docker · temenuzhka-thede · Apr 4, 2025 · Apr 4, 2025
@@ -12,12 +12,74 @@ permissions:
   contents: read
   actions: read
 
+env:
+  ZIZMOR_VERSION: 1.5.2
+
 jobs:
   zizmor:
-    uses: ./.github/workflows/zizmor.yml
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       actions: read
       security-events: write
-    with:
-      zizmor_version: 1.5.2
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4 # zizmor: ignore[artipacked] fine to ignore official actions
+        with:
+          persist-credentials: false
+      -
+        name: Checks
+        uses: actions/github-script@v7 # zizmor: ignore[artipacked] fine to ignore official actions
+        with:
+          script: |
+            const fs = require('fs');
+
+            const workflows = fs.readdirSync('.github/workflows').filter(file => file.endsWith('.yml') || file.endsWith('.yaml'));
+            if (workflows.length > 0) {
+              core.info(`${workflows.length} workflows found in this repository.`);
+              core.exportVariable('HAS_WORKFLOWS', 'true');
+            } else {
+              core.warning("No workflows found, skipping zizmor scan.");
+              return;
+            }
+
+            try {
+              await github.request('GET /repos/{owner}/{repo}/code-scanning/alerts', {
+                ...context.repo,
+              }).catch(err => {
+                if (err.status === 403) {
+                  throw new Error('Advanced Security needs to be enabled on this repository.');
+                }
+              });
+              core.info('Advanced Security is enabled on this repository.');
+            } catch (err) {
+              core.setFailed(err.message);
+            }
+      -
+        name: Setup uv
+        if: ${{ env.HAS_WORKFLOWS }}
+        uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1
+        with:
+          enable-cache: false
+      -
+        name: Install zizmor
+        if: ${{ env.HAS_WORKFLOWS }}
+        run: |
+          set -ex
+          uv tool install zizmor@${ZIZMOR_VERSION}
+      -
+        name: Run zizmor
+        if: ${{ env.HAS_WORKFLOWS }}
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -ex
+          zizmor --min-severity=medium --min-confidence=medium --persona=pedantic --no-online-audits --format=sarif . > /tmp/zizmor.sarif
+      -
+        name: Upload SARIF report
+        if: ${{ env.HAS_WORKFLOWS }}
+        uses: github/codeql-action/upload-sarif@v3 # zizmor: ignore[artipacked] fine to ignore official actions
+        with:
+          sarif_file: /tmp/zizmor.sarif
+          category: zizmor