From 509b7582b2b1ede9a581344b77e5568875e5fd30 Mon Sep 17 00:00:00 2001
From: Santiago Soler
Date: Tue, 10 Dec 2024 11:08:49 -0800
Subject: [PATCH] Use zizmor to lint GitHub Actions

Make use of `zizmor` to lint GitHub Actions workflows and catch potential security issues. Add `zizmor` to the `environment.yml` and to the `requirements-style.txt`. Add a new `check-actions` target in the `Makefile` that runs `zizmor` on every workflow. Add a new workflow for running `zizmor` on PRs and on pushes to `main`.
---
 .github/workflows/actions.yml | 35 +++++++++++++++++++++++++++++++++++
 Makefile | 8 +++++++-
 env/requirements-style.txt | 1 +
 environment.yml | 1 +
 4 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/actions.yml

diff --git a/.github/workflows/actions.yml b/.github/workflows/actions.yml
new file mode 100644
index 00000000..4cae01e5
--- /dev/null
+++ b/.github/workflows/actions.yml
@@ -0,0 +1,35 @@
+# Lint GitHub Actions for common security issues using zizmor.
+# Docs: https://woodruffw.github.io/zizmor
+
+name: lint-actions
+
+# Only run on PRs and the main branch.
+# Pushes to branches will only trigger a run when a PR is opened.
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - name: Setup Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.12"
+
+ - name: Install requirements
+ run: python -m pip install -r env/requirements-style.txt
+
+ - name: List installed packages
+ run: python -m pip freeze
+
+ - name: Lint GitHub Actions
+ run: make lint-actions
diff --git a/Makefile b/Makefile
index b481a61e..efa5cca9 100644
--- a/Makefile
+++ b/Makefile
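Review bot: The final step of the new workflow runs `make lint-actions`, but the Makefile target added by this same commit is named `check-actions`, so the "Lint GitHub Actions" step will fail with "No rule to make target" on every run; change it to `run: make check-actions` (or rename the target to match). The workflow also declares no `permissions:` block, so the job inherits the repository's default token scope although it only needs to read the checkout; add a top-level `permissions:` with `contents: read`, which is also what zizmor's excessive-permissions audit would flag on this file. `actions/checkout@v4` and `actions/setup-python@v5` are pinned to mutable tags; pinning them to full commit SHAs (keeping the tag in a trailing comment) prevents a moved or compromised tag from changing what a security-linting job executes.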
@@ -4,6 +4,9 @@ TESTDIR=tmp-test-dir-with-unique-name PYTEST_ARGS=--cov-config=../.coveragerc --cov-report=term-missing --cov=$(PROJECT) --doctest-modules -v --pyargs NUMBATEST_ARGS=--doctest-modules -v --pyargs CHECK_STYLE=$(PROJECT) doc +GITHUB_ACTIONS=.github/workflows + +.PHONY: build install test test_coverage test_numba format check check-format check_style check-actions clean help: @echo "Commands:" @@ -42,7 +45,7 @@ format: black $(CHECK_STYLE) burocrata --extension=py $(CHECK_STYLE) -check: check-format check-style +check: check-format check-style check-actions check-format: isort --check $(CHECK_STYLE) @@ -52,6 +55,9 @@ check-format: check-style: flake8 $(CHECK_STYLE) +check-actions: + zizmor $(GITHUB_ACTIONS) + clean: find . -name "*.pyc" -exec rm -v {} \; find . -name "*.orig" -exec rm -v {} \; diff --git a/env/requirements-style.txt b/env/requirements-style.txt index 9dcec7cc..95e51d73 100644 --- a/env/requirements-style.txt +++ b/env/requirements-style.txt @@ -11,3 +11,4 @@ flake8-simplify flake8-unused-arguments pep8-naming burocrata +zizmor diff --git a/environment.yml b/environment.yml index ca823e77..852496ad 100644 --- a/environment.yml +++ b/environment.yml @@ -38,3 +38,4 @@ dependencies: - pep8-naming - pip: - burocrata + - zizmor
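Review bot: The new `.PHONY` line declares `check_style` (underscore), but the target defined further down this file is `check-style` (hyphen, as the third hunk shows with `check-style:`), so the real target is left non-phony while a name that does not exist is declared; change the entry to `check-style`. This matters in practice because a file named `check-style` in the repository would silently make `make check` skip flake8. The `.PHONY` line and the `GITHUB_ACTIONS` variable are both new in this hunk, so the typo is not inherited from the existing file.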