
chore(deps): update github/codeql-action action to v4.35.4 #241

chore(deps): update github/codeql-action action to v4.35.4


name: Check actions
on:
push:
pull_request:
branches:
- main
types:
- reopened
schedule:
- cron: "21 19 13 * *"
permissions: {}
jobs:
debug:
runs-on: ubuntu-latest
steps:
- name: Dump GitHub context
env:
GITHUB_CONTEXT: ${{ toJSON(github) }}
run: echo "$GITHUB_CONTEXT"
- name: Dump job context
env:
JOB_CONTEXT: ${{ toJSON(job) }}
run: echo "$JOB_CONTEXT"
- name: Dump steps context
env:
STEPS_CONTEXT: ${{ toJSON(steps) }}
run: echo "$STEPS_CONTEXT"
- name: Dump runner context
env:
RUNNER_CONTEXT: ${{ toJSON(runner) }}
run: echo "$RUNNER_CONTEXT"
- name: Dump strategy context
env:
STRATEGY_CONTEXT: ${{ toJSON(strategy) }}
run: echo "$STRATEGY_CONTEXT"
- name: Dump matrix context
env:
MATRIX_CONTEXT: ${{ toJSON(matrix) }}
run: echo "$MATRIX_CONTEXT"
- name: Dump environment variables
run: set
actionlint:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: run actionlint
run: |
bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
./actionlint
zizmor:
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Install the latest version of uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
- name: Run zizmor 🌈
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
uvx zizmor --format sarif . > results.sarif
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
with:
category: zizmor
sarif_file: results.sarif
required-status-check:
name: check-actions.required-status-check
needs:
- actionlint
- zizmor
# GitHub Actions skips this job when any of the dependents fail. And skips
# are considered success in their weird logic. So we always run it and fail
# ourselves if necessary
if: always()
runs-on: ubuntu-latest
steps:
- run: echo "Use this job as the required status check of this workflow"
- name: Check that all jobs were successful
env:
RESULTS: ${{ toJSON(needs) }}
run: |
echo "$RESULTS" | jq --exit-status 'all(.result == "success")' || exit 1