Add zizmor github actions security analysis workflow #1813
Conversation
notmandatory
requested review from
ValuedMammal
and removed request for
ValuedMammal
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
notmandatory
changed the title
notmandatory
force-pushed
the
ci/zizmor
branch
from
42bcf95 to
95e53d0
Compare
|
Rebased on updated and merged #1778 ready to review and merge, zizmor finds no issues now. |
oleonardolima
left a comment
oleonardolima
left a comment
There was a problem hiding this comment.
Overall it looks good and it's a pretty good addition.
I left a minor comment and another one regarding my concerning on relying on another action for what it seems just python package management.
.github/workflows/zizmor.yml
Outdated
| contents: read | ||
| actions: read |
There was a problem hiding this comment.
As this is a public repo, this could be removed ?
.github/workflows/zizmor.yml
Outdated
| - name: Install the latest version of uv | ||
| uses: astral-sh/setup-uv@v5 | ||
|
|
||
| - name: Run zizmor 🌈 | ||
| run: uvx zizmor --format sarif . > results.sarif | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
There was a problem hiding this comment.
I like the idea of having a zizmor job, however, I'm wondering if there's another simpler/safer way to run it, instead of bringing this new action (setup-uv) AFAICT just for the python package manager 🤔
|
Took this out of the |
notmandatory
added
github_actions
|
Moved to |
|
Reopening since we need to audit CI actions for this repo too. |
|
Pushed changes to match bitcoindevkit/bdk_wallet#8. |
notmandatory
force-pushed
the
ci/zizmor
branch
3 times, most recently
from
0e048a1 to
2a2f04c
Compare
oleonardolima
left a comment
oleonardolima
left a comment
There was a problem hiding this comment.
utACK 2a2f04c
AFAICT the conflicts are only happening as [email protected] was bumped recently.
f6fd985 fix: deprecated method bitcoin::key::TweakedKeypair::to_inner, changed to to_keypair (Steve Myers) bb105a0 ci: add zizmor github actions security analysis workflow (Steve Myers) Pull request description: ### Description Added workflow to run zizmor github actions security analysis. See: https://woodruffw.github.io/zizmor/usage/#use-in-github-actions ### Notes to the reviewers Original PR: bitcoindevkit/bdk#1813 I pinned zizmor to version 1.6.0. ### Changelog notice * ci: add zizmor github actions security analysis workflow and fix possible vulnerabilities ### Checklists #### All Submissions: * [x] I've signed all my commits * [x] I followed the [contribution guidelines](https://github.com/bitcoindevkit/bdk/blob/master/CONTRIBUTING.md) * [x] I ran `cargo fmt` and `cargo clippy` before committing Top commit has no ACKs. Tree-SHA512: 1476391c8ae702e19a78d4a271eb3ea17c52ff83928400d5f060c300eed652ec8f3d246371cf196c375bc18a6bd9025a468e6833d7232ebe933398b289fd2857
3 participants
Description
Added workflow to run zizmor github actions security analysis.
See: https://woodruffw.github.io/zizmor/usage/#use-in-github-actions
Notes to the reviewers
I built this PR on top of #1778.
I pinned zizmor to version 1.6.0.
Changelog notice
ci: add zizmor github actions security analysis workflow and fix possible vulnerabilities
Checklists
All Submissions:
cargo fmtandcargo clippybefore committing