diff --git a/.github/workflows/github_actions_scan.yml b/.github/workflows/github_actions_scan.yml
index 4c6b45c..903781d 100644
--- a/.github/workflows/github_actions_scan.yml
+++ b/.github/workflows/github_actions_scan.yml
@@ -22,7 +22,7 @@ jobs:
 check-changes:
 runs-on: 'ubuntu-latest'
 outputs:
- changed: '${{ steps.check.outputs.changed }}'
+ files: '${{ steps.check.outputs.files }}'
 permissions:
 contents: 'read'
 steps:
@@ -39,11 +39,8 @@ jobs:
 GIT_HEAD_SHA: '${{ github.event.pull_request.head.sha }}'
 GIT_BASE_SHA: '${{ github.event.pull_request.base.sha }}'
 run: |
- changed="false"
- if git diff --name-only "${GIT_BASE_SHA}" "${GIT_HEAD_SHA}" | grep -E '^\.github/workflows/.+\.ya?ml$' > /dev/null; then
- changed="true"
- fi
- echo "changed=$changed" >> "$GITHUB_OUTPUT"
+ files=$(git diff --name-only "${GIT_BASE_SHA}" "${GIT_HEAD_SHA}" | grep -E '^\.github/workflows/.+\.ya?ml$' | xargs || true)
+ echo "files=$files" >> "$GITHUB_OUTPUT"
 
 zizmor-scan:
 needs: ['check-changes']
@@ -51,7 +48,7 @@ jobs:
 if: >-
 inputs.wif_provider != '' ||
 (
- needs.check-changes.outputs.changed == 'true' &&
+ needs.check-changes.outputs.files != '' &&
 github.event_name == 'pull_request_target' &&
 !startsWith(github.workflow_ref, format('{0}/', github.repository))
 )
@@ -70,6 +67,7 @@ jobs:
 shell: 'bash'
 env:
 GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+ CHANGED_FILES: '${{ needs.check-changes.outputs.files }}'
 run: >-
 docker run
 --rm
@@ -79,7 +77,7 @@ jobs:
 "ghcr.io/zizmorcore/zizmor:${ZIZMOR_VERSION}@${ZIZMOR_DOCKER_DIGEST}"
 --format sarif
 --
- .github/workflows
+ ${CHANGED_FILES}
 > zizmor.sarif.json
 - name: 'Enrich SARIF with GitHub metadata'
 shell: 'bash'
@@ -170,6 +168,7 @@ jobs:
 shell: 'bash'
 env:
 GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+ CHANGED_FILES: '${{ needs.check-changes.outputs.files }}'
 run: >-
 docker run
 --rm
@@ -179,4 +178,4 @@ jobs:
 "ghcr.io/zizmorcore/zizmor:${ZIZMOR_VERSION}@${ZIZMOR_DOCKER_DIGEST}"
 --format github
 --
- .github/workflows
+ ${CHANGED_FILES}
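Review bot: The `|| true` on the new `files=` line (hunk `@@ -39,11 +39,8 @@`) covers grep finding nothing, but it also swallows a failing `git diff` (for example when one of the two SHAs is not present in the checkout), leaving `files` empty and turning the downstream `needs.check-changes.outputs.files != ''` gate into a silent skip of the scan. Let a git failure fail the step instead (under GitHub's default `bash -e` it will) by moving it out of the guarded pipeline: `changed=$(git diff --name-only "${GIT_BASE_SHA}" "${GIT_HEAD_SHA}")` then `files=$(printf '%s\n' "$changed" | grep -E '^\.github/workflows/.+\.ya?ml$' | paste -sd ' ' || true)`. `paste -sd ' '` also replaces `xargs`, which with no command runs `echo` and strips quotes and backslashes from the names it joins. Since the SHAs come from the pull request, the names in `files` are chosen by the PR author; that is acceptable here only because they are passed as whole arguments after `--` and never re-parsed as shell, which is worth stating in a comment above the `run:` block.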
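Review bot: `${CHANGED_FILES}` in hunk `@@ -79,7 +77,7 @@` can expand to nothing: the `if:` in hunk `@@ -51,7 +48,7 @@` still runs this job whenever `inputs.wif_provider != ''` regardless of `files`, so a pull request under that input that touches no workflow file now invokes zizmor with no path after `--`, whereas before it always scanned `.github/workflows`. What zizmor does with zero inputs is not visible here, but the scan scope shrinks silently either way; keeping the old directory as the fallback preserves it: `${CHANGED_FILES:-.github/workflows}`. The same applies to the `--format github` invocation in hunk `@@ -179,4 +178,4 @@`. The expansion is also unquoted word-splitting inside a folded scalar, so a workflow file name containing a space is passed as two arguments; that fails the run rather than skipping it, but deserves a comment next to the `CHANGED_FILES` env entry. The `run:` block starts above the hunk.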