Skip to content

Commit

Permalink
Merge pull request #15 from planetscale/joem/zizmor-lints
Browse files Browse the repository at this point in the history
zizmor GHA linting
  • Loading branch information
joemiller authored Jan 6, 2025
2 parents 90e69d5 + 981a0ac commit 7dff9c6
Show file tree
Hide file tree
Showing 5 changed files with 47 additions and 18 deletions.
6 changes: 6 additions & 0 deletions .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false

- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
with:
go-version-file: go.mod
Expand All @@ -27,6 +30,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false

- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
with:
go-version-file: go.mod
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/licensing.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: 0
persist-credentials: false

- run: sudo gem install license_finder
- run: license_finder
20 changes: 2 additions & 18 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: 0
persist-credentials: false

- name: Calculate new version with autotag
id: autotag
Expand All @@ -42,25 +43,8 @@ jobs:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3

- name: Cache
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
id: cache
with:
path: |
go-pkg-mod
go-build
key: ${{ runner.os }}-go-cache-${{ hashFiles('**/go.sum') }}-v2

- name: inject go caches into docker
uses: reproducible-containers/buildkit-cache-dance@5b6db76d1da5c8b307d5d2e0706d266521b710de # v3.1.2
with:
cache-map: |
{
"go-pkg-mod": "/go/pkg/mod",
"go-build": "/root/.cache/go-build"
}
skip-extraction: ${{ steps.cache.outputs.cache-hit }}
cache-binary: false

- name: Build and push
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/validate-renovate.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@ jobs:

steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false

- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
with:
Expand Down
36 changes: 36 additions & 0 deletions .github/workflows/zizmor.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
name: GitHub Actions Security Analysis with zizmor

on:
push:
branches: ["main"]
pull_request:
branches: ["**"]

jobs:
zizmor:
name: zizmor latest via PyPI
runs-on: ubuntu-latest
permissions:
security-events: write
# required for workflows in private repositories
contents: read
actions: read
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false

- name: Install the latest version of uv
uses: astral-sh/setup-uv@887a942a15af3a7626099df99e897a18d9e5ab3a # v5

- name: Run zizmor 🌈
run: uvx zizmor --format sarif . > results.sarif
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3
with:
sarif_file: results.sarif
category: zizmor

0 comments on commit 7dff9c6

Please sign in to comment.