From 4a968aafc5b81d3a095ff40310400426e8a3b117 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Fri, 4 Apr 2025 15:04:29 +0200
Subject: [PATCH] octoguard: move zizmor job within octoguard one

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/octoguard.yml | 68 ++++++++++++++++++++++++--
 .github/workflows/zizmor.yml | 84 ---------------------------------
 2 files changed, 65 insertions(+), 87 deletions(-)
 delete mode 100644 .github/workflows/zizmor.yml

diff --git a/.github/workflows/octoguard.yml b/.github/workflows/octoguard.yml
index bae10e9..003e2a3 100644
--- a/.github/workflows/octoguard.yml
+++ b/.github/workflows/octoguard.yml
@@ -12,12 +12,74 @@ permissions: contents: read actions: read +env: + ZIZMOR_VERSION: 1.5.2 + jobs: zizmor: - uses: ./.github/workflows/zizmor.yml + runs-on: ubuntu-24.04 permissions: contents: read actions: read security-events: write - with: - zizmor_version: 1.5.2 + steps: + - + name: Checkout + uses: actions/checkout@v4 # zizmor: ignore[artipacked] fine to ignore official actions + with: + persist-credentials: false + - + name: Checks + uses: actions/github-script@v7 # zizmor: ignore[artipacked] fine to ignore official actions + with: + script: | + const fs = require('fs'); + + const workflows = fs.readdirSync('.github/workflows').filter(file => file.endsWith('.yml') || file.endsWith('.yaml')); + if (workflows.length > 0) { + core.info(`${workflows.length} workflows found in this repository.`); + core.exportVariable('HAS_WORKFLOWS', 'true'); + } else { + core.warning("No workflows found, skipping zizmor scan."); + return; + } + + try { + await github.request('GET /repos/{owner}/{repo}/code-scanning/alerts', { + ...context.repo, + }).catch(err => { + if (err.status === 403) { + throw new Error('Advanced Security needs to be enabled on this repository.'); + } + }); + core.info('Advanced Security is enabled on this repository.'); + } catch (err) { + core.setFailed(err.message); + } + - + name: Setup uv + if: ${{ env.HAS_WORKFLOWS }} + uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1 + with: + enable-cache: false + - + name: Install zizmor + if: ${{ env.HAS_WORKFLOWS }} + run: | + set -ex + uv tool install zizmor@${ZIZMOR_VERSION} + - + name: Run zizmor + if: ${{ env.HAS_WORKFLOWS }} + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -ex + zizmor --min-severity=medium --min-confidence=medium --persona=pedantic --no-online-audits --format=sarif . 
> /tmp/zizmor.sarif + - + name: Upload SARIF report + if: ${{ env.HAS_WORKFLOWS }} + uses: github/codeql-action/upload-sarif@v3 # zizmor: ignore[artipacked] fine to ignore official actions + with: + sarif_file: /tmp/zizmor.sarif + category: zizmor diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml deleted file mode 100644 index a155227..0000000 --- a/.github/workflows/zizmor.yml +++ /dev/null 
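Review bot: The `.catch` on the code-scanning request in the Checks step swallows every error other than a 403: a 401, 404 or 5xx falls through to `core.info('Advanced Security is enabled on this repository.')` and the job proceeds to the upload step with a misleading log. Rethrow unknown errors from the handler, `if (err.status === 403) { throw new Error('Advanced Security needs to be enabled on this repository.'); } throw err;`, so the outer `try` reports them through `core.setFailed`. Separately, the Run zizmor step exports `GH_TOKEN` while passing `--no-online-audits`; if zizmor does not use the token in that mode, dropping that `env:` block keeps the token out of a step that runs a freshly installed third-party tool.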
@@ -1,84 +0,0 @@ -name: zizmor - -on: - workflow_call: - inputs: - zizmor_version: - required: false - type: string - default: 'latest' - -permissions: - contents: read - actions: read - -jobs: - zizmor: - runs-on: ubuntu-24.04 - permissions: - contents: read - actions: read - security-events: write - steps: - - - name: Checkout - uses: actions/checkout@v4 # zizmor: ignore[artipacked] fine to ignore official actions - with: - persist-credentials: false - - - name: Checks - uses: actions/github-script@v7 # zizmor: ignore[artipacked] fine to ignore official actions - with: - script: | - const fs = require('fs'); - - const workflows = fs.readdirSync('.github/workflows').filter(file => file.endsWith('.yml') || file.endsWith('.yaml')); - if (workflows.length > 0) { - core.info(`${workflows.length} workflows found in this repository.`); - core.exportVariable('HAS_WORKFLOWS', 'true'); - } else { - core.warning("No workflows found, skipping zizmor scan."); - return; - } - - try { - await github.request('GET /repos/{owner}/{repo}/code-scanning/alerts', { - ...context.repo, - }).catch(err => { - if (err.status === 403) { - throw new Error('Advanced Security needs to be enabled on this repository.'); - } - }); - core.info('Advanced Security is enabled on this repository.'); - } catch (err) { - core.setFailed(err.message); - } - - - name: Setup uv - if: ${{ env.HAS_WORKFLOWS }} - uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1 - with: - enable-cache: false - - - name: Install zizmor - if: ${{ env.HAS_WORKFLOWS }} - env: - ZIZMOR_VERSION: ${{ inputs.zizmor_version }} - run: | - set -ex - uv tool install zizmor@${ZIZMOR_VERSION} - - - name: Run zizmor - if: ${{ env.HAS_WORKFLOWS }} - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - set -ex - zizmor --min-severity=medium --min-confidence=medium --persona=pedantic --no-online-audits --format=sarif . 
> /tmp/zizmor.sarif - - - name: Upload SARIF report - if: ${{ env.HAS_WORKFLOWS }} - uses: github/codeql-action/upload-sarif@v3 # zizmor: ignore[artipacked] fine to ignore official actions - with: - sarif_file: /tmp/zizmor.sarif - category: zizmor