From a219853d49ed9f02a5ab2a38fb2e152962a6da7c Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Thu, 9 Jan 2025 21:30:37 +0000 Subject: [PATCH] CI: Add workflow that runs zizmor latest Source: woodruffw/zizmor@c6fef48587365328a3769766f7f4babf1c510213 --- .github/workflows/zizmor.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000000..25f14de877a --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,31 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: ["main"] + pull_request: + branches: ["*"] + +jobs: + zizmor: + name: zizmor latest via Cargo + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false + - name: Install the latest version of uv + uses: astral-sh/setup-uv@887a942a15af3a7626099df99e897a18d9e5ab3a # v4 + - name: Run zizmor 🌈 + run: uvx zizmor --format sarif . > results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 + with: + sarif_file: results.sarif + category: zizmor