
Commit 1d10619

committed
ci: add zizmor scanning and harden workflows
Now that we build and publish images which are referenced in the manifest, let's harden the CI workflows using zizmor. This also matches what we did in chunkah: coreos/chunkah#122 Assisted-by: Pi (Claude Opus 4.6)
1 parent 1d9370b commit 1d10619

2 files changed

Lines changed: 51 additions & 13 deletions


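--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -10,22 +10,28 @@ on:
 env:
 BINK_VERSION: v0.1.1
 
+permissions: {}
+
 concurrency:
 group: ci-${{ github.head_ref || github.ref }}
 cancel-in-progress: true
 
 jobs:
 unit:
 runs-on: ubuntu-latest
+permissions:
+contents: read
 steps:
 - name: Checkout
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 
 - name: Set up Go
-uses: actions/setup-go@v6
+uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: go.mod
-cache: true
+cache: true # zizmor: ignore[cache-poisoning]
 
 - name: Unit tests
 run: make unit
@@ -46,7 +52,9 @@ jobs:
 IMAGE: ghcr.io/${{ github.repository }}
 steps:
 - name: Checkout
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 
 - name: Download bink release
 run: |
@@ -55,10 +63,10 @@ jobs:
 sudo chmod +x /usr/local/bin/bink
 
 - name: Set up Go
-uses: actions/setup-go@v6
+uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
 go-version-file: go.mod
-cache: true
+cache: true # zizmor: ignore[cache-poisoning]
 
 - name: Set up KVM
 run: sudo chmod 666 /dev/kvm
@@ -90,15 +98,21 @@ jobs:
 
 - name: Push to GHCR
 if: github.event_name == 'push'
+env:
+ACTOR: ${{ github.actor }}
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+SHA: ${{ github.sha }}
+REF: ${{ github.ref }}
+REF_NAME: ${{ github.ref_name }}
 run: |
-podman login -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} ghcr.io
-podman push bootc-operator:dev ${{ env.IMAGE }}:dev
-podman push bootc-operator:dev ${{ env.IMAGE }}:${{ github.sha }}
+podman login -u "${ACTOR}" -p "${GH_TOKEN}" ghcr.io
+podman push bootc-operator:dev "${IMAGE}":dev
+podman push bootc-operator:dev "${IMAGE}":"${SHA}"
 
-if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
-podman push bootc-operator:dev ${{ env.IMAGE }}:${{ github.ref_name }}
+if [[ "${REF}" == refs/tags/v* ]]; then
+podman push bootc-operator:dev "${IMAGE}":"${REF_NAME}"
 fi
 
-if [[ "${{ github.ref }}" == refs/heads/main ]]; then
-podman push bootc-operator:dev ${{ env.IMAGE }}:latest
+if [[ "${REF}" == refs/heads/main ]]; then
+podman push bootc-operator:dev "${IMAGE}":latest
 fi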
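Review bot: `podman login -u "${ACTOR}" -p "${GH_TOKEN}" ghcr.io` in the Push to GHCR step still hands the token to podman as a command-line argument, where it is readable by any other process on the runner through the process table; moving the secret out of `${{ }}` interpolation removes the injection problem but not this one. Feed it on stdin instead: `printf '%s' "${GH_TOKEN}" | podman login -u "${ACTOR}" --password-stdin ghcr.io`. The same job's `cache: true # zizmor: ignore[cache-poisoning]` (third hunk) suppresses the audit on a job that publishes images, which is precisely the case the cache-poisoning finding exists for; consider keeping the suppression only on the `unit` job and disabling the cache here. With the new top-level `permissions: {}`, the job that pushes to GHCR also needs `packages: write` (and `contents: read` for checkout) — its job header and any permissions block are outside the hunks shown, so this may already be covered.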

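--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,24 @@
+name: Zizmor
+
+on:
+push:
+branches: [main]
+pull_request:
+branches: ["**"]
+
+permissions: {}
+
+jobs:
+zizmor:
+name: Scan GHA workflows
+runs-on: ubuntu-24.04
+permissions:
+security-events: write # Required to upload SARIF files
+steps:
+- name: Checkout repository
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
+
+- name: Run zizmor
+uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6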
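Review bot: The job's `permissions:` block grants only `security-events: write`; on a private repository the checkout and the SARIF upload performed by zizmor-action additionally need `contents: read` and `actions: read`, so the scan would fail there. Repository visibility is not shown on this page; if the repository is or may become private, add `contents: read` and `actions: read` beneath the existing `security-events: write` line, with a comment such as `# Required for private repositories`. Separately, the new file is named `zizmor.yml` while the existing workflow is `ci.yaml`; pick one extension for the workflows directory.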
