Skip to content

Update docker/build-push-action digest to 53b7df9 #963

Update docker/build-push-action digest to 53b7df9

Update docker/build-push-action digest to 53b7df9 #963

Workflow file for this run

name: zizmor (workflow static analysis)
# zizmor performs static analysis on GitHub Actions workflows to surface
# supply-chain and configuration risks (unpinned actions, command injection
# vectors, excessive permissions, etc.). Findings are surfaced to GitHub
# Code Scanning as SARIF.
#
# Ref: #1273
on:
push:
branches: [main]
pull_request:
paths:
- ".github/workflows/**"
- ".github/actions/**"
schedule:
- cron: "55 4 * * 0" # Weekly, Sunday 04:55 UTC
workflow_dispatch:
concurrency:
group: zizmor-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
zizmor:
name: zizmor static analysis
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
security-events: write
contents: read
actions: read
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Run zizmor
uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7
with:
# Upload SARIF to Code Scanning even on findings; CI does not fail
# the build on findings, GH Security tab is the source of truth.
advanced-security: true
# The default repository token can be rejected by external action
# tag lookups. Keep this required workflow on offline audits.
online-audits: false