From efede9a5a2fd9c67a5afe58cc55d7663142ee43d Mon Sep 17 00:00:00 2001 From: Jens <1742418+1cu@users.noreply.github.com> Date: Thu, 11 Dec 2025 21:24:24 +0100 Subject: [PATCH] ci: Fix CodeQL security warnings (#720) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## ℹī¸ Description This PR resolves all open CodeQL security warnings by implementing recommended security best practices for GitHub Actions workflows and addressing code analysis findings. **Related**: Resolves CodeQL alerts 37-53 **Motivation**: CodeQL identified 17 security warnings across our workflows and Python code. These warnings highlight potential supply chain security risks (unpinned actions), missing security boundaries (workflow permissions), and false positives that needed proper documentation. ## 📋 Changes Summary ### Security Hardening - **Pinned all GitHub Actions to commit SHAs** (26 action references across 5 workflows) - Added version comments for maintainability (e.g., `@8e8c483... # v6.0.0`) - Dependabot will now auto-update these pinned SHAs securely ### Workflow Permissions - Added explicit `permissions` block to `update-python-deps.yml` workflow - Added explicit `permissions: contents: read` to `publish-coverage` job in `build.yml` - Follows principle of least privilege ### Dependabot Configuration - Enhanced `.github/dependabot.yml` with action update grouping (single PR instead of multiple) - Added `rebase-strategy: auto` for automatic conflict resolution ### Code Quality - Added CodeQL suppression with detailed explanation in `src/kleinanzeigen_bot/utils/reflect.py` - Documented why explicit `del stack` is necessary for frame cleanup (prevents false positive) ### ⚙ī¸ Type of Change - [x] 🐞 Bug fix (non-breaking change which fixes an issue) - [ ] ✨ New feature (adds new functionality without breaking existing usage) - [ ] đŸ’Ĩ Breaking change (changes that might break existing user setups, scripts, or configurations) ## ✅ Checklist - [x] I have reviewed my changes to ensure they meet the project's standards. - [x] I have tested my changes and ensured that all tests pass (`pdm run test`). - [x] I have formatted the code (`pdm run format`). - [x] I have verified that linting passes (`pdm run lint`). - [x] I have updated documentation where necessary. By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice. ## Summary by CodeRabbit * **Chores** * CI workflows: pinned external actions to specific commits for reproducible runs and added explicit permission scopes where required. * Dependabot: grouped GitHub Actions updates into a single consolidated group for unified updates and auto-rebasing. * **Documentation** * Expanded internal comments clarifying cleanup logic to reduce potential reference-cycle concerns. ✏ī¸ Tip: You can customize this high-level summary in your review settings. --- .github/dependabot.yml | 3 ++ .github/workflows/build.yml | 40 +++++++++++++++--------- .github/workflows/codeql-analysis.yml | 11 ++++--- .github/workflows/publish-release.yml | 6 ++-- .github/workflows/update-python-deps.yml | 15 ++++++--- .github/workflows/validate-pr-title.yml | 6 ++-- src/kleinanzeigen_bot/utils/reflect.py | 7 ++++- 7 files changed, 60 insertions(+), 28 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index b1e8b0a..89f890c 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -15,3 +15,6 @@ updates: - dependencies - gha - pinned + groups: + all-actions: + patterns: ["*"] diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8727635..7580c45 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -104,11 +104,12 @@ jobs: - name: Configure Fast APT Mirror - uses: vegardit/fast-apt-mirror.sh@v1 + uses: vegardit/fast-apt-mirror.sh@e5288ed7a13da650050035a7d47c2aa17779bbb3 # v1.4.1 - name: Git Checkout - uses: actions/checkout@v6 # https://github.com/actions/checkout + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.0 + # https://github.com/actions/checkout - name: "Install: Chromium Browser" @@ -122,7 +123,7 @@ jobs: - name: "Install: Python and PDM" # https://github.com/pdm-project/setup-pdm - uses: pdm-project/setup-pdm@v4 + uses: pdm-project/setup-pdm@9e87bfc944c539be61c7653113bdb80ea5fe09d6 # v4.4 with: python-version: "${{ matrix.PYTHON_VERSION }}" cache: ${{ !startsWith(matrix.os, 'macos') }} # https://github.com/pdm-project/setup-pdm/issues/55 @@ -246,7 +247,7 @@ jobs: - name: Upload self-contained executable - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 if: (github.ref_name == 'main' || github.ref_name == 'release') && matrix.PUBLISH_RELEASE && !env.ACT with: name: artifacts-${{ matrix.os }} @@ -276,7 +277,7 @@ jobs: - name: Collect coverage reports - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 if: (github.ref_name == 'main' || github.event_name == 'pull_request') && !env.ACT with: name: coverage-${{ matrix.os }}-py${{ matrix.PYTHON_VERSION }} @@ -293,13 +294,17 @@ jobs: timeout-minutes: 5 if: (github.ref_name == 'main' || github.event_name == 'pull_request') && !github.event.act + permissions: + contents: read + steps: - name: Git Checkout # required to avoid https://docs.codecov.com/docs/error-reference#unusable-reports - uses: actions/checkout@v6 # https://github.com/actions/checkout + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.0 + # https://github.com/actions/checkout - name: Download coverage reports - uses: actions/download-artifact@v6 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: pattern: coverage-* path: coverage @@ -310,7 +315,8 @@ jobs: - name: Publish unit-test coverage - uses: codecov/codecov-action@v5 # https://github.com/codecov/codecov-action + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.0.0 + # https://github.com/codecov/codecov-action with: slug: ${{ github.repository }} name: unit-coverage @@ -322,7 +328,8 @@ jobs: - name: Publish integration-test coverage - uses: codecov/codecov-action@v5 # https://github.com/codecov/codecov-action + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.0.0 + # https://github.com/codecov/codecov-action with: slug: ${{ github.repository }} name: integration-coverage @@ -334,7 +341,8 @@ jobs: - name: Publish smoke-test coverage - uses: codecov/codecov-action@v5 # https://github.com/codecov/codecov-action + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.0.0 + # https://github.com/codecov/codecov-action with: slug: ${{ github.repository }} name: smoke-coverage @@ -379,17 +387,18 @@ jobs: - name: Configure Fast APT Mirror - uses: vegardit/fast-apt-mirror.sh@v1 + uses: vegardit/fast-apt-mirror.sh@e5288ed7a13da650050035a7d47c2aa17779bbb3 # v1.4.1 - name: Git Checkout # only required by "gh release create" to prevent "fatal: Not a git repository" - uses: actions/checkout@v6 # https://github.com/actions/checkout + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.0 + # https://github.com/actions/checkout - name: Delete untagged docker image continue-on-error: true - uses: actions/delete-package-versions@v5 + uses: actions/delete-package-versions@25ad4af5be03aef10e0b3376b248688b7a44c40b # v5.0.0 with: token: ${{ github.token }} delete-only-untagged-versions: true @@ -398,7 +407,7 @@ jobs: - name: Download build artifacts - uses: actions/download-artifact@v6 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 - name: Rename build artifacts @@ -482,7 +491,8 @@ jobs: - name: "Delete intermediate build artifacts" - uses: geekyeggo/delete-artifact@v5 # https://github.com/GeekyEggo/delete-artifact/ + uses: geekyeggo/delete-artifact@b54d29a59e55046d1f7fc8226cdda507e6b9cf62 # v5.0.0 + # https://github.com/GeekyEggo/delete-artifact/ with: name: "*" failOnError: false diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 7258871..9fbbc70 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -67,11 +67,12 @@ jobs: - name: Git Checkout - uses: actions/checkout@v6 # https://github.com/actions/checkout + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.0 + # https://github.com/actions/checkout - name: "Install: Python and PDM" # https://github.com/pdm-project/setup-pdm - uses: pdm-project/setup-pdm@v4 + uses: pdm-project/setup-pdm@9e87bfc944c539be61c7653113bdb80ea5fe09d6 # v4.4 with: python-version: "${{ env.PYTHON_VERSION }}" cache: true @@ -91,7 +92,8 @@ jobs: - name: Initialize CodeQL - uses: github/codeql-action/init@v4 # https://github.com/github/codeql-action/blob/main/init/action.yml + uses: github/codeql-action/init@36a9c375704a9813bd709881c97694bcd24e1cb1 # v4.0.0 + # https://github.com/github/codeql-action/blob/main/init/action.yml with: languages: actions,python # https://github.com/github/codeql-action#build-modes @@ -100,4 +102,5 @@ jobs: queries: security-and-quality - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 # https://github.com/github/codeql-action + uses: github/codeql-action/analyze@36a9c375704a9813bd709881c97694bcd24e1cb1 # v4.0.0 + # https://github.com/github/codeql-action diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 13afe67..677d6f5 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -38,7 +38,8 @@ jobs: - name: Generate GitHub Access Token - uses: tibdex/github-app-token@v2 # https://github.com/tibdex/github-app-token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + # https://github.com/tibdex/github-app-token id: generate_token # see https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens with: @@ -48,7 +49,8 @@ jobs: - name: Git Checkout - uses: actions/checkout@v5 # https://github.com/actions/checkout + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.0 + # https://github.com/actions/checkout with: token: ${{ steps.generate_token.outputs.token }} ref: main diff --git a/.github/workflows/update-python-deps.yml b/.github/workflows/update-python-deps.yml index 94f7f24..bd6df91 100644 --- a/.github/workflows/update-python-deps.yml +++ b/.github/workflows/update-python-deps.yml @@ -19,6 +19,10 @@ defaults: env: PYTHON_VERSION: "3.10" +permissions: + contents: write + pull-requests: write + jobs: ########################################################### @@ -39,7 +43,8 @@ jobs: - name: Generate GitHub Access Token - uses: tibdex/github-app-token@v2 # https://github.com/tibdex/github-app-token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + # https://github.com/tibdex/github-app-token id: generate_token # see https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens with: @@ -49,13 +54,14 @@ jobs: - name: Git Checkout - uses: actions/checkout@v6 # https://github.com/actions/checkout + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.0 + # https://github.com/actions/checkout with: token: ${{ steps.generate_token.outputs.token }} - name: "Install: Python and PDM" # https://github.com/pdm-project/setup-pdm - uses: pdm-project/setup-pdm@v4 + uses: pdm-project/setup-pdm@9e87bfc944c539be61c7653113bdb80ea5fe09d6 # v4.4 with: python-version: "${{ env.PYTHON_VERSION }}" cache: true @@ -101,7 +107,8 @@ jobs: - name: Create PR - uses: peter-evans/create-pull-request@v7 # https://github.com/peter-evans/create-pull-request + uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.5 + # https://github.com/peter-evans/create-pull-request if: "${{ steps.update_deps.outputs.updates != '' }}" with: title: "chore: ${{ steps.update_deps.outputs.title }}" diff --git a/.github/workflows/validate-pr-title.yml b/.github/workflows/validate-pr-title.yml index b9bf5d9..6111529 100644 --- a/.github/workflows/validate-pr-title.yml +++ b/.github/workflows/validate-pr-title.yml @@ -17,7 +17,8 @@ jobs: runs-on: ubuntu-latest steps: - name: "Validate semantic PR title" - uses: amannn/action-semantic-pull-request@v6 # https://github.com/amannn/action-semantic-pull-request + uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.0.0 + # https://github.com/amannn/action-semantic-pull-request env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -42,6 +43,7 @@ jobs: requireScope: false - name: "Label PR" - uses: srvaroa/labeler@v1.13.0 # https://github.com/srvaroa/labeler + uses: srvaroa/labeler@0a20eccb8c94a1ee0bed5f16859aece1c45c3e55 # v1.13.0 + # https://github.com/srvaroa/labeler env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" diff --git a/src/kleinanzeigen_bot/utils/reflect.py b/src/kleinanzeigen_bot/utils/reflect.py index fa9aa78..f0b82fc 100644 --- a/src/kleinanzeigen_bot/utils/reflect.py +++ b/src/kleinanzeigen_bot/utils/reflect.py @@ -13,7 +13,12 @@ def get_caller(depth:int = 1) -> inspect.FrameInfo | None: return frame return None finally: - del stack # Clean up the stack to avoid reference cycles + # Explicitly delete stack frames to prevent reference cycles and potential memory leaks. + # inspect.stack() returns FrameInfo objects that contain references to frame objects, + # which can create circular references. While Python's GC handles this, explicit cleanup + # is recommended per Python docs: https://docs.python.org/3/library/inspect.html#the-interpreter-stack + # codeql[py/unnecessary-delete] + del stack def is_integer(obj:Any) -> bool: