From 44f593ae84e411280cf7568e33a9e77afe6c631b Mon Sep 17 00:00:00 2001
From: Steve Myers
Date: Mon, 27 Jan 2025 20:19:30 -0600
Subject: [PATCH 1/2] ci: add zizmor github actions security analysis workflow
---
 .github/workflows/zizmor.yml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 000000000..b2e23f7e8
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,36 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches: ["master"]
+  pull_request:
+    branches: ["**"]
+
+jobs:
+  zizmor:
+    name: zizmor latest via PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      # required for workflows in private repositories
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@v5
+
+      - name: Run zizmor 🌈
+        run: uvx zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor
\ No newline at end of file
From 95e53d051e60541d594d0ce5b49e7e34835d2b14 Mon Sep 17 00:00:00 2001
From: Steve Myers
Date: Mon, 27 Jan 2025 20:34:52 -0600
Subject: [PATCH 2/2] fix(ci): remove overly broad workflow permissions
---
 .github/workflows/code_coverage.yml | 2 ++
 .github/workflows/cont_integration.yml | 2 ++
 .github/workflows/cron-update-rust.yml | 3 +++
 .github/workflows/nightly_docs.yml | 2 ++
 4 files changed, 9 insertions(+)
diff --git a/.github/workflows/code_coverage.yml b/.github/workflows/code_coverage.yml
index 8e1491adc..db1b7d36f 100644
--- a/.github/workflows/code_coverage.yml
+++ b/.github/workflows/code_coverage.yml
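Review bot: The scanner itself is fetched unpinned at run time in the `Run zizmor` step: `run: uvx zizmor --format sarif . > results.sarif` resolves whatever zizmor release is current on PyPI on each run (the job name says as much), and the three actions are referenced by mutable tags (`actions/checkout@v4`, `astral-sh/setup-uv@v5`, `github/codeql-action/upload-sarif@v3`). For a workflow whose output is uploaded into code scanning under `security-events: write`, pin the tool to an exact release, `run: uvx zizmor==<PINNED_VERSION> --format sarif . > results.sarif`, and pin each `uses:` to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<COMMIT_SHA> # v4`, so that a yanked or compromised upstream release cannot silently change what this job executes. Two smaller points: if zizmor exits non-zero when it reports findings (which I believe is its default behaviour), the redirect step fails before `Upload SARIF file` runs and the results never reach code scanning, so confirm the exit-code behaviour of the pinned version; and a top-level `permissions: {}` would make this file consistent with the repository's other workflows, although the job-level block already scopes the token.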
@@ -2,6 +2,8 @@ on: [push, pull_request]
 name: Code Coverage
+permissions: {}
+
 jobs:
   Codecov:
     name: Code Coverage
diff --git a/.github/workflows/cont_integration.yml b/.github/workflows/cont_integration.yml
index f13bca2fe..ff4a51593 100644
--- a/.github/workflows/cont_integration.yml
+++ b/.github/workflows/cont_integration.yml
@@ -2,6 +2,8 @@ on: [push, pull_request]
 name: CI
+permissions: {}
+
 jobs:
   prepare:
diff --git a/.github/workflows/cron-update-rust.yml b/.github/workflows/cron-update-rust.yml
index 2fc212ebd..1264203d5 100644
--- a/.github/workflows/cron-update-rust.yml
+++ b/.github/workflows/cron-update-rust.yml
@@ -1,4 +1,7 @@
 name: Update rust version
+
+permissions: {}
+
 on:
   schedule:
     - cron: "0 0 15 * *" # At 00:00 on day-of-month 15.
diff --git a/.github/workflows/nightly_docs.yml b/.github/workflows/nightly_docs.yml
index 80e3fc787..a66881319 100644
--- a/.github/workflows/nightly_docs.yml
+++ b/.github/workflows/nightly_docs.yml
@@ -1,5 +1,7 @@
 name: Publish Nightly Docs
+permissions: {}
+
 on: [push, pull_request]
 jobs:
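Review bot: Neither the cron-update-rust.yml nor the nightly_docs.yml hunk adds job-level permissions to go with the new top-level `permissions: {}`, which removes every default GITHUB_TOKEN grant for those workflows; the job bodies themselves are outside the hunks. A job that updates a Rust version (presumably by pushing a branch or opening a pull request) or publishes nightly docs (presumably by pushing to a pages branch) needs `contents: write` and/or `pull-requests: write` declared at the job level, or a separately scoped token, otherwise it will start failing with a permission error once this lands, so please confirm those jobs declare what they need before merging. The code_coverage.yml and cont_integration.yml hunks appear to cover read-only jobs and need nothing further. A one-line comment above each `permissions: {}`, such as `# no default token grants; each job declares the permissions it needs`, would record the intent for the next editor.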