From e7cb18b2668c90c04a8dc61abe3cfabb59418284 Mon Sep 17 00:00:00 2001 From: Naji Obeid Date: Fri, 3 Jan 2025 16:54:58 +0000 Subject: [PATCH 1/2] integrate zizmor in github actions --- .github/workflows/codeql-analysis.yml | 1 + .github/workflows/go.yml | 1 + .github/workflows/golangci-lint.yml | 2 ++ .github/workflows/modver.yml | 1 + .github/workflows/release.yml | 2 ++ .github/workflows/zizmor.yml | 36 +++++++++++++++++++++++++++ 6 files changed, 43 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index a72b9c4..4631e5e 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -20,6 +20,7 @@ jobs: # We must fetch at least the immediate parents so that if this is # a pull request then we can checkout the head. fetch-depth: 2 + persist-credentials: false # If this run was triggered by a pull request event, then checkout # the head of the pull request instead of the merge commit. diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index e0a31c8..daacd88 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -26,6 +26,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Get dependencies run: go get -v -t -d ./... diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index 69a2afb..7c4592b 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -12,6 +12,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: golangci-lint uses: golangci/golangci-lint-action@v6 with: diff --git a/.github/workflows/modver.yml b/.github/workflows/modver.yml index 20a1049..2cee3f4 100644 --- a/.github/workflows/modver.yml +++ b/.github/workflows/modver.yml @@ -15,6 +15,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: bobg/modver@v2.10.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5937895..292cdea 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -22,11 +22,13 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Set up Go uses: actions/setup-go@v5 with: go-version: stable + cache: false - name: Run GoReleaser uses: goreleaser/goreleaser-action@v6 diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..d915605 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,36 @@ +name: GitHub Actions Security Analysis with zizmor + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +jobs: + zizmor: + name: zizmor latest via PyPI + runs-on: ubuntu-latest + permissions: + security-events: write + # required for workflows in private repositories + contents: read + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Install the latest version of uv + uses: astral-sh/setup-uv@v5 + + - name: Run zizmor + run: uvx zizmor --format sarif . > results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif + category: zizmor From 5420b662b8ac952227c901e6952f993dd4ef5705 Mon Sep 17 00:00:00 2001 From: Naji Obeid Date: Wed, 8 Jan 2025 15:23:59 +0000 Subject: [PATCH 2/2] change zizmor output format to report warnings --- .github/workflows/zizmor.yml | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index d915605..c09cf12 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -23,14 +23,10 @@ jobs: - name: Install the latest version of uv uses: astral-sh/setup-uv@v5 + with: + enable-cache: false - name: Run zizmor - run: uvx zizmor --format sarif . > results.sarif + run: uvx zizmor --format plain . env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: results.sarif - category: zizmor