Merge pull request #76 from eclipse-esmf/75-add-leverage-sast-for-github-action-code

atextor · web-flow · commit 46307eaffa5b · 2026-02-23T06:59:33.000+01:00
Evaluate options to leverage SAST for GitHub action code
diff --git a/.github/workflows/antora-build.yml b/.github/workflows/antora-build.yml
@@ -5,16 +5,18 @@ on:
     - main
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   build-and-deploy:
     runs-on: ubuntu-latest
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
 
     - name: Set up JDK 17
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e #v5.1.0
       with:
         distribution: 'temurin'
         java-version: '17'
@@ -24,7 +26,7 @@ jobs:
         ./mvnw -B generate-resources -Pantora
 
     - name: Deploy
-      uses: JamesIves/github-pages-deploy-action@4.0.0
+      uses: JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f # v4.8.0
       with:
         branch: gh-pages
         folder: build/site
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,33 @@
+#
+# Copyright (c) 2026 Robert Bosch Manufacturing Solutions GmbH, Germany. All rights reserved.
+#
+name: GitHub Actions SAST (zizmor)
+
+on:
+  pull_request:
+    branches: [ main ]
+  push:
+    branches: [ main ]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor (PR annotations)
+        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
+        with:
+          advanced-security: false
+          version: v1.22.0
+          annotations: true
+          persona: auditor
+          min-severity: medium
