Prepare release
       run: |
-        tox -e release-on-comment -- $GITHUB_EVENT_PATH ${{ secrets.chatops }}
+        tox -e release-on-comment -- $GITHUB_EVENT_PATH ${{ github.token }}

scripts/release-on-comment.py

@@ -23,8 +23,8 @@
 
 After that, it will create a release using the `release` tox environment, and push a new PR.
 
-**Secret**: currently the secret is defined in the @pytestbot account, which the core maintainers
-have access to. There we created a new secret named `chatops` with write access to the repository.
+**Token**: currently the token from the GitHub Actions is used, pushed with
+`pytest bot <[email protected]>` commit author.
 """
 import argparse
 import json

scripts/report-coverage.sh

@@ -1,18 +1,30 @@
 #!/usr/bin/env bash
 
-set -e
+set -euo pipefail
 set -x
 
-if [ -z "$TOXENV" ]; then
+# Install coverage.
+if [[ -z ${TOXENV+x} || -z $TOXENV ]]; then
   python -m pip install coverage
 else
   # Add last TOXENV to $PATH.
   PATH="$PWD/.tox/${TOXENV##*,}/bin:$PATH"
 fi
 
+# Run coverage.
 python -m coverage combine
 python -m coverage xml
 python -m coverage report -m
+
+# Download and verify latest Codecov bash uploader.
 # Set --connect-timeout to work around https://github.com/curl/curl/issues/4461
-curl -S -L --connect-timeout 5 --retry 6 -s https://codecov.io/bash -o codecov-upload.sh
-bash codecov-upload.sh -Z -X fix -f coverage.xml "$@"
+curl --silent --show-error --location --connect-timeout 5 --retry 6 -o codecov https://codecov.io/bash
+VERSION=$(grep --only-matching 'VERSION=\"[0-9\.]*\"' codecov | cut -d'"' -f2)
+if command -v sha256sum; then
+    sha256sum --check --strict --ignore-missing --quiet <(curl --silent "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA256SUM")
+else
+    shasum --algorithm 256 --check --strict --ignore-missing --quiet <(curl --silent "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA256SUM")
+fi
+
+# Upload coverage.
+bash codecov -Z -X fix -f coverage.xml "$@"