diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..5d33e005 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,41 @@ +# Static analysis of the GitHub Actions workflows with zizmor. +# https://github.com/zizmorcore/zizmor +name: GitHub Actions security (zizmor) + +on: + push: + branches: [master] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + zizmor: + name: zizmor + runs-on: ubuntu-latest + permissions: + security-events: write # upload-sarif needs this to publish results + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Install uv + uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0 + + - name: Run zizmor + # Report only for now. The existing workflows still have findings to work + # through, so this uploads results to the Security tab instead of failing + # the build. Flip to a hard gate once they're cleared. No token is passed, + # so zizmor runs offline (skips the online-only audits) and avoids the API + # rate limits its docs warn about. + continue-on-error: true + run: uvx zizmor@1.25.2 --format=sarif . > results.sarif + + - name: Upload SARIF + uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 + with: + sarif_file: results.sarif + category: zizmor