From 64a064b983c802cea773ae20c86b06766d4a002f Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Tue, 10 Dec 2024 13:45:47 +0100 Subject: [PATCH] workflows: Add zizmor GHA Signed-off-by: Facundo Tuesca --- .github/workflows/zizmor.yml | 37 +++++++++++++++++++ cookiecutter.json | 3 +- .../.github/workflows/zizmor.yml | 36 ++++++++++++++++++ 3 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/zizmor.yml create mode 100644 {{cookiecutter.project_slug}}/.github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..962003a --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,37 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +jobs: + zizmor: + name: zizmor latest via PyPI + runs-on: ubuntu-latest + permissions: + security-events: write + # required for workflows in private repositories + contents: read + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Install the latest version of uv + uses: astral-sh/setup-uv@v4 + + - name: Run zizmor 🌈 + # Run it for both this repo and the templated cookiecutter repo. + run: uvx zizmor --format sarif . {{cookiecutter.project_slug}}/.github/workflows > results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif + category: zizmor diff --git a/cookiecutter.json b/cookiecutter.json index 4e81261..8d61f41 100644 --- a/cookiecutter.json +++ b/cookiecutter.json @@ -31,7 +31,8 @@ "_copy_without_render": [ ".github/workflows/docs.yml", ".github/workflows/lint.yml", - ".github/workflows/tests.yml" + ".github/workflows/tests.yml", + ".github/workflows/zizmor.yml" ], "__prompts__": { "project_name": "Human-readable project name (translated into module slug and import)", diff --git a/{{cookiecutter.project_slug}}/.github/workflows/zizmor.yml b/{{cookiecutter.project_slug}}/.github/workflows/zizmor.yml new file mode 100644 index 0000000..f242ab6 --- /dev/null +++ b/{{cookiecutter.project_slug}}/.github/workflows/zizmor.yml @@ -0,0 +1,36 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +jobs: + zizmor: + name: zizmor latest via PyPI + runs-on: ubuntu-latest + permissions: + security-events: write + # required for workflows in private repositories + contents: read + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Install the latest version of uv + uses: astral-sh/setup-uv@v4 + + - name: Run zizmor 🌈 + run: uvx zizmor --format sarif . > results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif + category: zizmor