ci: add zizmor static analysis for the workflows #2
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Static analysis of the GitHub Actions workflows with zizmor. | |
| # https://github.com/zizmorcore/zizmor | |
| name: GitHub Actions security (zizmor) | |
| on: | |
| push: | |
| branches: [master] | |
| pull_request: | |
| branches: ["**"] | |
| permissions: {} | |
| jobs: | |
| zizmor: | |
| name: zizmor | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write # upload-sarif needs this to publish results | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0 | |
| - name: Run zizmor | |
| # Report only for now. The existing workflows still have findings to work | |
| # through, so this uploads results to the Security tab instead of failing | |
| # the build. Flip to a hard gate once they're cleared. No token is passed, | |
| # so zizmor runs offline (skips the online-only audits) and avoids the API | |
| # rate limits its docs warn about. | |
| continue-on-error: true | |
| run: uvx zizmor@1.25.2 --format=sarif . > results.sarif | |
| - name: Upload SARIF | |
| uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 | |
| with: | |
| sarif_file: results.sarif | |
| category: zizmor |