zizmor.yml
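# Static analysis of this repository's GitHub Actions workflows with zizmor.
# Results are kept as an artifact and pushed to code scanning; any finding
# above informational level fails the job in the final step.
name: Zizmor

on:
  push:
    branches: [main]
  pull_request:
    # Workflows may use either extension; the scan below covers both, so the
    # PR trigger must as well or a `.yaml` workflow change goes unchecked.
    paths:
      - ".github/workflows/**/*.yml"
      - ".github/workflows/**/*.yaml"
  schedule:
    # Run weekly (Sunday 00:00 UTC) so the audit re-runs against current
    # zizmor rules even when no workflow file has changed.
    - cron: '0 0 * * 0'
  workflow_dispatch:

# Read-only by default; the job widens this only for the SARIF upload.
permissions:
  contents: read

jobs:
  zizmor-analysis:
    name: Run Zizmor
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required by github/codeql-action/upload-sarif to create alerts.
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
        with:
          # Keep the workflow token out of .git/config for later steps.
          persist-credentials: false

      - name: Set up Rust
        uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6

      - name: Install jq
        run: |
          sudo apt-get update
          sudo apt-get install -y jq

      - name: Install Zizmor
        # --locked builds from the crate's own Cargo.lock. Consider pinning a
        # release (`--version <PINNED_VERSION>`) so a new zizmor version cannot
        # change the audit set or output format underneath this workflow.
        run: |
          cargo install --locked zizmor

      - name: Run Zizmor analysis
        # --no-exit-codes: zizmor otherwise exits non-zero whenever it has
        # findings, which would abort the job here and skip both uploads and
        # the explicit gate below. Pass/fail is decided in "Fail on Findings";
        # a genuine tool error (bad arguments, unreadable input) still fails.
        run: |
          zizmor --no-exit-codes --format sarif .github/workflows/ > zizmor.sarif
        env:
          # Read-only token enables zizmor's online audits, which query the
          # GitHub API; `contents: read` on GITHUB_TOKEN is sufficient.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload analysis results
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
        with:
          name: zizmor-results
          path: zizmor.sarif
          retention-days: 7

      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@87557b9c84dde89fdd9b10e88954ac2f4248e463
        with:
          sarif_file: zizmor.sarif

      - name: Fail on Findings
        # Gate on the SARIF contents rather than zizmor's exit status so the
        # results are always uploaded first. SARIF results at level "note" are
        # informational and are not counted; everything else fails the job.
        # `.runs[]?` and `// []` keep the filter valid on an empty report.
        run: |
          count="$(
            jq '([.runs[]? | (.results // [])[] | select(.level != "note")] | length) // 0' \
              zizmor.sarif
          )"
          echo "Zizmor findings: $count"
          test "$count" -eq 0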