Improve security of our GitHub Actions

[sobolevn]

Recently CPython introduced this new tool: https://github.com/python/cpython/blob/8eebe4e6d02bb4ad3f1ca6c52624186903dce893/.pre-commit-config.yaml#L64-L67

Which finds different security related problems with GitHub Actions.

I added this tool to our .pre-commit-config.yaml and followed all its recommendations.

Changes:

• I added persist-credentials: false to all checkout actions, see # Whether to configure the token or SSH key with the local git config in https://github.com/actions/checkout
• I moved all permissions from workflow level to job level
• I changed .github/workflows/mypy_primer_comment.yml to be a reusable workflow, see https://woodruffw.github.io/zizmor/audits/#dangerous-triggers

[sobolevn]

CC @hugovk

[AlexWaygood]

Nice, this overall looks great! I'm not familiar with the workflow_call/workflow_run distinction, though, so I haven't looked closely at that. (It looks reasonable, though.)

Another change you might want to make is to list shellcheck as an additional_dependency of actionlint -- I made this change to Ruff's pre-commit config: https://github.com/astral-sh/ruff/blob/0837cdd9314cb9ee1df087142af975d492e3e7ba/.pre-commit-config.yaml#L103-L121. actionlint's shellcheck integration is very useful (it grabs the shell-script strings in GitHub Actions run: steps and passes them to shellcheck), but it's not enabled by default when actionlint is run as part of pre-commit, as actionlint's shellcheck integration only works if shellcheck is already installed.

[AlexWaygood]

isn't this the default?

Suggested change

contents: read

[sobolevn]

Turned out this is required: https://github.com/python/mypy/actions/runs/12597384030

[AlexWaygood]

Oh, TIL, sorry!!

[webknjaz]

@AlexWaygood whenever permissions: is declared, it does not augment the global definition but replaces it entirely, FYI.

[webknjaz]

Also, perhaps make it more obvious that it's not going to be triggered anymore:

Suggested change

	name: Comment with mypy_primer diff
	name: >-
	[Reusable, do not click]
	Comment with mypy_primer diff

[webknjaz]

@AlexWaygood after merging this, go to https://github.com/python/mypy/actions and disable this workflow. The inclusion from the other workflow will keep working, but it'll show up lower than the others in the sidebar, which is useful. I'm doing this in many places and got CPython to adopt the same technique which decluttered the sidebar a bit (also with pinning the most important workflows to force them to the top of that list).

[AlexWaygood]

I'm not a maintainer here, just a triager, so it's out of my power to do this :-) @sobolevn is a mypy maintainer, though

[sobolevn]

Interesting idea, however, we only have 7 workflows at the moment, so I don't think that we need to do that now.

[github-actions]

According to mypy_primer, this change doesn't affect type check results on a corpus of open source code. ✅

[cdce8p]

Will this workflow continue to work for pull requests from forks?

As I understand it, workflow_call is in the forked repo scope, thus I think pull-requests: write won't have access to the PR to leave a comment. Believe that's the reason workflow_run was used here in the first place as that's executed in the upstream repo scope.

Note: This PR is from an upstream branch, so it doesn't test what happens to PRs from forks.

[sobolevn]

I've created #18414 to test how forks work.

[sobolevn]

Looks like that this is true:

Diff from mypy_primer:

RequestError [HttpError]: Resource not accessible by integration
    at /home/runner/work/_actions/actions/github-script/v7/dist/index.js:9537:21
Error: Unhandled error: HttpError: Resource not accessible by integration
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async eval (eval at callAsyncFunction (/home/runner/work/_actions/actions/github-script/v7/dist/index.js:35424:16), <anonymous>:36:1)
    at async main (/home/runner/work/_actions/actions/github-script/v7/dist/index.js:35522:20) {
  status: 403,