GH Actions can be dangerous if they are misconfigured. Recently Ultralytics was compromised through a PR that abused its GH Actions workflows. See https://blog.yossarian.net/2024/12/06/zizmor-ultralytics-injection
Using a static analysis tool to check our workflows for such weaknesses would reduce that risk.
The main tool in this field seems to be zizmor.
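The bug class in the linked post is, as far as I understand it, expression injection: a `${{ }}` expansion of attacker-controlled input inside a `run:` step. As an added example (not from this issue and not zizmor's code), here is a toy Python checker for that one class, run over a constructed vulnerable workflow and its hardened twin that passes the same values through `env:` instead:

```python
# Minimal detector for the weakness class behind the linked incident: an attacker-
# controlled ``github`` context expanded inside a ``run:`` script. Constructed
# illustration, not zizmor's code; zizmor's own audits cover far more than this.
import re

# Contexts GitHub documents as attacker-controllable (regex form, not exhaustive).
UNTRUSTED = [
    r"github\.head_ref",
    r"github\.event\.pull_request\.(title|body|head\.(ref|label))",
    r"github\.event\.issue\.(title|body)",
    r"github\.event\.(comment|review)\.body",
    r"github\.event\.(head_commit|commits\.[^.]+)\.(message|author\.(name|email))",
]
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")            # ${{ expression }}
RUN_LINE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")  # "run:" or "- run:"

def run_steps(text):
    """Yield (line_no, script) per run: step, joining | and > block scalars."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = RUN_LINE.match(lines[i])
        i += 1
        if not m:
            continue
        indent, script, line_no = len(m.group(1)), m.group(2), i
        if script.strip() in ("|", "|-", ">", ">-"):  # block scalar: take deeper lines
            body = []
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > indent):
                body.append(lines[i])
                i += 1
            script = "\n".join(body)
        yield line_no, script

def find_injections(text):
    """Return [(line_no, expression)] for untrusted contexts interpolated into shell."""
    return [(n, e) for n, s in run_steps(text) for e in EXPR.findall(s)
            if any(re.search(p, e) for p in UNTRUSTED)]

# Constructed sample: branch name and PR title are spliced straight into the script.
VULNERABLE = """\
on: pull_request_target
jobs:
  greet:
    steps:
      - run: |
          echo "Checking ${{ github.head_ref }}"
          echo "${{ github.event.pull_request.title }}" >> "$GITHUB_STEP_SUMMARY"
"""
# Same job hardened: values reach the shell as environment variables, not as code.
HARDENED = VULNERABLE.replace("${{ github.head_ref }}", "$BRANCH").replace(
    "${{ github.event.pull_request.title }}", "$TITLE").replace(
    "      - run: |\n",
    "      - env:\n          BRANCH: ${{ github.head_ref }}\n"
    "          TITLE: ${{ github.event.pull_request.title }}\n        run: |\n")
```

zizmor's `template-injection` audit does this properly, across far more contexts and step types than this toy covers.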