Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 41 additions & 0 deletions .github/workflows/zizmor.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
# Static analysis of the GitHub Actions workflows with zizmor.
# https://github.com/zizmorcore/zizmor
name: GitHub Actions security (zizmor)

on:
push:
branches: [master]
pull_request:
branches: ["**"]

permissions: {}

jobs:
zizmor:
name: zizmor
runs-on: ubuntu-latest
permissions:
security-events: write # upload-sarif needs this to publish results
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Install uv
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0

- name: Run zizmor
# Report only for now. The existing workflows still have findings to work
# through, so this uploads results to the Security tab instead of failing
# the build. Flip to a hard gate once they're cleared. No token is passed,
# so zizmor runs offline (skips the online-only audits) and avoids the API
# rate limits its docs warn about.
continue-on-error: true
run: uvx zizmor@1.25.2 --format=sarif . > results.sarif

- name: Upload SARIF
uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
sarif_file: results.sarif
category: zizmor
Loading