Use zizmor to lint GitHub Actions

Make use of `zizmor` to lint GitHub Actions workflows and catch potential security issues. Add `zizmor` to the `environment.yml` and to the `requirements-style.txt`. Add a new `check-actions` target in the `Makefile` that runs `zizmor` on every workflow. Add a new workflow for running `zizmor` on PRs and on pushes to `main`.
fatiando · Dec 10, 2024 · 509b758 · 509b758
1 parent 58278ca
commit 509b758
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 1 deletion.
diff --git a/.github/workflows/actions.yml b/.github/workflows/actions.yml
@@ -0,0 +1,35 @@
+# Lint GitHub Actions for common security issues using zizmor.
+# Docs: https://woodruffw.github.io/zizmor
+
+name: lint-actions
+
+# Only run on PRs and the main branch.
+# Pushes to branches will only trigger a run when a PR is opened.
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install requirements
+        run: python -m pip install -r env/requirements-style.txt
+
+      - name: List installed packages
+        run: python -m pip freeze
+
+      - name: Lint GitHub Actions
+        run: make lint-actions
diff --git a/Makefile b/Makefile
@@ -4,6 +4,9 @@ TESTDIR=tmp-test-dir-with-unique-name
 PYTEST_ARGS=--cov-config=../.coveragerc --cov-report=term-missing --cov=$(PROJECT) --doctest-modules -v --pyargs
 NUMBATEST_ARGS=--doctest-modules -v --pyargs
 CHECK_STYLE=$(PROJECT) doc
+GITHUB_ACTIONS=.github/workflows
+
+.PHONY: build install test test_coverage test_numba format check check-format check_style check-actions clean
 
 help:
 	@echo "Commands:"
@@ -42,7 +45,7 @@ format:
 	black $(CHECK_STYLE)
 	burocrata --extension=py $(CHECK_STYLE)
 
-check: check-format check-style
+check: check-format check-style check-actions
 
 check-format:
 	isort --check $(CHECK_STYLE)
@@ -52,6 +55,9 @@ check-format:
 check-style:
 	flake8 $(CHECK_STYLE)
 
+check-actions:
+	zizmor $(GITHUB_ACTIONS)
+
 clean:
 	find . -name "*.pyc" -exec rm -v {} \;
 	find . -name "*.orig" -exec rm -v {} \;

diff --git a/env/requirements-style.txt b/env/requirements-style.txt
@@ -11,3 +11,4 @@ flake8-simplify
 flake8-unused-arguments
 pep8-naming
 burocrata
+zizmor
diff --git a/environment.yml b/environment.yml
@@ -38,3 +38,4 @@ dependencies:
   - pep8-naming
   - pip:
     - burocrata
+    - zizmor
-Original file line number
+Diff line change
@@ Expand Up / @@ -38,3 +38,4 @@ dependencies: @@
       - pep8-naming
       - pip:
         - burocrata
+        - zizmor