From a85cd9317f68c7c32969cdeb101f71e1b4612c93 Mon Sep 17 00:00:00 2001 From: Zsolt Dollenstein Date: Mon, 16 Dec 2024 09:43:24 +0000 Subject: [PATCH] ci: audit workflows with zizmor https://woodruffw.github.io/zizmor/ --- .github/workflows/build.yml | 1 + .github/workflows/ci.yml | 8 +++++++ .github/workflows/pypi_upload.yml | 1 + .github/workflows/zizmor.yml | 35 +++++++++++++++++++++++++++++++ 4 files changed, 45 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 886947d0..b14b4210 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -27,6 +27,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@v5 with: cache: pip diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e8ff9207..ab290f54 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -18,6 +18,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@v5 with: cache: pip @@ -50,6 +51,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@v5 with: cache: pip @@ -67,6 +69,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@v5 with: cache: pip @@ -83,6 +86,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@v5 with: cache: pip @@ -108,6 +112,8 @@ jobs: os: [ubuntu-latest, macos-latest, windows-latest] steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: dtolnay/rust-toolchain@stable with: components: rustfmt, clippy @@ -141,6 +147,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: dtolnay/rust-toolchain@stable with: components: rustfmt diff --git a/.github/workflows/pypi_upload.yml b/.github/workflows/pypi_upload.yml index ee9990cb..f03151f7 100644 --- a/.github/workflows/pypi_upload.yml +++ b/.github/workflows/pypi_upload.yml @@ -22,6 +22,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: false - name: Download binary wheels id: download uses: actions/download-artifact@v4 diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..dad6232f --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,35 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +jobs: + zizmor: + name: zizmor latest via PyPI + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Install the latest version of uv + uses: astral-sh/setup-uv@v4 + + - name: Run zizmor 🌈 + run: uvx zizmor --format sarif . > results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif + category: zizmor \ No newline at end of file