Skip to content

Add gitleaks secret scanning (CI) (#527) #39

Add gitleaks secret scanning (CI) (#527)

Add gitleaks secret scanning (CI) (#527) #39

Workflow file for this run

name: zizmor
# Static security analysis of the GitHub Actions workflows themselves
# (template injection, excessive permissions, credential persistence, unpinned
# actions, Dependabot cooldown, ...). Complements actionlint (correctness) and
# CodeQL (code). Configuration, including the exclusion of the ODK-generated
# qc.yml, lives in .github/zizmor.yml.
on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:
permissions:
contents: read
jobs:
zizmor:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- name: Install uv
run: |
curl -LsSf https://astral.sh/uv/install.sh | sh
echo "$HOME/.local/bin" >> "$GITHUB_PATH"
- name: Run zizmor
env:
GH_TOKEN: ${{ github.token }}
run: uvx zizmor@1.25.2 .github/