File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1+ # SPDX-FileCopyrightText: (C) 2026 Intel Corporation
2+ # SPDX-License-Identifier: Apache-2.0
3+ ---
4+
5+ name : Zizmor Scan
6+
7+ on :
8+ push :
9+ branches : [main]
10+ pull_request :
11+ branches : [main]
12+ workflow_dispatch :
13+
14+ permissions :
15+ contents : read
16+
17+ jobs :
18+ zizmor :
19+ permissions :
20+ contents : read
21+ security-events : write
22+
23+ runs-on : ubuntu-latest
24+
25+ env :
26+ ZIZMOR_VERSION : 1.20.0
27+
28+ steps :
29+ - name : Harden Runner
30+ uses : step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
31+ with :
32+ egress-policy : audit
33+
34+ - name : Checkout code
35+ uses : actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
36+ with :
37+ persist-credentials : false
38+
39+ - name : Install uv
40+ uses : astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
41+ with :
42+ enable-cache : false
43+
44+ - name : Run Zizmor
45+ run : |
46+ uvx zizmor=="$ZIZMOR_VERSION" \
47+ --format sarif \
48+ .github \
49+ > zizmor_scan_report.sarif
50+
51+ - name : Upload SARIF to GitHub Security
52+ uses : github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
53+ if : always()
54+ with :
55+ sarif_file : zizmor_scan_report.sarif
56+
57+ - name : Upload Zizmor report artifact
58+ uses : actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
59+ if : always()
60+ with :
61+ name : zizmor-results
62+ path : zizmor_scan_report.sarif
63+ retention-days : 7
You can’t perform that action at this time.
0 commit comments