Skip to content

feat: wire amplitude v2 autocapture toggles #262

feat: wire amplitude v2 autocapture toggles

feat: wire amplitude v2 autocapture toggles #262

name: zizmor
on:
pull_request:
push:
permissions:
contents: read
security-events: write
actions: read
jobs:
scan:
# Gate push events to the target repo's default branch only.
# `on.push.branches` can't reference repository context, so we filter
# here with `github.event.repository.default_branch` to stay correct
# across repos that use `main`, `master`, or anything else.
if: >-
github.actor != 'dependabot[bot]' &&
(github.event_name != 'push' ||
github.ref == format('refs/heads/{0}', github.event.repository.default_branch))
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Checkout target repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
# Intentionally fails loudly when the org-level variable/secret is
# missing (e.g. fork PRs, where GitHub withholds secrets from workflows
# triggered from forks). A red check on the required workflow is the
# desired signal: it forces a human to either mark the PR trusted or
# investigate why the scanner credentials are unavailable. Do NOT add
# an `if:` guard here to silently skip — loud failure is the contract.
- name: Mint scanner token (org-wide read access for action ref resolution)
id: app-token
uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
with:
app-id: ${{ vars.ZIZMOR_SCANNER_APP_ID }}
private-key: ${{ secrets.ZIZMOR_SCANNER_PRIVATE_KEY }}
owner: rudderlabs # zizmor: ignore[github-app] org-wide read-only scanner token (contents+metadata: read); breadth is intentional for action-ref resolution, write exposure is nil
permission-contents: read
permission-metadata: read
# Inject the shared zizmor config from this repo into the target repo's
# run context. Required because zizmor only auto-discovers config from
# the checked-out working tree, and injected runs check out the target
# repo's tree, not shared-workflows. Without this step, any config-level
# rule overrides we ship here (e.g. the `secrets-outside-env` ignore for
# the zizmor workflow itself) would never apply to injected runs.
- name: Checkout shared zizmor config
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: rudderlabs/shared-workflows
# For self-scans (PRs against shared-workflows itself), test the
# PR's proposed config — otherwise a PR that breaks .github/zizmor.yml
# would be validated against main's config and merge green. For
# injected runs in other repos, pin to main for stability.
ref: ${{ github.repository == 'rudderlabs/shared-workflows' && github.event.pull_request.head.sha || 'main' }}
token: ${{ steps.app-token.outputs.token }}
path: .zizmor-shared
persist-credentials: false
sparse-checkout: |
.github/zizmor.yml
sparse-checkout-cone-mode: false
# Exit codes: 0 = clean, 1 = findings, 3 = no inputs, other = error.
# SARIF is uploaded only when valid (see next step).
- name: Run zizmor
id: zizmor
run: |
sarif="${RUNNER_TEMP}/zizmor.sarif"
docker run --rm \
--volume "${GITHUB_WORKSPACE}:/workspace:ro" \
--workdir "/workspace" \
--env "GH_TOKEN=${SCANNER_TOKEN}" \
"ghcr.io/zizmorcore/zizmor:1.26.1@sha256:d1117e5dbd9ee4970644067b534ab6ab50371f3c6f7f4d05446eb603a6e78f48" \
--format=sarif \
--persona=regular \
--min-severity=medium \
--config=.zizmor-shared/.github/zizmor.yml \
-- . | tee "${sarif}" || true
exitcode="${PIPESTATUS[0]}"
if [[ -s "${sarif}" ]] && jq empty "${sarif}" 2>/dev/null; then
echo "sarif-valid=true" >> "${GITHUB_OUTPUT}"
else
echo "sarif-valid=false" >> "${GITHUB_OUTPUT}"
fi
case "${exitcode}" in
0|1) ;; # clean or findings — both OK
3) echo "::warning::No auditable inputs in this repository" ;;
*) echo "::error::zizmor failed with exit code ${exitcode}"; exit "${exitcode}" ;;
esac
env:
SCANNER_TOKEN: ${{ steps.app-token.outputs.token }}
- name: Upload SARIF
if: steps.zizmor.outputs.sarif-valid == 'true'
uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
with:
sarif_file: ${{ runner.temp }}/zizmor.sarif
category: zizmor
checkout_path: ${{ github.workspace }}