From f093adbb939fcecdc2e26fb2743362de9de90548 Mon Sep 17 00:00:00 2001 From: Steve Beattie Date: Thu, 9 Apr 2026 23:10:26 -0700 Subject: [PATCH] chore(workflows): add github action linters [SECINT-75] Signed-off-by: Steve Beattie --- .github/workflows/actionlint.yaml | 55 +++++++++++++++++++++++++++++++ .github/workflows/zizmor.yaml | 46 ++++++++++++++++++++++++++ .github/zizmor.yml | 9 +++++ 3 files changed, 110 insertions(+) create mode 100644 .github/workflows/actionlint.yaml create mode 100644 .github/workflows/zizmor.yaml create mode 100644 .github/zizmor.yml diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml new file mode 100644 index 0000000..ceb32b2 --- /dev/null +++ b/.github/workflows/actionlint.yaml @@ -0,0 +1,55 @@ +# Copyright 2026 Chainguard, Inc. +# SPDX-License-Identifier: Apache-2.0 + +name: Action Lint +on: + pull_request: + branches: ['main'] + paths: + - '.github/workflows/**' + - '.github/actions/**' + + push: + branches: ['main'] + paths: + - '.github/workflows/**' + - '.github/actions/**' + +permissions: {} + +jobs: + action-lint: + permissions: + contents: read # Clone the repository + name: Action lint + runs-on: ubuntu-latest + steps: + - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + with: + egress-policy: block + allowed-endpoints: > + *.githubapp.com:443 + api.github.com:443 + github.com:443 + go.dev:443 + hooks.slack.com:443 + release-assets.githubusercontent.com:443 + + - name: Check out code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Find yamls + id: get_yamls + run: | + set -ex + mapfile -t yamls < <(find .github/workflows -name "*.y*ml" | grep -v dependabot.) + echo "files=${yamls[*]}" >> "${GITHUB_OUTPUT}" + + - name: Action lint + uses: step-security/action-actionlint@d364e70a116a460ed220d67b1ca2f2579c48a40a # v1.69.1 + env: + SHELLCHECK_OPTS: "--exclude=SC2129" + with: + actionlint_flags: ${{ steps.get_yamls.outputs.files }} diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml new file mode 100644 index 0000000..161d7db --- /dev/null +++ b/.github/workflows/zizmor.yaml @@ -0,0 +1,46 @@ +# Copyright 2026 Chainguard, Inc. +# SPDX-License-Identifier: Apache-2.0 + +name: Zizmor + +on: + pull_request: + branches: ['main'] + paths: + - '.github/workflows/**' + - '.github/actions/**' + - 'action.yml' + push: + branches: ['main'] + paths: + - '.github/workflows/**' + - '.github/actions/**' + - 'action.yml' + +permissions: {} + +jobs: + zizmor: + name: Zizmor + runs-on: ubuntu-latest + permissions: + actions: read # Required by codeql-action/upload-sarif to get workflow run info + contents: read # Clone the repository + security-events: write # Upload SARIF results to Code Scanning + steps: + - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + with: + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + pkg-containers.githubusercontent.com:443 + ghcr.io + + - name: Check out code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..0812a03 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,9 @@ +# Copyright 2026 Chainguard, Inc. +# SPDX-License-Identifier: Apache-2.0 +# +rules: + # adjust the default cooldown for non-security dependabot updates + # to 3 days, down from 7. + dependabot-cooldown: + config: + days: 3